Privacy Technology

Chipped Passport Cloned In Minutes

Posted by samzenpus
from the unsafe-at-any-customs-counter dept.
Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"

  • by MRe_nl (306212) on Thursday August 07, 2008 @08:31AM (#24508487)

    Why get all physical?
    30 seconds on high in the microwave should do the job and leave fewer traces.
    "And when the border guard asks you what happened." the right response would be
    "I don't know what you're talking about Sir, there's chips in my passport?"

    ( or perhaps, depending on available force-points...
    "Sir, these are not the passports you're looking for" :)

  • Misleading info? (Score:5, Informative)

    by Daemonic (575884) on Thursday August 07, 2008 @08:55AM (#24508665)
    The article contains the line:

    Many of the 9/11 bombers had travelled on fake passports.

    Now I could be wrong, but I thought all the 9/11 bombers were legally allowed to be where they were, and were using valid documents?

    I think what might have been the case is that they HAD used fake passports in the past. The way this phrases it though suggests that a better implementation might have helped avoid 9/11, which is news to me.

  • by Anonymous Coward on Thursday August 07, 2008 @09:10AM (#24508791)

    I wrote a better document on this, but then I hit the [back] button on my browser:

    BAC (Basic Access Control): not required but everybody uses it. Prevents skimming and eavesdropping. If the document number/expiry date and birthday can be easily guessed the protection is pretty weak, especially for eavesdropping (offline brute force attack). No identifying data is released by well designed ePassports before BAC.

    PA (Passive Authentication): required. Prevents alteration of the info in the data groups. Works on X.509 compatible PKI (CMS/X.509 certificates). Fully uncrackable, but won't work if you don't have a trust store with the country signing certificates. You can get those by the PKD (Public Key Directory) but also by bilateral means, or even just by download from the internet.

    AA (Active Authentication): not required, hardly implemented. Prevents complete cloning of the chip. Uses a private key stored in protected memory in the chip. Relies on PA, otherwise you cannot trust the public key stored in the ePassport to do the verification. Basically this is a challenge/response protocol. Also fully uncrackable at this time as long as the chip security holds.

    Here are the standards, all public information:

    http://www.mrtd.icao.int/images/stories/Doc/ePassports/PKI_for_Machine_Readable_Travel_Documents_offering_ICC_read-only_access_v1.1.pdf [icao.int]
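Added example (not part of the original comment and not ICAO reference code): a minimal model of the Passive Authentication check described above. Textbook RSA on small constructed primes stands in for the CMS/X.509 signature, a set of trusted signer moduli stands in for the trust store of country signing certificates, and `check_trust=False` models an inspection system that has no trust store; all names and sample data are assumptions made for the illustration.

```python
import hashlib

E = 65537  # public exponent; the textbook RSA below is a toy, not secure

def make_key(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def encode(hashes):
    # Canonical bytes of the hash table; stands in for the signed security object.
    return ";".join(f"{k}={hashes[k]}" for k in sorted(hashes)).encode()

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(data_groups, key):
    # Issuer: hash each data group, then sign the table of hashes.
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in data_groups.items()}
    sig = pow(digest(encode(hashes), key["n"]), key["d"], key["n"])
    return {"hashes": hashes, "sig": sig, "signer": key["n"]}

def passive_auth(data_groups, sod, trust_store, check_trust=True):
    # Inspection system: returns "OK" or the reason for rejection.
    n = sod["signer"]
    if check_trust and n not in trust_store:
        return "REJECT: signer not in trust store"
    if pow(sod["sig"], E, n) != digest(encode(sod["hashes"]), n):
        return "REJECT: bad signature on security object"
    for name, blob in data_groups.items():
        if hashlib.sha256(blob).hexdigest() != sod["hashes"].get(name):
            return f"REJECT: {name} does not match signed hash"
    return "OK"

# Constructed sample data: two data groups and two toy keys.
GENUINE = {"DG1": b"constructed MRZ data", "DG2": b"constructed face image A"}
ALTERED = dict(GENUINE, DG2=b"constructed face image B")
COUNTRY = make_key(2**61 - 1, 2**89 - 1)    # signer the verifier trusts
OTHER = make_key(2**107 - 1, 2**127 - 1)    # signer absent from the trust store
TRUST = {COUNTRY["n"]}

def demo():
    sod, resigned = issue(GENUINE, COUNTRY), issue(ALTERED, OTHER)
    return {
        "genuine": passive_auth(GENUINE, sod, TRUST),
        "altered_dg2": passive_auth(ALTERED, sod, TRUST),
        "resigned": passive_auth(ALTERED, resigned, TRUST),
        "resigned_no_trust_check": passive_auth(ALTERED, resigned, TRUST, check_trust=False),
    }

print(demo())
```

The last case is the only altered document that passes, and it passes only because the signer is never compared against a trust store.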

  • by Anonymous Coward on Thursday August 07, 2008 @09:16AM (#24508837)

    One big problem with America today is that it's too US-centric. As an example, TFA is about the UK, but you just assumed it was about the US...

  • Re:Um, well... (Score:3, Informative)

    by Fred_A (10934) <(fred) (at) (fredshome.org)> on Thursday August 07, 2008 @09:43AM (#24509181) Homepage

    That wasn't very clear but from what I remember of the way this thing works, each country, or passport issuing authority has a master key. This key _may_ be used to sign and possibly encrypt the data on the passport's memory chip. The whole thing is basic PKI. However almost nobody seems to bother with implementing the PKI bit since it seems to be optional. Apparently reading a RFID passport seems to be magic enough that nobody's expected to figure it out.

    If somebody is more familiar with the details, feel free to correct me, it's been a while since I looked into this.

  • by Hal_Porter (817932) on Thursday August 07, 2008 @10:08AM (#24509501)

    It shows the benefit of this kind of outside security analysis, which should have probably been executed during the development process.

    Better the issues be uncovered now than when the issuance is widespread.

    There's always a loophole.

    There was lots of analysis. Years in fact. If you Google you can see there were groups working on MRTD standards since 1968. Biometric passports were conceived in 1997 and implemented in 2004, only because the US wanted to speed up the process after 9/11. That's still 7 years!

    Plenty of time for various committees of tire kickers to muse on the security of the system.

    http://www.rfidsec07.etsit.uma.es/slides/present/slides-1.1.pdf [etsit.uma.es] page 6

    1968: ICAO starts working on MRTD
    1980: first standard (OCR-B Machine Readable Zone (MRZ))
    1997: ICAO-NTWG (New Tech. WG) starts working on biometrics
    2001 9/11: US want to speed up the process
    2004: version 1.1 of standard with ICC
    2006: extended access control under development in the EU

    In fact if you do some research this cloned passport would be detected by a system which verifies the trust chain correctly, i.e. it was a flaw in the software he tested with. Most likely the systems used at airports do verify the trust chain.

  • by Anonymous Coward on Thursday August 07, 2008 @10:21AM (#24509691)

    Actually, in some airports, like Schiphol in the Netherlands, you can bypass passport control by using a retina scanner.

  • by illegalcortex (1007791) on Thursday August 07, 2008 @10:40AM (#24509987)

    Reading the article, it's not as simple as that. There's not just an authentication system that can be toggled on and off. Each country has their own public key, which they can decide to share with other countries. Right now, 45 countries manually share keys. Ten of them have signed up to an automated public key database. Only five of them are using it right now. So if you come from a country other than those 45, your passport never gets authenticated anyway. Bureaucracy being what it is, who knows when those numbers will grow much larger.

    Also, think about the potential for corruption. All you'd need is someone in the government who you could bribe to give you the private key. Think Pakistan, India, Romania, etc. Then you've actually got an authenticated passport that lulls the passport checker into a false sense of security. They think they've got added security when actually they don't.

  • by apathy maybe (922212) on Thursday August 07, 2008 @11:12AM (#24510439) Homepage Journal

    Mine says not to leave *on top of* the microwave, or even the TV. So I do. It also says not to bend etc., I do that too.

    Actually though, five seconds in the microwave should be enough to disable the chip.

    There have been lots of discussions on the very point, see for example:
    http://www.schneier.com/blog/archives/2006/09/renew_your_pass.html [schneier.com]
    http://www.davidicke.com/forum/showthread.php?t=20832&page=2 [davidicke.com]
    http://gizmodo.com/gadgets/wireless/how-to-disable-the-rfid-chip-in-us-passports-224321.php [gizmodo.com]
    http://www.engadget.com/2006/12/26/how-to-disable-your-e-passports-rfid-chip/ [engadget.com]

    Or you could do a search for disabling passport RFID or something like that.
    (What I got out of briefly reading those discussions is either a magnet (CRT computer monitor or TV I guess would be easiest), or else a hammer.)

  • by Jah-Wren Ryel (80510) on Thursday August 07, 2008 @12:05PM (#24511155)

    Fingerprinting in Japan didn't start until late last year, so I'm not sure how you got biometric data put in your passport a couple of years ago.

    And:

    (a) the Japanese put the results in their systems, not Australia's and not on the passport itself
    (b) US customs takes prints but doesn't do a comparison with anything but their own database and it ain't a real-time lookup either

    so one way or another there must be more to the story.

  • Not so much... (Score:4, Informative)

    by LanMan04 (790429) on Thursday August 07, 2008 @03:14PM (#24514359)

    FWIR about 1/3 of Iran's population is blonde haired and blue eyed. The Caucasus mountain range (from which we get the term Caucasian) is partly in Iran. So if Iran or part of their population (the government) is evil that whole profiling thing starts to not work real fast.

    I'm not arguing against profiling, but stating that 1/3 of Iran's population is "blond haired and blue eyed" is totally misleading.

    Caucasian != look like you're from Sweden

    About the "whitest" people in Iran are the Azeri [wikipedia.org], and maybe the Mazandarani [wikipedia.org], and I highly doubt you'd label any of them blond haired and blue eyed.

    http://en.wikipedia.org/wiki/Image:Caucasus-ethnic_en.svg [wikipedia.org]
