
E-Passport Cloned In Five Minutes

Posted by kdawson
from the if-more-proof-were-needed dept.
Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."
  • by rimberg (133307) on Sunday December 17, 2006 @10:10PM (#17281938) Homepage
    The Open Rights Group [openrightsgroup.org] (think UK EFF) have a wiki page that provides more information on this and other issues with the British Biometric Passport [openrightsgroup.org]. The European version of the biometric passport is planned to have digital imaging and fingerprint scan biometrics placed on the radio-frequency chip. The UK government thinks that the public has a negative opinion of RFID chips, so instead they call it a contactless chip.
  • Re:Well then, (Score:1, Informative)

    by ChowRiit (939581) on Sunday December 17, 2006 @10:16PM (#17281980)
    RTFA: The chip contains no information not in the passport, and as the chip can't be cloned remotely, you'd have to have the passport in order to clone the chip.
  • by Anonymous Coward on Sunday December 17, 2006 @10:36PM (#17282146)
    Also, the article states that the key to some encrypted information on the chip is something that's printed, in plain sight, on the passport... oh man.

    I'm no fan of the new passports, but if I understand it correctly ...

    The passports are encrypted with a bunch of information which is printed on the passport (and probably in a barcode or some other machine-readable format), yes. A few different items make up a key. The RFID chip doesn't automatically spit out the encrypted information when blindly queried, but only if presented with a request derived from the key data. So, it's not like you arbitrarily query passports in people's bags and crack the encrypted response later, because it won't respond if you don't know the key. And guessing that key to get the data would involve you sitting next to the passport for a Long Time.

    This key allows someone at a desk with visual access (and a barcode reader or mag swipe) to the passport to query it by presenting the right key and thereby "verify" the passport with the info on the RFID.

    Now it should be relatively (for clever crypto people) simple, given this, for someone to copy the passport (it would surprise me if the data were not signed by some PKI though), as they already know what the key is.

    So anyway, that's why the key is based on printed info, and why you cannot read arbitrary passports without seeing them to get the key fields.

    That's all down to my (incomplete) understanding of it based on watching a film with one of these crypto guys and some googling afterwards.
  • by spasm (79260) on Sunday December 17, 2006 @10:55PM (#17282242) Homepage
    "It is hard to see why anyone would want to access the information on the chip."

    I think it's time someone cloned his passport and got busted importing drugs or weaponry or child porn or similar while on that passport. Hell, he's probably got a diplomatic passport == no search. Pure gold to anyone wanting to move anything *really* profitable.
  • Tinfoil (Score:2, Informative)

    by Shadyman (939863) on Sunday December 17, 2006 @11:18PM (#17282384) Homepage
    You can always get one of these [difrwear.com] or just wrap your passport in tinfoil.

    BRB, I'm making a tinfoil hat for my passport, so it matches mine.
  • by bigberk (547360) <bigberk@users.pc9.org> on Monday December 18, 2006 @12:43AM (#17282854)
    There is a serious misunderstanding of the technology, yes even among slashdot users. The problem is that the media and slashdot refer generically to 'rfid' when they talk about two different things:

    1) Simple RFID chips that can be scanned and read by anyone
    2) Contactless smart cards (ISO 14443 etc.), with crypto

    Both use the same frequency band and similar hardware, but they are different beasts: one has crypto and the other doth not.

    Identity information can be put on a contactless smart card, but depending on how it is implemented (hopefully securely) you probably will NEED A KEY, otherwise the crypto will prevent access. Take a wireless payment card or credit card (#2 category) for example. You can't just read/dump the bank account numbers on it. There is crypto protecting the data.

    On the other hand, Walmart uses the non-crypto RFID chips. Yes, you can just read the info on them; there is no encryption.

    So when you say "RFID is terrible for personal security" you're right, RFID (#1 above) is completely inappropriate for privacy. But contactless smart cards (#2 above) are totally appropriate, and the passports use #2.
  • Re:huh? (Score:3, Informative)

    by hughk (248126) on Monday December 18, 2006 @01:37AM (#17283112) Journal
    Most modern passports have an OCR section now on the ID page (and this is a condition of visa-less entry into the US now). All international passports carry the main data in Latin characters as well as the original Cyrillic, Arabic, Hebrew or whatever. Technically this is a French transliteration, which may actually be slightly different from the English.
  • The technology used (Score:4, Informative)

    by Eljas (911123) on Monday December 18, 2006 @05:04AM (#17283904) Journal

    Many people here seem to make claims on RFID security without knowledge of the technology actually used. I have done some research on the subject, so I think I can give some pointers. Details about the technology can be found at ICAO's web page [icao.int] and in a short presentation on the subject by Jacobs/Wichers Schreur [utwente.nl].

    The communication between the passport and the reader is encrypted using information in the Machine Readable Zone at the bottom of the passport. This is the basic way to authorize passport reading. The MRZ information is generated from the information of the passport holder and random numbers. If a bad numbering scheme [whatthehack.org] is used, breaking the encryption is quite possible. If large enough random numbers are used, breaking the encryption with brute force is currently not practical.

    The authentication is done using public key cryptography. Currently only Passive Authentication is mandatory, but Active Authentication is supported, and it is mandatory when fingerprint information is contained in the passport. With only Passive Authentication, cloning of an MRZ-compromised passport is easy, but with Active Authentication it should be unfeasibly difficult.

    Reading and cloning a European RFID passport which is using all available security measures (like the e-passports in Finland) is not as trivial as many people here seem to think. As long as there are no backdoors in the cryptography (e.g. for the intelligence agencies), I think the technology is quite sound. Not using all available cryptography is just a bad choice by the government issuing the passports.

    The scheme in TFA is nothing new and nothing revolutionary. If you have physical access to a passport with only Passive Authentication, cloning is trivial, as pointed out in TFA. This is actually how the technology was designed to work. Maybe the design is bad, but that is hardly a big surprise, since the technology is a compromise between many organizations and governments. When someone clones a passport which has Active Authentication, then that is real news.
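The MRZ-derived access keys that Eljas and the earlier anonymous poster describe, worked through as an added example (not code from anyone in this thread): the check-digit rule, the SHA-1 key seed and the two 3DES keys of ICAO 9303 Basic Access Control. The sample values are the public worked example from ICAO Doc 9303 Part 11, Appendix D, not data from any real passport.

```python
import hashlib
from typing import Tuple

# Added example, not from the thread: ICAO Doc 9303 Basic Access Control (BAC)
# key derivation. The three printed MRZ fields (document number, date of birth,
# date of expiry) plus their check digits seed the reader/chip session keys.
# Sample values below are the public ICAO 9303 Part 11 Appendix D vector.

WEIGHTS = (7, 3, 1)  # repeating weights of the ICAO 9303 check-digit scheme


def mrz_char_value(ch: str) -> int:
    """Digits count as themselves, A-Z as 10..35, the filler '<' as 0."""
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> str:
    """Weighted sum of the field's character values, modulo 10."""
    total = sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """Build the 24-character MRZ_information string that seeds the BAC keys."""
    doc = doc_number.ljust(9, "<")  # the document number is padded to 9 positions
    return (doc + check_digit(doc)
            + birth_yymmdd + check_digit(birth_yymmdd)
            + expiry_yymmdd + check_digit(expiry_yymmdd))


def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each DES key byte has odd parity."""
    return bytes((b & 0xFE) | (bin(b >> 1).count("1") % 2 == 0) for b in key)


def derive_bac_keys(mrz_info: str) -> Tuple[bytes, bytes]:
    """Return (K_enc, K_mac). K_seed = SHA-1(MRZ_information)[:16]; each key is
    SHA-1(K_seed || 32-bit counter) with counter 1 (enc) or 2 (mac), parity-fixed.
    The hash adds no entropy: the keys are only as unpredictable as the printed
    MRZ fields, which is why a guessable numbering scheme weakens the scheme."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter: int) -> bytes:
        h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return adjust_parity(h[:8]) + adjust_parity(h[8:16])

    return kdf(1), kdf(2)
```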

  • by theshowmecanuck (703852) on Monday December 18, 2006 @05:32AM (#17284008) Journal

    Apply for a bank account/credit card... identity theft stuff. A passport is prime ID. I believe you can do as much with it as with a birth certificate (probably more, since you cannot use a birth certificate to get back into the U.S. by air and soon by ground as well). In fact, I wouldn't doubt that you could order a duplicate birth certificate with it... or maybe go to a social security office with it and claim you lost your SSN card and would like to know the number. You could probably cause a lot of problems. Or if you were a terrorist from, say, Iran, you could fake a U.S. citizenship and get into the country without a hassle. Theft of someone's identity is very serious.

    And if they mess up the systems dealing with passports when they become required for all entries to the U.S., including ground entry from Mexico and Canada (and they *will* be required; it was just delayed for a year for ground crossings), there could be a HUGE impact. They are America's two biggest trading partners, accounting for something like half of all foreign trade (Canada is the U.S.'s biggest trading partner... Mexico I believe is a close second and maybe soon to pass the Canadians). What if, for example, the trucks all of a sudden couldn't roll across the border because the drivers' passports were messed up (in either direction, by the way... what American driver is going to want to leave if he/she can't get back in)?

  • by KDR_11k (778916) on Monday December 18, 2006 @08:20AM (#17284568)
    Let's not forget we are talking about Europe where many countries issue personal IDs and keep registries of all citizens at several levels with mandatory registration.
  • Re:Well then, (Score:2, Informative)

    by DaveCar (189300) on Monday December 18, 2006 @10:03AM (#17285244)
    If someone walks by you while it is in your pocket, they can't read off the pertinent information physically written on it in order to decode the encrypted RFID data. I'm sure given enough CPU time it could eventually be cracked without that data, but there are other much easier ways of doing identity theft.

    I *believe* that the RFID chip won't actually respond with the encrypted data unless presented with a request which has (some function of) the key information. Which means you can't just get the info and brute force it later - you have to brute force the key *live* whilst the passport is there to get it to respond. And the RFID tag (deliberately) takes some time to respond, making it rather difficult to get the info in any reasonable timeframe.

    Anyway, that's the impression I got by doing some googling ... it may be wrong. And I'm no apologist for these passports - I made sure I got mine renewed a year or so ago so that I got an old style one.
