Slashdot Log In
Researchers Find Problems With RFID Passport Cards
Posted by
timothy
on Fri Oct 24, 2008 04:11 AM
from the clearly-unpossible dept.
from the clearly-unpossible dept.
An anonymous reader writes "Researchers at the University of Washington have found that RFID tags used in two new types of border-crossing documents in the US are vulnerable to snooping and copying. The information in these tags could be copied on to another, off-the-shelf tag, which might be used to impersonate the legitimate holder of the card." You can also read the summary of the researchers' report.
Related Stories
[+]
Chipped Passport Cloned In Minutes 326 comments
Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"
[+]
Hardware: World's First "Unclonable" RFID Chip 320 comments
An anonymous reader writes to tell us that a new RFID chip from Verayo claims to be unclonable through the use of the new Physical Unclonable Functions (PUF), sort of an electronic DNA for silicon chips. "Basic passive RFID chips can be easily cloned by copying the data residing on one chip to another. Verayo's PUF-based RFID chips cannot be cloned, and provide a very strong and robust authentication mechanism. No other chip or device can be disguised as the original chip, even if the data is copied from one Verayo RFID chip to another."
[+]
New York Issues RFID-Encoded Drivers Licenses 288 comments
JagsLive passes along the intelligence that New York has become the second state to issue drivers licenses with RFID tags (Washington was the first). The new "enhanced drivers licenses" cost $30 more than the old ones. They can be used instead of a passport for entry into the US by land or sea (not air) from Canada, Mexico, and the Caribbean. Authorities say no personal information will be stored or transmitted by the chip, only an ID number that will be meaningless to anyone but DHS. Citizens of New York who prefer not to carry an identifying RFID chip can still get an old-style license.
[+]
IT: Hackers Clone Elvis' Passport 164 comments
Barence writes "Hackers have released source code that allows the 'backup' of RFID-protected passports, although the tool can potentially be used to create fake or cloned documents. The Hacker's Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport, it is revealed to belong to one Elvis Aaron Presley, complete with picture. Reports of the hackers serenading security staff with 'Are You Clonesome Tonight' are unconfirmed."
Submission: Researchers find problems with RFID passport cards by Anonymous Coward
[+]
IT: WarCloning, the New WarDriving? 154 comments
ChrisPaget writes "After my legal skirmishes with HID a while back, The Register has coverage of my latest RFID work — cloning Passport Cards and Electronic Drivers Licenses from a moving vehicle. Full details will be released at Shmoocon this weekend, but in the meantime there's video of the equipment and articles all over the place."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
This just in (Score:2, Insightful)
Re: (Score:2)
Breaking news: (Score:5, Interesting)
FTFA:
We show that a key anti-cloning feature proposed by the U.S. Department of Homeland Security (the tag-unique TID) remains undeployed in these cards.
Re: (Score:2, Funny)
The left hand doesn't know what the right hand is doing.
It's probably better off not knowing. ;)
(This sort of joke was inevitable)
Re: (Score:2)
Good for those who sleep on their arms.
question to those who read the article (Score:3, Insightful)
Did they compare the efficiency of copying passports w/ and w/out RFID?
Re: (Score:2)
I'm going to guess easier to copy than traditional passports.Can find anyone who can copy my passport in a few minutes after simply passing me on the street while my passport was inside my bag without me knowing they've obtained a copy?
Re:question to those who read the article (Score:5, Insightful)
They still can't.
From the article:
"Although the tags don't contain personal information, they could be used to track a person's movements through ongoing surveillance..."
Considering the "passport" is the entire document and the tag itself contains no identifying information they still can't clone your passport at a distance. They could clone the tag inside it, but the process of faking your passport would still involve creating the paper hard copy. I'd say if they still have to do everything they used to and also something new then it's more secure, not less.
Of course the ability to recognize and track a person's movements through the use of RFID is still worrying, but it's no easier to fake a passport than it used to be.
Parent
Re: (Score:3, Insightful)
Then that's a flaw of the user, not the system. You could argue that adding a machine to the process would cause people to become complacent, but even the best lock only works if you use it properly.
Re: (Score:3, Insightful)
Then that's a flaw of the user, not the system. You could argue that adding a machine to the process would cause people to become complacent,
No, a system that does not take into account natural human behavior is flawed, not the humans. Your attitude is what leads to counterproductive 'security' like the UAC on Vista.
Elvis (Score:5, Funny)
So, if I want to be Elvis all I need is one of those new passports.
Cool.
Re:Elvis (Score:5, Informative)
http://hackaday.com/2008/09/30/cloning-and-modifying-e-passports/ [hackaday.com]
By the way, the most "funny" thing I saw about RFID passports was that in Pakistan, at least one occurrence of "American passport bearer detection" has occurred in a market crowd. Fortunately, the goal was then to steal the passport, not behead the bearer.
Parent
Re:Elvis (Score:5, Funny)
Elvis would be a good choice when registering to vote in Chicago. For border crossings, I'd recommend using Cat Stevens.
Parent
How should I respond to this? (Score:5, Funny)
Please, someone in authority with intelligence tell me what to think about this. Oh.. wait... that's never going to happen is it.
Re:How should I respond to this? (Score:5, Interesting)
8. Shut up. This is to stop the terrorists. And you don't want to support terrorism, do you?
9. Shut up. This is to protect the children. And you don't want to support pedophilia, do you?
10. This is a classified information you were not authorised to obtain. Please lay on the ground face down and place your hands on your head.
Parent
Re: (Score:3, Funny)
Your solution advocates a
( ) technical ( ) legislative ( ) market-based ( ) vigilante (*) emotional
approach to solving a looming privacy problem. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular emotional state, and it may have other flaws which used to vary from state to state or country to country before a bad federal or international law was passed.)
Security (Score:3, Informative)
Again (Score:5, Interesting)
This is about the umpteenth time we hear about this. Somehow, I can't believe anymore that putting these chips in passports was meant to increase security. The question is...what _was_ the purpose?
Re: (Score:2)
The question is...what _was_ the purpose?
The main stated reason was to facilitate entry of US citizens into Great Britain. It was also supposed to be "more secure".
Sigh. See my earlier post in this article how kidnapper convenient these things are.
Re:Again (Score:5, Informative)
My first reaction would be to say that you are kidding, but then this is yet another example of policy laundering.
In the UK the government said it was because it was being deployed by the US.
Basically it was a working group from the US, UK, Canada, Australia, and New Zealand which pushed it onto the ICAO and then each country was forced to grudgingly and unwillingly implement this standard which they previously pushed for.
Parent
Re: (Score:2)
The main stated reason of introducing RFID passports in GB was to facilitate entry of GB citizens into US.
So, bullshit.
Re:Again (Score:4, Insightful)
I don't see the conflict here:
Step one: US and UK (and probably several other) governments get together and decide this is a good idea.
Step two: Both governments go back to their people and say "This is to facilitate entry into $otherCountry."
Step three: Both governments get the standards implemented and both get to make it look like they were just being nice and facilitating travel to $otherCountry; while at the same time getting what they actually wanted anyway.
Both governments get what they want, neither side actually lied (since, after all, travel between the two or more countries IS facilitated) and everyone is happy except for the people who realized that this was a dumb, ineffective, and potentially abusable idea in the first place.
Parent
Re:Again (Score:5, Informative)
The problems mentioned here and elsewhere are that you can copy an RFID make a duplicate of it. With a regular passport that is not really a problem, excluding privacy since they contain personnal data but the US system and others are suppose to be encrypted so you cannot get the info without the physical passport so you can get the key, because your passport is checked against the database entery and then the person doing the check is suppose to compare the computer to the passport to the holder and they should all match. In this case the problem is that these are passport cards, not regular passports, designed for people who cross the borders all time and this will allow for quick processing with the passport card never being checked by human; same system that you have for toll road cards.
Since these cards and also drivers licenses are not encrypted and not checked by humans an evil person could copy the card, get your PIN and then have easy access to cross the border, provided they don't have sort of facial recognition system, being implemented, that checks your passport card against the database against the facial recognition system.
Parent
Re: (Score:3, Interesting)
No. A friend of a friend got his new RFID chipped passport in the US. He refused to accept the passport without the chip being checked. This was good because it was someone else's chip in his passport. The manufacturing process has got screwed up and the wrong data was recorded in the passport.
The
Re:Again (Score:4, Interesting)
First, the article isn't talking about passports. It's talking about the new passport cards [state.gov]. It's not necessarily a given that the same RFID chip is used in both of them.
Second, passport cards aren't even required. You can get a regular passport with or without getting the card. The cards have nothing to do with extra security and everything to do with making travel between the US, Canada and Mexico more convenient.
Third, the RFID chip in regular passports isn't required either. You can get the passport, smash the chip with a hammer, and use it just like a regular old passport.
In any case, it's 100x easier to just order somebody's birth certificate, make a fake ID, and order a legit passport in their name.
Parent
Re:Again (Score:4, Informative)
The purpose WAS to increase security, and it works just fine. What these researchers did was simple, obvious and pointless.
Sure you can copy the data from one passport to another. So what? It still contains the original photo and any other biometrics, binding it to the true owner of the passport. The data can't be altered because it's digitally-signed. Someone else can impersonate the passport holder, but only if they have the passport holder's face. As more biometrics are added, they'll also need the passport holder's fingerprints, iris -- maybe someday they'll need the passport holder's DNA.
Now, the fact that the passport might be detectable from a distance is something of an issue. US passports have foil in the cover to create a mini Faraday cage and RF-isolate the chip when the passport is closed, so for holders of US passports the solution is simple: put a rubber band around your passport to hold it closed. Holders of passports from other countries may want to cover their passport in tinfoil if they're concerned about being tracked.
Parent
this is intentional (Score:5, Interesting)
Part of creating a more authoritarian society is to keep your populace under fear. To have the more knowledgeable elements of your population know just how close they are to losing their freedom due to a modern equivalent of a filing error is entirely intentional.
No-one in government/civil service wants these documents to be 100% secure. A few accidental misidentifications will keep everyone realising how powerless they are, and a few "accidental" misidentifications will be used to conveniently eliminate specific undesirables.
Summary: If you fear that your identity will be stolen now, the government is operating as intended.
Tinfoil anyone? (Score:5, Funny)
Re: (Score:2)
Does it actually work?
What's the frequency used for RFID chips? How thick a metal box do you need? What kind of joints does one need?
Come on guys, don't tell me I'll have to Google it!
wait... (Score:2)
So what? You still need to forge the card itself (Score:5, Interesting)
Even if you do a convincing forgery of the card itself, you run a risk of discovery. Using the RFID data as an index into the government database, the border agent's computer system will pull up the photo (or other biometric data) of the genuine cardholder. If they are paying attention, they will see that you are not the right person, and bust you for forgery.
Also, each RFID passport card comes with a foil-lined sleeve that protects it from both physical damage and RFID skimming. I always keep mine in the sleeve when not in use. If others do the same, this vulnerability will be restricted to places where the cards are used, i.e., border crossings. Lurking around border crossings to clone RFID data seems like another risky strategy.
Quick! (Score:3, Informative)
One Word Solution. Problem Solved. (Score:3, Insightful)
"Microwave"
Re:Anonymous Coward (Score:5, Informative)
Parent
Re:Anonymous Coward (Score:4, Informative)
Parent
Re: (Score:2)
How about this [thinkgeek.com] for your cards, or this [thinkgeek.com] if you like the idea, but want to keep your passport and cards in one place.
However, if you think that having all your ID in one place is a good idea, I don't think you should be on this thread.
Re: (Score:2)
Based on the photos the wallets are the same ones.
Re:Anonymous Coward (Score:5, Interesting)
A moulding nail works great for smashing the hell out of just the RFID chip. My new AmEx came with one and I immediately crushed the hell out of it. I was thinking about doing the same to my new passport when it arrives. I decided that the plausible deniability might be a little slim for a precisely placed hole over the chip though. Perhaps another destructive method might be in order. Who knows what might happen if I accidentaly stood too close to a strong microwave emitter... I hear that the microwave oven is good for drying out wet passports too.
Parent
Re: (Score:3, Interesting)
It will be considered a mangled document. Never mind that it's also an old style passport, if the RFID tag is broken then it's considered the same as if the passport was dipped in ink or burned too badly to read.
The fun starts when you consider that RFID tags break if exposed to too stong a signal of the kind used in RFID scanners. You could build one fairly easily, stick it in your backpack and hang out or even walk through somewhere with a lot of tourists.
Re:Anonymous Coward (Score:4, Insightful)
It will be considered a mangled document. Never mind that it's also an old style passport, if the RFID tag is broken then it's considered the same as if the passport was dipped in ink or burned too badly to read.
Having a toasted RFID chip would be much like having a gunked up, but not deliberately defaced passport number. The OCR machines are notoriously bad at reading the data at the bottom of the document. A fried, but not obviously physically damaged chip would appear to the border offical as if the chip or the reader had malfunctioned. They would most likely simply input the data by hand and send you on your way. If you use a hole punch to remove the chip, it's a completely different story. Then it looks like you're up to no good. They key hear is to look innocent ;)
Parent
Re: (Score:3, Insightful)
Re: (Score:2, Interesting)
Re:nothing to worry (Score:5, Interesting)
Oh yeah. Nothing to worry about. One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain. I've never been to Europe, have no planned trips there for maybe the rest of my life. Wonderful.
Another danger is that the tags can be read from as far as 150 feet away in some situations, so criminals could read them without being detected.
s/criminals/kidnappers/ which IS an issue in places I travel. Those RFID thingies shout out, "I'm an American citizen, kidnap me!".
Although the tags don't contain personal information, they could be used to track a person's movements through ongoing surveillance, they said.
See previous comment.
Though there's no reason for panic, "Our hearts should start to beat a little faster," Kohno said.
Bwahahahaha. Can I please have my paper only passport back, please? It's for my safety and think of my children.
Parent
Re:nothing to worry (Score:5, Informative)
Really?! Because I thought here in the UK, one of the main stated reasons they started introducing RFID passports was to facilitate entry to the United States!
Parent
Re:nothing to worry (Score:5, Insightful)
One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain.
Actually, much of Europe. But talk to your government about that - they started the tit-for-tat escalating entry requirements. When someone enters the US now, they are photographed and fingerprinted, and the only reason I didn't require a biometric passport for entry last time I went was because there was a temporary visa waiver program in place for people without biometric passports.
Most of the stupid entry requirements for Americans entering other countries are due to politicians responding to pressure from their constituents complaining about being treated like criminals when they enter the USA.
Parent
Re:nothing to worry (Score:5, Insightful)
Are you ready for the inevitable conspiracy theory? Here it is, cooked up between my wife and myself after discussing the implications of renewing our passports shortly.
The problems are actually a feature. Let me explain. Remember how the old Soviet-bloc countries didn't like their nationals traveling because they would see how much better the rest of the world was? (Don't get me wrong, I like it here just fine.) Well, if everyone who hears about this says "I guess I won't be traveling any time soon", it effectively stops travel (usually by the intelligentia) all the while allowing the govt to say "We have no travel restrictions on our own citizens".
Of course, all this is nonsense. Our current administration would never feign incompetence to obtain other goals. [npr.org] Yet there's plenty of other information that suggests there's no tom-foolery about this and that the incompetence is real [washingtonpost.com].
So in short, I'm not sure which it is, but the bottom line for me is that I'm waiting until the last minute in the hopes that some of the recommended features are implemented by then.
Parent
Re: (Score:2)
Those RFID thingies shout out, "I'm an American citizen, kidnap me!".
Stop with the paranoia. You'll find people around the world are generally all decent people. Of course, YMMV in Iraq, Afghanistan, etc, etc
Re: (Score:3, Insightful)
Stop with the paranoia. You'll find people around the world are generally all decent people. Of course, YMMV in Iraq, Afghanistan, The White House, etc, etc
There, fixed that for you.
Re:And this is news? (Score:5, Informative)
Fatal Flaw Weakens RFID Passports (Nov 3 2005), Schneier: http://www.schneier.com/essay-093.html [schneier.com]
on rfid id cards:
Does Big Brother want to watch? (October 4, 2004), Schneier: http://www.schneier.com/essay-060.html [schneier.com]
Parent
Re:And this is news? (Score:4, Insightful)
It's hard to find a large group of people more cynical than slashdot users.
If anything I'd say this proves that the cynical tend to be correct.
Parent