Researchers Find Problems With RFID Passport Cards

An anonymous reader writes "Researchers at the University of Washington have found that RFID tags used in two new types of border-crossing documents in the US are vulnerable to snooping and copying. The information in these tags could be copied on to another, off-the-shelf tag, which might be used to impersonate the legitimate holder of the card." You can also read the summary of the researchers' report.

Re:Anonymous Coward

[L4t3r4lu5]

Already been done. [thinkgeek.com]

Security

[supernova_hq]

I guess this is especially bad, considering their security! [washingtontimes.com]

Re:Anonymous Coward

[will_die]

Too expensive cheaper here [smartcardfocus.com].

Re:Elvis

[Yvanhoe]

You may or may not be aware that this very hack happened with the European version of the RFID passport in september :

http://hackaday.com/2008/09/30/cloning-and-modifying-e-passports/ [hackaday.com]

By the way, the most "funny" thing I saw about RFID passports was that in Pakistan, at least one occurrence of "American passport bearer detection" has occurred in a market crowd. Fortunately, the goal was then to steal the passport, not behead the bearer.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Again

[will_die]

The purpose was to decrease the time it took to process a passport aka person. Bar codes can have problems being read and take more time to scan then RFIDs. In addition the RFID contain the same information you see in the passport, so that you can check that against the database and future use would allow checking the RFID stored photo with a camera scan to verify ID.

The problems mentioned here and elsewhere are that you can copy an RFID make a duplicate of it. With a regular passport that is not really a problem, excluding privacy since they contain personnal data but the US system and others are suppose to be encrypted so you cannot get the info without the physical passport so you can get the key, because your passport is checked against the database entery and then the person doing the check is suppose to compare the computer to the passport to the holder and they should all match. In this case the problem is that these are passport cards, not regular passports, designed for people who cross the borders all time and this will allow for quick processing with the passport card never being checked by human; same system that you have for toll road cards.
Since these cards and also drivers licenses are not encrypted and not checked by humans an evil person could copy the card, get your PIN and then have easy access to cross the border, provided they don't have sort of facial recognition system, being implemented, that checks your passport card against the database against the facial recognition system.

Re:nothing to worry

[ettlz]

One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain.

Really?! Because I thought here in the UK, one of the main stated reasons they started introducing RFID passports was to facilitate entry to the United States!

Re:Elvis

[Anonymous Coward]

By the way, the most "funny" thing I saw about RFID passports was that in Pakistan, at least one occurrence of "American passport bearer detection" has occurred in a market crowd. Fortunately, the goal was then to steal the passport, not behead the bearer.

Citation needed

Re:Again

[Yer Mum]

My first reaction would be to say that you are kidding, but then this is yet another example of policy laundering.

In the UK the government said it was because it was being deployed by the US.

Basically it was a working group from the US, UK, Canada, Australia, and New Zealand which pushed it onto the ICAO and then each country was forced to grudgingly and unwillingly implement this standard which they previously pushed for.

Quick!

[BigBadBus]

Someone call the Mythbusters! Oh, someone did? Darn.

Re:Again

[swillden]

The purpose WAS to increase security, and it works just fine. What these researchers did was simple, obvious and pointless.

Sure you can copy the data from one passport to another. So what? It still contains the original photo and any other biometrics, binding it to the true owner of the passport. The data can't be altered because it's digitally-signed. Someone else can impersonate the passport holder, but only if they have the passport holder's face. As more biometrics are added, they'll also need the passport holder's fingerprints, iris -- maybe someday they'll need the passport holder's DNA.

Now, the fact that the passport might be detectable from a distance is something of an issue. US passports have foil in the cover to create a mini Faraday cage and RF-isolate the chip when the passport is closed, so for holders of US passports the solution is simple: put a rubber band around your passport to hold it closed. Holders of passports from other countries may want to cover their passport in tinfoil if they're concerned about being tracked.

Re:nothing to worry

[spikejnz]

You do realize that there are currently 27 countries whose citizens are not required to get visas for entry into the US, right?

http://www.travel.state.gov/visa/temp/without/without_1990.html [state.gov]

You also realize that the US required these 27 countries to comply with their intent to implement RFID enabled passports, right? Should they decide NOT to implement the passports, they faced possibly losing their visa-free status.

"...requirements under the US Visa Waiver Programme which calls for countries to roll out their Biometric Passport before 26 October 2006."

http://www.wired.com/politics/security/news/2005/05/67418?currentPage=all [wired.com]