
E-Passport Cloned In Five Minutes

Posted by kdawson
from the if-more-proof-were-needed dept.
Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."

  • by rrohbeck (944847) on Sunday December 17, 2006 @10:05PM (#17281914)
    Now another researcher has shown how to clone a European e-Passport in under 5 minutes.

    Thanks to a software he himself has developed, called RFdump, he downloads the passport's data onto his computer and then onto a blank chip.


    How long would it take for some 3 letter agency to show up at their door in the US?
  • by Anonymous Coward on Sunday December 17, 2006 @10:18PM (#17281990)
    1. They claim that there is little useful on a passport's details page. Can someone confirm whether this is the case for the purposes of general information theft?

    2. If the passport page contains anything useful, how easy or difficult will it be to get hold of this information? Can you stand next to someone in a queue and scan the passport in their carry bag, or do you actually need to hold it close? My ID card at work has an RFID chip, that works only at about 4cm.

    3. Is it correct that forging RFID passports will be more difficult? Obviously, if you used to have to manufacture a passport or switch a picture, and you now need to _both_ do that _and_ insert or change an RFID chip, then that raises the bar. So the followups to this question are;

    3a. Will passport controls be replaced by RFID scans, or in addition to? I would hardly think the former, but please inform.

    3b. Is it possible to change the information on an RFID chip without actually having physical access to the circuitry? As in, are there read/write scanners so you can avoid having to manufacture a chip and replacing it in a passport?

    If the answers to these are no, difficult, yes, in addition to and no/no, then I can certainly see it providing additional security. And vice versa. Someone in the know?

  • Re:This is all FUD (Score:2, Interesting)

    by rrohbeck (944847) on Sunday December 17, 2006 @10:28PM (#17282076)
    but then it's never been very hard to visually look at it and read the paper

    Not when it's in my pocket.

    I can't believe how juicy this is. Imagine being able to get your dirty fingers on the theft prevention system at the doors of a department store. Just a slight modification of the frequency and code, and let the harvesting begin.
  • by b0s0z0ku (752509) on Sunday December 17, 2006 @10:30PM (#17282102)
    How is this different than Xeroxing a 2D barcode? Isn't that why there's biometric data on the passport and a digitally encoded photo - to render it useless even when cloned? Not to mention that the passport # *could* key to a database with the same data for verification purposes - the database should also contain records of passport #'s invalidated due to theft, cloning, or whatever. The data on the RFID chip is *meant* to be read. Rerecording the bitstream is a trivial exercise.

    Cheers,
    -b.

  • by mabhatter654 (561290) on Sunday December 17, 2006 @11:08PM (#17282316)
    Sure it makes things wildly insecure. You know lazy tired TSA workers will only glance at the passport and just trust what the display says. The usefulness works like this... I'm an evil terrorist, I know I can't get on planes.... I can remotely grab another passenger's RFID tag in line at the boarding pass counter with a ticket on same flight I wish to perform evil deeds... even easier than pickpocketing!! Now I get THEIR pass info, forge my hacked RFID chip with their passport ID...it doesn't have to be a "real" ID chip, just report to the reader like one. Remember, it will probably be in those little folders anyway... as long as the reader sees my hacked one first, and again the agent is too lazy to remove the document from its case and inspect the passport for tampering, I'm in with their ticket and ID...


    Before the goons come to get me!! I'll say I know NOTHING about these new passports beyond what's on slashdot. I got no expertise in RFID beyond looking at it. A good security system should have something in place to prevent this sort of "cloning" attack... you'd hope like hell that somebody's thought about this!!! and they don't just send the goons to cover it up.. after all, that's the new policy for scientific reports now... and has been the policy for security reports since 9/11.

  • Shielding? (Score:1, Interesting)

    by Anonymous Coward on Sunday December 17, 2006 @11:27PM (#17282432)
    So what is the paranoid meant to do to shield their passports? We all joke about the tin-foil, but is there something that actually does the job?
  • How about a switch (Score:2, Interesting)

    by phlipped (954058) on Monday December 18, 2006 @12:15AM (#17282690)
    How about having an electronic switch built in to the passport, so that the chip only works when someone holding it wants it to work. For example, you could set it up so that the chip only works when the passport is opened flat on the details page at the front.

    I can't imagine it being that hard in theory, although devising a reliable and rugged switch may be a bit more challenging.

    Still, I bet it could be done, and it pretty much eliminates all the concerns about people reading the chip without your permission.
  • by bigberk (547360) <bigberk@users.pc9.org> on Monday December 18, 2006 @12:51AM (#17282896)
    There is a huge difference between "RFID chips" and "contactless smart cards"! They both use the same frequency band and similar communication protocols, but RFID chips have no crypto while contactless smart cards have all the AES, MAC, etc. stuff plus secure filesystem storage.

    There is a huge difference, I keep posting this but nobody seems to get the point: the walmart RFID chips have zero crypto, but the passport, payment cards have a ton of crypto. You can't just dump their contents.

    The government calls them contactless smart cards because that is what they are, of course the media and everyone else uses the blanket term "RFID" to refer to all of it and works themselves up into a frenzy while not understanding the characteristics of the technology.
  • Re:Well then, (Score:4, Interesting)

    by msobkow (48369) on Monday December 18, 2006 @01:09AM (#17282996) Homepage Journal
    A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."

    But isn't the whole point of a secure passport to secure the identity of an individual? If the identity is not secure, we may as well not waste the time or money.

  • by Ecyrd (51952) on Monday December 18, 2006 @02:01AM (#17283224)
    Except that you can use #2 with no crypto or bad crypto as well. Which is exactly what the epassports are doing. They have such bad keys that it is easy to brute-force crack them open in a couple of minutes. Most well-designed systems using the same standard have non-trivial keys, which makes them a lot more secure than the ICAO epassport standard.

    The fun thing is that the moment the standard was created, everyone said that this is going to be a field day for the press when the first researcher figures out that the keys are so weak. The day has arrived :)

    In reality the issue is blown out of proportion: the epassport is not that much of a privacy issue. Tourists can be spotted by a mile away by simply the way that they look and walk, and the smart tourist will leave the passport in the hotel safe anyway, carrying only a photocopy with him. You are in far more trouble if your passport gets stolen than if it gets copied: if you do not have your passport, dealing with any authorities in a strange country is going to be a problem, whereas if your passport gets copied, you still have the original.

    Also, forging a passport is no easier than before - in fact, getting the digital and the physical passport data to match becomes a lot harder with the epassports. Reading something does not mean you can change it and write it back, as surely is well understood by anyone familiar with digital signatures.
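
The copy-versus-alter distinction made in the comment above, as an added example that is not part of the thread or of any passport software: an issuer hashes each data group and signs the hash list, and a reader checks both. The toy RSA key, the field names and the sample data are assumptions constructed for illustration.

```python
import copy
import hashlib

# Toy RSA key built from two publicly known Mersenne primes. It protects
# nothing and only stands in for an issuer's signing key (assumption).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the issuer only


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def manifest_int(hashes: dict) -> int:
    """Digest of the sorted (name, hash) list, as an integer to sign."""
    canonical = repr(sorted(hashes.items())).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def issue(groups: dict) -> dict:
    """Issuer side: hash every data group, then sign the hash list."""
    hashes = {name: sha256_hex(blob) for name, blob in groups.items()}
    return {"groups": dict(groups), "hashes": hashes,
            "sig": pow(manifest_int(hashes), D, N)}


def inspect_chip(chip: dict) -> str:
    """Reader side: needs only the public key (N, E)."""
    if pow(chip["sig"], E, N) != manifest_int(chip["hashes"]):
        return "signature invalid"
    if set(chip["groups"]) != set(chip["hashes"]):
        return "data group missing or added"
    for name, blob in chip["groups"].items():
        if sha256_hex(blob) != chip["hashes"][name]:
            return "data group altered: " + name
    return "ok"


# Constructed sample data, not a real passport record.
original = issue({"holder": b"DOE<<JANE 1980-01-01",
                  "photo": b"\x89constructed-image"})

clone = copy.deepcopy(original)        # bit-for-bit copy onto a blank chip

swapped = copy.deepcopy(original)      # copy with a different photo inserted
swapped["groups"]["photo"] = b"\x89someone-else"

rehashed = copy.deepcopy(swapped)      # same, with the hash list patched too
rehashed["hashes"]["photo"] = sha256_hex(rehashed["groups"]["photo"])

if __name__ == "__main__":
    for label, chip in [("original", original), ("clone", clone),
                        ("photo swapped", swapped),
                        ("photo + hash swapped", rehashed)]:
        print(f"{label:22} {inspect_chip(chip)}")
```

The clone verifying is the expected result: the signature ties the data to the issuer, not to the physical chip, so comparing the signed photo with the person presenting the document remains the control that matters.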
  • Can I zap it? (Score:4, Interesting)

    by seanadams.com (463190) * on Monday December 18, 2006 @03:30AM (#17283562) Homepage
    Cloning a passport has become no harder or easier thanks to RFID. But Identity theft will become much much easier.

    Couldn't one kill the RFID chip by putting the passport in a microwave oven for a minute?

    I can't imagine the rubber-stamper at immigration control not letting me through because he can't read my RFID tag... I'm sure a good percentage of non-zapped passports would fail to scan for one reason or another. If enough people did it, then they just wouldn't be able to rely on them, period.
  • Re:Well then, (Score:5, Interesting)

    by JimBobJoe (2758) <swiftheart@NOSpam.gmail.com> on Monday December 18, 2006 @05:43AM (#17284054)
    I guess that's what they call a failure of imagination.

    It's a common failure that occurs in these scenarios.

    As part of my research on driver's licensing issues, when states added photos to driver's licenses (starting in the late 60's) the word "fraud" never entered the picture. Driver's licenses were essentially fraud free documents before the photographs were added--so it really never entered anyone's mind that things would change once the document became more powerful/useful/trusted.
  • Re:Can I zap it? (Score:5, Interesting)

    by Alioth (221270) <no@spam> on Monday December 18, 2006 @06:01AM (#17284132) Journal
    Actually, they can and will deport you if the chip doesn't work.

    You make the invalid assumption that people at immigration desks are reasonable people - they are *not*. Some of them are little Hitlers with bad attitude, and the ones who aren't have their hands tied by the law - they have no discretion at all. If the law says you can't enter without a working chip, the immigration officer (even the world's friendliest and most reasonable one) has no choice but to deport you. Just as they would deport you if your passport photo was mutilated.

    (I'll make one exception for the little Hitlers - one notable aberration is Houston's immigration desks - those people are polite and make you feel welcome to the United States - truly refreshing to get to an immigration desk where it isn't just stony faces and demands to see that you have a return plane ticket. I frequently travel through Houston and they've always had good people there. Dallas Ft.Worth on the other hand - I will never travel through that airport again).
  • by Sique (173459) on Monday December 18, 2006 @07:12AM (#17284346) Homepage
    You are in far more trouble if your passport gets stolen than if it gets copied: if you do not have your passport, dealing with any authorities in a strange country is going to be a problem, whereas if your passport gets copied, you still have the original.


    The problems with passports can be much more subtle, so I wouldn't count on the fact that adding the same data in RFID mode didn't do anything else than just have some redundancy to prevent reading errors.

    A little tale from my experience: We were flying to Brasil from Lisboa with a flight that was first landing in Natal, and then flying to Recife. For some reason we never spotted an immigration office. I don't know if we were supposed to step out in Natal, get immigration stamps in the passport and then go back to the plane (the flight from Natal to Recife was domestic, because new passengers were boarding to Recife), or if we were supposed to look for immigration at Recife Airport. We didn't, and nobody seemed to care. When we were trying to leave Brasil three weeks later, the officer at border control pointed out that we were missing the immigration stamps. We were arguing, telling the story, he was insisting on immigration stamps. In the end he just pointed us to the gate, telling us "Nao entrada, nao saida" (No entrance, no exit), meaning "You have never been here, and you have never left."

    A similar occurrence was when I was cycling with a group through the then still existing Czechoslovakia. We entered through the Polish-Slovakian border, and everyone got his passport stamped. We were leaving a week later through the Czech-German border, and the officials were just stamping the list of all members of the group. A few weeks later I was again with the bicycle in Czechoslovakia, and I got controlled by the normal police about 30 km from the border, and the police got suspicious with me because I had two immigration stamps, but no exit stamp. So looking from the papers I had entered twice without leaving once. The patrol took me to the office, and then they phoned around for 1 1/2 hours, before just setting me free around midnight, when the train I was planning to take to Prague had just left.

    What I am trying to say: Whenever some inconsistencies come up with your passport, they aren't mitigated by having RFID chips somewhere. No one actually cares about this type of redundancy. Immigration officers are humans only, and errors will occur, and most of them will not be solved by looking at RFID chips, but in the end by reluctance of the powers in charge to press any further because it is late, because they don't want hassle or because it's easier to pretend nothing had happened. Given U.S. immigration procedures it will probably be solved by just handing persons like me to indefinite detention without access to legal counsel. Because Electronics is always right, and if not, lock up everyone not hiding fast enough.
  • by Anonymous Coward on Monday December 18, 2006 @07:41AM (#17284424)
    The most important question here (and, at the same time, a question I see nobody asking) is: what is the range of these RFID chips?
    If they have a range of one or more feet, so that somebody can scan my passport from across the room, then I really see a big privacy and security problem.
    If, on the other hand, they have a range of one inch or less, then I don't see any reason of concern: if scanning my passport requires roughly the same effort as stealing it, and also if by scanning it one obtains the same information (d.o.b., height, picture, etc.) that he would have obtained by stealing it, where's the problem here?
  • by Odin's Raven (145278) on Monday December 18, 2006 @09:36AM (#17285004)
    If you're a tourist in another country, the LAST thing you would normally want to do is advertise that fact.

    For whatever reason, this brought to mind part of one of Laurie Anderson's song/stories from her "The Ugly One with the Jewels" album:

    [...] I especially remember an interesting list of tips devised by the US embassy in Madrid, and these tips were designed for Americans who found themselves in war-time airports. The idea was not to call ourselves to the attention of the numerous foreign terrorists who were presumably lurking all the way to terminal, so the embassy tips were a list of mostly don'ts. Things like:
    • don't wear a baseball cap
    • don't wear a sweat shirt with the name of an American university on it
    • don't wear Timberlands with no socks
    • don't chew gum
    • don't yell "Ethel, our plane is leaving!"

    I mean it's weird when your entire culture can be summed up in eight giveaway characteristics.

    --Laurie Anderson, "The Cultural Ambassador"

  • by Tim Browse (9263) on Monday December 18, 2006 @06:45PM (#17293410)

    Duh. And why ID cards would avoid terrorism in any way? You can make a bomb regardless of having an ID card or not.

    My point was really that (here in the UK at least, so I don't expect you to realise it) the ID cards are always pushed by the government as the way to make us all more secure against terrorism. It will save us all, you see. It's the primary reason for introducing the scheme. Never mind that most experts (inc. the police and MI5, iirc) disagree - and you, as someone living in an ID card carrying country, seem to disagree too.

    I can tell however that not having an ID card was one of the reasons it took so much time to know the identity of all the victims of UK bombings.

    Oh yay, you certainly know how to sell me on the benefits of having an ID card! :-) I think I speak for many people when I say that being able to identify my charred body via an ID card is not top of my priorities.

    I can also tell that it was probably much easier for the police to find the terrorists that did the 11-M bombings

    Er, got a source for that assertion?

    (since they probably had to use their IDs for so many things, getting internet connection requires filling in your ID number).

    Ah. So no, then.

    It also probably saves lots of money to the administration.

    That's 'probably' why the UK govt keeps refusing to give an estimate of how much the ID card system would cost.

    A lot of the resistance, as well as a dislike for the general concept/system, is merely that it won't improve anything, so why waste billions of pounds of UK taxpayers' money implementing it?
