Forgot your password?
typodupeerror
Privacy Technology

Chipped Passport Cloned In Minutes 326

Posted by samzenpus
from the unsafe-at-any-customs-counter dept.
Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"
This discussion has been archived. No new comments can be posted.

Chipped Passport Cloned In Minutes

Comments Filter:
  • Um, well... (Score:5, Insightful)

    by superphreak (785821) on Thursday August 07, 2008 @08:02AM (#24508261) Homepage
    Is anyone surprised? At all? Seriously...
    • by Anonymous Coward on Thursday August 07, 2008 @08:05AM (#24508281)

      Well, they didn't make him take his shoes off - so no, I am not surprised.

    • Re:Um, well... (Score:5, Interesting)

      by Fred_A (10934) <fredNO@SPAMfredshome.org> on Thursday August 07, 2008 @08:07AM (#24508297) Homepage

      Hasn't this been known for a long time ?

      Some extra security could be added to the chips (proper key signing IIRC) but never is. Everybody knows about this but since it makes the US happy as part of their security theatre, nobody cares.

      • Re:Um, well... (Score:5, Interesting)

        by TheLink (130905) on Thursday August 07, 2008 @08:10AM (#24508317) Journal
        It's mostly theatre. Bad people get valid passports too.

        Only in a few cases are those passports revoked.
        • Papers, bitte. (Score:5, Interesting)

          by monkeyboythom (796957) on Thursday August 07, 2008 @10:39AM (#24509977)

          I have to say the more we rely on "foolproof" technology, the more we rely on fools to operate the machinery.

          I have to admit the Germans had it nearly right. Almost nothing beat the steely-eyed glare of a Hauptsturmführer asking for your passport -- unless of course you have a John Williams musical score swelling in the background, and even then it would be a life changing, tension filled 2 minutes of your life going by you.

      • Re: (Score:3, Insightful)

        by kingtonm (208158)

        The sad thing is, that as someone who has never been to the US and who can't see myself travelling frequently I don't want to have to pay for a poorly design or implemented system which my government might wind up relying on for things that actually do matter to me.

      • Re:Um, well... (Score:5, Insightful)

        by DrLang21 (900992) on Thursday August 07, 2008 @08:17AM (#24508375)
        I recently had a conversation at work about security issues. The fact is that any security system can be beaten. You can keep trying to make it more and more difficult to beat, but at some point you just have to decide that it's good enough. At the same time, you don't want your security to be so over the top that it is either prohibitive such that people are encouraged to find a work around, or it's just plain ineffectual. Adding chips to passports isn't a bad idea (if they actually put enough security in them to make it prohibitive to emulate), but it's not a replacement for old fasion visual inspection.
        • Re:Um, well... (Score:5, Insightful)

          by Swizec (978239) on Thursday August 07, 2008 @08:21AM (#24508425) Homepage

          At the same time, you don't want your security to be so over the top that it is either prohibitive such that people are encouraged to find a work around, or it's just plain ineffectual.

          Oh you mean like DRM? Prohibitive and ineffectual never stopped corporations before, why would it the government?

          • Re:Um, well... (Score:5, Insightful)

            by Hal_Porter (817932) on Thursday August 07, 2008 @09:52AM (#24509283)

            This is more like PGP signing. DRM has a flaw in that the user must be able to decrypt so the decryption key must be available. PGP signing is much more secure since you only need to know the private key if you sign. Verifying is done with the public key which is not secret.

            The passport contains data - name, address, photograph (and in future fingerprints and retinal scans). When the passport is made this data is digitally signed with the private key in some secure system.

            There is a trust chain from the per country CSCA (Country Signing Certificate Authority) down to the DS (Data Signers) down to the passports.

            See here, page 13
            http://www.rfidsec07.etsit.uma.es/slides/present/slides-1.1.pdf [etsit.uma.es]

            In the UK as far as I know there is only one DS, the Foreign and Commonwealth Office even for passports issued overseas (I got mine renewed from a non biometric one in Stockholm and the issuer is still marked as FCO not British Embassy Stockholm). So to check the trust chain you need the public keys for the CSCA and the DS that made a passport. The article says that "But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it." But elsewhere it says "Some of the 45 countries, including Britain, swap codes manually, but criminals could use fake e-passports from countries that do not share key codes, which would then go undetected at passport control". True, but if you used a clone British Passport anywhere with access to the shared keys it will be caught if you don't know the British private CSCA key. And any country that doesn't share it's public key could be threatened with being dropped from visa waiver programs, so it's fair to assume that given time they all will. Any country who leaked their private key could be handled the same way.

            As someone commented to the article

            Seemingly Mr Van Beek created only a copy of personal data with fake certificates, keys and signatures to fool only the reader he was using. In real life if he could have been able to put the chip into a real passport control systems where data is checked against the CSCA and DS certificates he would have been arrested at the same moment.

            The problem with not having a PKD is that people who don't have access to manually swapped public keys cannot verify the passport. But I bet the scanners in airports do. Installing 45 CSCA keys, one per country, and one or more DS keys per country is not very hard to do.

            I actually wonder how serious this is - of course a faked passport will not be detected by software that cannot verify the trust chain. The systems at airports can do this from what I've read.

            • Re:Um, well... (Score:5, Insightful)

              by Jah-Wren Ryel (80510) on Thursday August 07, 2008 @11:50AM (#24510939)

              I actually wonder how serious this is - of course a faked passport will not be detected by software that cannot verify the trust chain. The systems at airports can do this from what I've read.

              Identity Shopping.

              The process of finding a cryptographically secured ID of someone else that is "close enough" to pass visual inspection. No key swapping required.

              The passport contains data - name, address, photograph (and in future fingerprints and retinal scans).

              The day when real biometrics are included on passports is a long way off, and honestly I hope it never comes - but even if it does, the birthday problem will be enough to enable identity shopping.

              Furthermore, rfid based passport data can be snooped from a relative distance, attempts to build a faraday cage into the cover are a colossal fail. Put a snooper in a doorframe somewhere high-traffic - like a touristy shopping area - and you can record the data of every passport that walks through, yielding thousands of potential identities to shop from every day.

        • Re: (Score:3, Insightful)

          by jimicus (737525)

          I recently had a conversation at work about security issues. The fact is that any security system can be beaten.

          I have a variation on that.

          The only 100% guaranteed secure computer system is one that's been pulverised into little shards of metal and encased in concrete.

        • by caluml (551744)
          Indeed. Someone once (on here?) remarked that you can't make a bank invulnerable to being robbed/broken in. What you can do, however, is boost the security to a point where breaking in requires so much time, equipment and risk that it becomes prohibitive.
          Bank 1: £100k, in a shoe box, guarded by a blind old lady.
          Bank 2: £100m, in a state of the art, underground steel vault, guarded by 100 men with guns and sensors all over the place.

          You can, with enough time, people, and equipment rob both su
          • by xaxa (988988)

            Bank 1: £100k, in a shoe box, guarded by a blind old lady.

            *knock* *knock* *knock*
            *creeeeeeeeek*
            "Hello, I've come to read the water meter."

            Bank 2: £100m, in a state of the art, underground steel vault, guarded by 100 men with guns and sensors all over the place.

            I think that's safe from me.

        • but it's not a replacement for old fasion visual inspection.

          I've been through airports in portugal where there is no human visual inspection. If you have a biometric chipped passport, you can go in a different lane where a machine verifies your image matches that on the chip.

          If you are going to effort of putting in a security system, at least put in one known to work.

    • by Z00L00K (682162)

      Considering the long time of low standards when it comes to protection against forging of passports this is hardly surprising.

      And turn it on it's head instead - the majority of the people traveling around the world shouldn't be needing passports or visas. It's only a select few that actually are of interest to the authorities, so maybe it's time to find a better method.

    • Re: (Score:3, Interesting)

      by hey! (33014)

      Well, a couple of years ago I worked for an outfit that was hired by a startup that was going after various pots of government money. They wanted to sell technology to the DoD for, among other things, tracking reconstruction needs and efforts in Iraq.

      They didn't have any engineers, so they hired us. The application they were promising cost about 10x what they were willing to pay, so pretty much the understanding was they were getting a model -- not even really a prototype -- of what the application might

  • I want one! (Score:5, Funny)

    by PC and Sony Fanboy (1248258) on Thursday August 07, 2008 @08:03AM (#24508267) Journal
    I'd like one, preferably with a large memory chip added, so I can combine all my fake passports into one.

    Oh, and I'd like some fake passports.
  • by kale77in (703316) on Thursday August 07, 2008 @08:07AM (#24508299) Homepage
    ... when you can be a respectable "computer researcher"?
    • by Anonymous Coward

      I'm head of retail logistics, so I have to get back to stocking shelves now.

    • by dnwq (910646)

      The tests for The Times were conducted by Jeroen van Beek, a security researcher at the University of Amsterdam.

      because being a l33t sup4 h4x0r doesn't actually require any, you know, qualifications.

    • Re: (Score:2, Funny)

      by iveygman (1303733)
      Only if I get paid at least 1337 dollars a week.
      • Re: (Score:3, Funny)

        by slashname3 (739398)
        And take a pay cut?
  • by Anonymous Coward

    It shows the benefit of this kind of outside security analysis, which should have probably been executed during the development process.

    Better the issues be uncovered now than when the issuance is widespread.

    There's always a loophole.

    • But, they couldn't spend more time developing the technology the marketing literature was ready. If they're ready to market a the product, the product is definitely done isn't it? We'll still be able to test it, we just have to focus on the launch first.
    • Re: (Score:2, Informative)

      by Hal_Porter (817932)

      It shows the benefit of this kind of outside security analysis, which should have probably been executed during the development process.

      Better the issues be uncovered now than when the issuance is widespread.

      There's always a loophole.

      There was lots of analysis. Years in fact. If you Google you can see there were groups working on MRTD standards since 1968. Biometric passports were conceived in 1997 and implemented in 2004, only because the US wanted to speed up the process after 9/11. That's still 7 years!

      Plenty of time for various committees of tire kickers to muse on the security of the system.

      http://www.rfidsec07.etsit.uma.es/slides/present/slides-1.1.pdf [etsit.uma.es] page 6

      1968: ICAO starts working on MRTD
      1980: first standard (OCR-B Machine Readable Zone (MRZ))
      1997: ICAO-NTWG (New Tech. WG) starts working on biometrics
      2001 9/11: US want to speed up the process
      2004: version 1.1 of standard with ICC
      2006: extended access control under development in the EU

      In fact if you do some research this cloned passport would be detected by

  • Are these electronic passports related to electronic voting?
    It's becoming obvious that low-tech paper is preferable in both elections and passports.
    • by pha7boy (1242512) on Thursday August 07, 2008 @08:18AM (#24508387)

      It's becoming obvious that low-tech paper is preferable in both elections and passports.

      yes, cos god knows, paper passports were NEVER falsified.

      • by LaminatorX (410794) <sabotage@@@praecantator...com> on Thursday August 07, 2008 @09:16AM (#24508831) Homepage

        Sucessful paper forgeries are usually more time consuming to create, and require skills that are less common in this day and age.

        Or another way, a forged passport is one forged passport. A broken authentication system is a thousand forged passports.

    • by stainlesssteelpat (905359) on Thursday August 07, 2008 @08:21AM (#24508423)
      I got one of these new fandangled passports a few years ago when I went to Japan, got fingerprinted electronicly at customs and thought nothing of it, with all the post 9/11 sentiment it sucks but i can't see it going away now. Anyway point is I'm an ex chef (still part time while at uni), so when I flew into newark to go visit my girlfriends parents with her in Fargo I get hustled into an interview room. I thought it was on account of being heavily tattoed and having dreadlocks and being under 30. Anyway, I get grilled by this mean assed gentlemen from customs about how I got this passport. Turns out the damage done to my hands over the course of two years, meant that thier software didn't match the biometric that Japanese customs had put on there. Got sorted out eventually, 2 hours nearly missed my connection from JFK. Was more bemused than anything, US customs don't get Aussie humour thats for sure.
      • Re: (Score:2, Insightful)

        by sa1lnr (669048)

        Customs don't get humour anywhere.

    • Obviously, the problem is that there aren't *enough of these spoofable chips. We should have them in our passports, cars, cellphones, and under the skin. 'Cause of terra.

    • Re: (Score:3, Insightful)

      by DNS-and-BIND (461968)
      Mayor Daley and JFK would like a word with you. Or heck the PRI in Mexico stole elections for 90 years using nothing but paper ballots. Pretending that paper is somehow better is folly.
      • by AGMW (594303) on Thursday August 07, 2008 @09:02AM (#24508733) Homepage
        Pretending that paper is somehow better is folly.

        Hmmmm. OK, but the corollary may well be that pretending something other than paper is any better is also folly!

        As some other poster says above, you want a level of security that makes it sufficiently difficult for joe-public to not think about trying to beat it, but not so intrusive as to adversly affect people's lives too much in day-to-day use.

        All the claptrap and palaver to do with air travel goes too far down the "intrusive" side of things, without actually offering any greater level of security (hence the term Security Theatre [wikipedia.org]). The attempt to track every individual using ID cards [no2id.net], etc, is also too intrusive, and just as ineffective - whereas a simple chip containing a picture which is displayed when the passport (or credit card) is put into a reader would allow a human to easily compare the picture with the person and thereby foil most of the casual passport/credit card fraud.

        Finally, you have to recognise that you CANNOT completely stop people from doing bad things and to think you can will lead to the 1984-type society that most right-minded people fear is where we are going already!

        • by cmat (152027) on Thursday August 07, 2008 @09:17AM (#24508849)

          As an aside, there is a parallel between pictures on ID and encryption: A picture on an ID allows me to verify that you look exactly like the guy on the ID (for various definitions of "exactly"), and symmetric encryption allows me to be fairly certain no one is listening in on a communication (assuming protected keys, sufficient key size, etc). But neither allow me to KNOW who you are or who I am communicating with. In other words, both systems fail at authentication, which is, in the end, what passports are trying to provide, and many people think encryption provides.

      • by Goaway (82658)

        Yeah, and you know about those.

  • by rarel (697734) on Thursday August 07, 2008 @08:11AM (#24508325) Homepage
    Captain Hammer will save us.
  • by Wanderer2 (690578) on Thursday August 07, 2008 @08:11AM (#24508329) Homepage

    The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it.

    The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).

    • by mpe (36238)
      The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).

      Any guesses on how secure the private keys for these signatures are likely to
      • by ettlz (639203)

        Any guesses on how secure the private keys for these signatures are likely to be?

        About the same likelihood as your average Home Secretary knowing what a private key is?

      • by Wanderer2 (690578)

        Any guesses on how secure the private keys for these signatures are likely to be?

        I'm sure they'll never be put on CD to be sent elsewhere then lost by a courier... or put on someone's laptop then left on the 18:15 from Waterloo. ;)

    • by Ed Avis (5917)

      Yeah, as far as I can tell the problem is that nobody bothered to import the public keys of all the world's passport signing authorities. In a sane world, each country would publish their public key on a web page, and maybe have paper copies available from embassies so you could check you weren't getting a fake. (Indeed, the passport authority's key signature could be printed on the inside front page of every passport issued, just to get it as widely distributed as possible.)

      • by Wanderer2 (690578)

        (Indeed, the passport authority's key signature could be printed on the inside front page of every passport issued, just to get it as widely distributed as possible.)

        Would a forger then be able to replace the printed key with one of their own and if so would anyone notice?

        I agree it seems silly that most countries haven't signed up to share their public keys yet. Without them you can't verify who actually generated the data on the passport.

    • by QX-Mat (460729)

      Sadly that's the problem. Noone in power seems to "get it".

      We have an illusionary mechanism of security, when all we can validate is the validation - or worst still, all we can validate is the appearance of some kind of mechanism that if tested would prove our authenticity. We are insecure if the process of testing this security is too taxing as to render it unused.

      Authenticating who you say you are vs who you're allowed to be is a trivial problem of matching biometric information that you supply with that

  • by pha7boy (1242512) on Thursday August 07, 2008 @08:13AM (#24508343)
    see, that's why you should take a hammer to that sucker. And when the border guard asks you what happened... say that you sat on it :)
  • by gavron (1300111) on Thursday August 07, 2008 @08:15AM (#24508359)
    If the passport authorities of the world want to authenticate a passport they *MUST* check its signature to ensure it is valid.

    Their outright failure to do so for at least a year for the UK and perhaps many more for other countries means that the digital information is less valid than the information imprinted on the card. Less valid because it's far easier to change, and shows no signs of alteration.

    In other words, countries that don't authenticate, and rely on the digital information alone are *MORE* insecure and open to falsification than those who do authenticate.

    Security: Not a tradeoff of civil liberties, but an intelligent application of a variety of techniques.

    Authentication: When available USE IT, don't just put it off and trust easily-modifiable data. When in doubt look at the printed picture and the text. *THAT* is harder to change without showing signs of alternation.

    Encryption: I guess if they can't get the key database working for simple authentication (or even a #$&*(#$ hash) they're not going to figure out the encryption stuff either.

    Hi Bruce.

    Ehud

  • by segedunum (883035) on Thursday August 07, 2008 @08:21AM (#24508415)
    Come up with a lame technical 'solution' to identity theft to help stop the completely over-hyped global terrorism threat, and then make the whole thing even easier by allowing easy cloning of existing passports. Be in several places at the same time! All you need is one loophole and it propogates.

    Additionally, I see no improvements to the initial checking of who is eligible for a passport to try and sort out the Day of the Jackal fraud:

    http://en.wikipedia.org/wiki/The_Day_of_the_Jackal [wikipedia.org]

    Using some form biometric system that seems to be implicitly trusted is even more dangerous, since if you can get your bogus identity trusted then people aren't ever going to question it.
    • Using some form biometric system that seems to be implicitly trusted is even more dangerous, since if you can get your bogus identity trusted then people aren't ever going to question it.

      It's like gaining root access.

      But really, do we really want infallible digitalized security? Seriously, hear me out.

      There are undesirables that we want to catch if they try to cross a border. Fine.

      There is also an enhanced ability to deny people travel for less-than-good reasons. I don't like the possibility that a fe

  • by erroneus (253617) on Thursday August 07, 2008 @08:23AM (#24508437) Homepage

    ...at least not human technology.

    Without exception, everything we try to lock up with a key can be unlocked by someone else. I'd like to hear it from anyone else that they recognize the fact that locks only keep honest people out and then perhaps we can move on to the bigger issue of why they are trying so hard to control honest people.

  • by ivothamdrup (991171) on Thursday August 07, 2008 @08:24AM (#24508441)

    The tests were conducted by Jeroen van Beek, a security researcher at the University of Amsterdam

    ... and now a no-fly list nominee for engaging in terrorist activities.

  • by g0dsp33d (849253) on Thursday August 07, 2008 @08:30AM (#24508475)
    Who needs passports to get into a country anyway?
  • by FlyingBishop (1293238) on Thursday August 07, 2008 @08:30AM (#24508477)
    The article says that the problem is that the public keys to the chips aren't being used. Every country maintains their own database of public keys used to identify the passwords. The databases aren't all properly set up to synchronize, so the system must accept all chips from countries that have not synchronized, basically rendering the encryption moot if you know which countries haven't authenticated properly. So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless. Even if everyone was synchronizing properly, such a system sounds highly vulnerable to a cache poisoning attack of some sort.
    • by DragonHawk (21256) on Thursday August 07, 2008 @09:19AM (#24508877) Homepage Journal

      So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless.

      Technically accurate. But. The chip by itself is worthless. It's only worth something if it counters some kind of threat. This is why security isn't about products or techniques, it's about working systems. If the "chipped passports" don't have a working PKI, then there's really no point to the chips. They go together.

      ObQuote: "Security is a process, not a product." -- Bruce Schneier

  • Why is it that one after another after another after another of these government-sponsored security systems keep failing? I just don't get it. We give them infinite amounts of money to spend protecting us from something FAR less dangerous than ourselves (compare # of US gun crime victims to # of US terrorist victims sometime), and they consistently do a half-assed job.

    In about 1960, we decided to go to the moon. In 1969, we were there. Done and dusted -- and a government program, at that. Has America just l

    • No matter what they seem to claim, the state cannot protect us. One of the main justifications of the state's existence, security, falls flat on its face every time. When it comes right down to it, bureaucrats are very poor at what they are supposed to be doing.

  • I think we're overlooking a very important reason for this sort of screwup. Yes, they're incompetent. And yes, it's theater. But consider this: if security measures are ineffective, sooner or later there'll be another successful attack. And what happens then?

  • Misleading info? (Score:5, Informative)

    by Daemonic (575884) on Thursday August 07, 2008 @08:55AM (#24508665)
    The article contains the line:

    Many of the 9/11 bombers had travelled on fake passports.

    Now I could be wrong, but I thought all the 9/11 bombers were legally allowed to be where they were, and were using valid documents?

    I think what might have been the case is that they HAD used fake passpports in the past. The way this phrases it though suggests that a better implementation might have helped avoid 9/11, which is news to me.

  • by The Angry Mick (632931) on Thursday August 07, 2008 @10:33AM (#24509865) Homepage

    A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber.

    So now we can look forward to seeing thousands of people all sporting Osama Bin Laden pictures on their passports. It'll be as fashionable as Che Guevara t-shirts.

    The TSA will love it because they can announce that they've caught Bin Laden every day for the next 20 years, thus justifying their continued existence.

Bus error -- please leave by the rear door.

Working...