Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

E-Passport Cloned In Five Minutes

Posted by kdawson on Sun Dec 17, 2006 09:50 PM
from the if-more-proof-were-needed dept.
Privacy Security
Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."
+ -
story

Related Stories

[+] IT: RFID Passport Security "Poorly Conceived" 33 comments
tonk writes, "European expert researchers on identity and identity management summarize their findings from an analysis of passports with RFID and biometrics — Machine Readable Travel Documents or MRTDs — and recommend corrective measures that 'need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues... By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international MTRDs which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilizes technologies and standards that are poorly conceived for its purpose.' The European experts therefore come to similar conclusions as the Data Privacy and Integrity Advisory Committee of the US Department of Homeland Security in a draft report, which seems to be delayed."
[+] IT: British "Secure" Passports Cracked 305 comments
hard-to-get-a-nickna writes "The Guardian has cracked the so-trumpeted secure British passports after 48 hours of work: 'Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?'"
[+] Disabling the RFID in the New U.S. Passports? 294 comments
slashchuck writes "Along with the usual Jargonwatch and Wired/Tired articles, the January issue of Wired offers a drastic method for taking care of that RFID chip in your passport. They say it's legal ... if a bit blunt. From the article: 'The best approach? Hammer time. Hitting the chip with a blunt, hard object should disable it. A nonworking RFID doesn't invalidate the passport, so you can still use it.' While this seems a bit extreme, all indications seem to be these chips aren't very secure. How far will you go to protect or disable the RFID chip in your passport? Do you think such a step is necessary? Does anyone have an argument in favor of the technology's implementation here? "
[+] Technology: RFID Passports Cloned Without Opening the Package 168 comments
Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

E-Passport Cloned In Five Minutes 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Well then, (Score:5, Insightful)

    by QuantumG (50515) * <qg@biodome.org> on Sunday December 17 2006, @09:52PM (#17281836) Homepage Journal

    "It is hard to see why anyone would want to access the information on the chip."
    I guess that's what they call a failure of imagination.

    • Re:Well then, (Score:5, Insightful)

      by l2718 (514756) on Sunday December 17 2006, @10:04PM (#17281904)
      Well, it's true that if you already possess a passport and want to copy it, it's essentially the same problem with and without an RFID. It's also true that the RFID chip does stop the basic hack of replacing the photo in the passport (since the data on the chip is persumably read-only, and the chip can't be replaced without mutilating the passport). I think what the esteemed spokesman missed is the privacy implications (I can now read your passport without your knowledge). In particular, you can clone these passports without actually holding the original. In the past to clone a passport you needed the co-operation of its owner (if you steal a passport it's known to be stolen). Now you can make your own sure-to-be valid passport by just stepping into the airport and choosing an appropriate victim (someone who looks like you, perhaps?).

      • Re:Well then, (Score:5, Insightful)

        by swillden (191260) * <shawn-ds@willden.org> on Monday December 18 2006, @02:57AM (#17283440) Homepage Journal

        It's also true that the RFID chip does stop the basic hack of replacing the photo in the passport (since the data on the chip is persumably read-only, and the chip can't be replaced without mutilating the passport).

        Stronger than that, the data on the chip is digitally signed, so even if you can tracelessly replace the chip in the passport with a different one that has the photo you want, you're not going to be able to generate the appropriate digital signature for the altered data. This technology makes the passports effectively unalterable, as long as the chip is intact.

        I think what the esteemed spokesman missed is the privacy implications (I can now read your passport without your knowledge). In particular, you can clone these passports without actually holding the original.

        Not exactly. To read the passport data you have to have the authentication key. To get the authentication key, you need to have the passport, because the data that the key is derived from is printed inside. Note, however, that it has been shown that a large enough portion of the printed data is guessable, given basic information like the passport holder's name and a guess at his or her age, that the rest can be brute-forced pretty quickly. So there *is* a possibility it could be read without the owner's knowledge, but it's not completely trivial and does require some additional information.

        The US has addressed this issue by putting a shielding mesh in the passport cover, which isolates the chip when the cover is closed.

        • Tin foil hats, everyone (Score:5, Insightful)

          by h2g2bob (948006) on Monday December 18 2006, @01:53AM (#17283188) Homepage
          The ID cards themselves are just a distraction. The real agenda is the setting up of a big database with information on all citizens. While everyone debates ID cards, they get to do what they want with the database proposal. They can back down on ID cards later, and everyone is happy.

            • Yes, but not co-ordinated like this (Score:5, Insightful)

              by Anonymous Brave Guy (457657) on Monday December 18 2006, @09:20AM (#17284856)

              Yes, governments have databases about the citizens of their countries, for tax purposes, medical purposes, driver licensing and so on. That in itself is not unreasonable, as long as the data collected is necessary for the purpose, properly and securely handled, with suitable checks made on those with access to it and confidentiality maintained.

              The National Identity Register in the UK, however, will combine most of the existing government databases into a single, centralised point of failure. In practice, it will likely be the case that most government departments and many outside agencies will have access to all of the records about an individual, not just those they have reason to see.

              A second major concern is that the NIR will track every time it is checked. That won't help with the identity theft problem that follows from the above, unless the security of access is near-perfect across many thousands of people with access to the database. It will, however, mean that once the national ID card becomes the "easy option" for identity verification, the government has a handy record of each citizen's entire life: where they shop, which financial services they've been using, jobs they've been applying for, where they've travelled and who with, etc. There is simply no need for any state organisation to keep this sort of information about any citizen, other than when conducting legitimate surveillance of a suspect for genuine security purposes, with independent oversight.

              Identity thieves, however, already happy to be part of the fastest-growing and most profitable crime wave in recent history, have hit the jackpot. Just along the Slashdot front page from this story as I write this, there is another article estimating that 100 million personal information leaks have occurred within the past couple of years or so. If that combination isn't reason enough to stop the NIR plans right now, I don't know what kind of sanity prevails in the government's universe.

    • Re:Well then, (Score:5, Insightful)

      by Zemran (3101) on Sunday December 17 2006, @10:47PM (#17282202) Homepage Journal
      "It is hard to see why anyone would want to access the information on the chip."

      Just like it is hard to see why anyone would want to blow up an aircraft? I think that people are still thinking within the sandbox and not realising that the real risk is what we have not yet thought of. There will be lots of reasons to want to access the information and to change it or learn to create false IDs that Joe Average security assumes to be valid because it is state of the art.

    • Re:Well then, (Score:5, Interesting)

      by JimBobJoe (2758) <swiftheartNO@SPAMgmail.com> on Monday December 18 2006, @05:43AM (#17284054)
      I guess that's what they call a failure of imagination.

      It's a common failure that occurs in these scenarios.

      As part of my research on driver's licensing issues, when states added photos to driver's licenses (starting in the late 60's) the word "fraud" never entered the picture. Driver's licenses were essentially fraud free documents before the photographs were added--so it really never entered anyone's mind that things would change once the document became more powerful/useful/trusted.

      • Re:Well then, (Score:5, Insightful)

        by nonlnear (893672) on Sunday December 17 2006, @11:09PM (#17282328)
        UYFB (Use Your F***ing Brain): Do you want all the info on your passport's personal details page readable by absolutely everyone you walk by?

        Passport cloning isn't even the primary security concern here. Cloning a passport has become no harder or easier thanks to RFID. But Identity theft will become much much easier.

          • Re:Can I zap it? (Score:5, Interesting)

            by Alioth (221270) <dyls@alioth.net> on Monday December 18 2006, @06:01AM (#17284132) Homepage Journal
            Actually, they can and will deport you if the chip doesn't work.

            You make the invalid assumption that people at immigration desks are reasonable people - they are *not*. Some of them are little Hitlers with bad attitude, and the ones who aren't have their hands tied by the law - they have no discretion at all. If the law says you can't enter without a working chip, the immigration officer (even the world's friendliest and most reasonable one) has no choice but to deport you. Just as they would deport you if your passport photo was mutilated.

            (I'll make one exception for the little Hitlers - one notable aberration is Houston's immigration desks - those people are polite and make you feel welcome to the United States - truly refreshing to get to an immigration desk where it isn't just stony faces and demands to see that you have a return plane ticket. I frequently travel through Houston and they've always had good people there. Dallas Ft.Worth on the other hand - I will never travel through that airport again).

  • Was the Home Office spokesman an idiot? (Score:5, Insightful)

    by Salvance (1014001) * on Sunday December 17 2006, @09:53PM (#17281838) Homepage Journal
    "It is hard to see why anyone would want to access the information on the chip." Hmmm... it's also hard to see why anyone would want my credit card information, SSN, address, etc. I'm sure nobody really wants to know any personal information about me at all, and I'm sure nobody would ever want to forge any of my identifying documentation.

    Something is just wrong with the UK's Home Office. Today I read that they will now classify panty theifs as sex offenders [sundaymirror.co.uk], receiving the same long-term classification on the sex offenders' registry as child abusers, rapists, and child pornographers.

    • Re:Was the Home Office spokesman an idiot? (Score:5, Funny)

      by Dunbal (464142) on Sunday December 17 2006, @10:42PM (#17282172) Homepage
      they will now classify panty theifs as sex offenders

            Thank God stealing a bra is still ok...I was worried for a second there.
      • If my name is written on someone else's panties, I demand to know why!

        ob Simpsons:
        Skinner: Oh, it's a miracle no one was hurt.
        Otto: I stand on my record - fifteen crashes and not a single fatality!
        Lou: Let's see your license, pal.
        Otto: No can do. Never got one. But, if you need proof of my identity, I wrote my name on my underwear... Oh wait, these aren't mine!
        Skinner: Well that tears it! Until you get a license and wear your own underwear, mister, you are suspended without pay!

      • Re:Was the Home Office spokesman an idiot? (Score:5, Insightful)

        by LordLucless (582312) on Sunday December 17 2006, @11:57PM (#17282592)
        Awesome. Let's book kids who sneak some booze when they're underage with the same charge as heroin dealers. They're probably just building up the courage to do something more serious. Of course, there's always the whacky notion that the punishment should fit the crime that was actually committed rather than what we think they might do in the future.

      • Re:Was the Home Office spokesman an idiot? (Score:5, Insightful)

        by RexRhino (769423) on Monday December 18 2006, @12:38AM (#17282840)
        This is absolute bullshit. There has been absolutly no research to determine if an 18 year old who has sex with a 17 year old classmate, or a guy streaking as part of a college fraternity prank, or a guy who has consentual sex with other adult men in a public-park lavatory, or the couple who park up on "lovers lane" to have sex, or a married couple who has oral sex in Arkansas, or the 90% of "sex offenders" who never did anything that wouldn't be legal or a misdemeanor if they where only done in San Fransico or Amsterdam, are likely to do anything!

        Only a tiny fraction of the people who are being branded second class citizens for life, and being subjected to a lifetime of harrasment and violence at the hands of vigilantes, did anything remotely like rape or molestation. Most commited only voluntary, consentual sex acts with people their own age.

        Sex offender lists, and their sister paranoia law enforcement, Do Not Fly list, are part of our societies current irrational, paranoid, fear of boogie men - being afraid of sex offenders or terrorists depending on where you live and your political beliefs. Personally, I am far more disturbed by the people who believe their friends or neighbors are all devious sexual preditors lurking to rape their kids - If anything I would be far more worried about the guy who is constantly paranoid of sex offenders (ala Mark Foley), than I would the college football players who get arrested doing a panty raid on the girls sorority. Or I would be far more frightened of the people who think everyone named "Mohammed" may be a terrorist, than I would be of someone named "Mohammed" sitting next to me on a plane.

        Maybe read Author Miller's "The Crucible" ( http://en.wikipedia.org/wiki/The_Crucible [wikipedia.org] ) to get a good idea of the sort of Moral Panic ( http://en.wikipedia.org/wiki/Moral_panic [wikipedia.org] ) our society is in today.

  • In other news, bureaucrats develop sentience (Score:5, Insightful)

    by zuki (845560) on Sunday December 17 2006, @10:04PM (#17281906) Journal
    As it may be, the people in charge of budgetary approval for the programs which put all of these RFID solutions
    into place will steadfastly deny that anything is wrong until they are forced to do so, as agreeing that those are
    potentially high security risks would otherwise equate it with having to backtrack on what they previously approved,
    even though they were amply forewarned by many in the security-related field.

    It's really about not losing face at any cost, lest people start questioning other methods they employ.

    Human nature, really. Look no further than the voting machines controversy for parallels here in the US.

    Z.

  • At least they can publish this... (Score:5, Interesting)

    by rrohbeck (944847) on Sunday December 17 2006, @10:05PM (#17281914)
    Now another researcher has shown how to clone a European e-Passport in under 5 minutes.

    Thanks to a software he himself has developed, called RFdump, he downloads the passport's data onto his computer and then onto a blank chip.

    How long would it take for some 3 letter agency to show up at their door in the US?

  • Open Rights Group - Biometric passport (Score:5, Informative)

    by rimberg (133307) on Sunday December 17 2006, @10:10PM (#17281938) Homepage
    The Open Rights Group [openrightsgroup.org](Think UK EFF) have a wiki page that provideds more information on this an othere issues with the British Biometric Passport [openrightsgroup.org] The European version of the biometric passport is planned to have digital imaging and fingerprint scan biometrics placed on the Radio Frequency chip. The government of UK thinks that the public has a negative opinion of RFID chips so instead they call it a contactless chip.

  • huh? (Score:5, Insightful)

    by jshackney (99735) on Sunday December 17 2006, @10:15PM (#17281974) Homepage
    It is hard to see why anyone would want to access the information on the chip.

    If no one would want to access that information, then why is it on the chip? Why even bother with the chip? Why even bother with the information?

  • The Solution is Obvious (Score:5, Funny)

    by serutan (259622) <doug@@@geekazon...com> on Sunday December 17 2006, @10:47PM (#17282204) Homepage
    Throw the researchers in jail for showing the weakness in the system. Problem solved!

  • The proper response is... (Score:5, Insightful)

    by Todd Knarr (15451) * on Sunday December 17 2006, @11:22PM (#17282402) Homepage

    The proper response to that spokesman is "Well then, you won't mind lending us your passport for a minute, so we can copy it and put copies on sale in <district with notorious reputation>, will you?".

    Some politicians simply need the problem made their personal problem before they'll see it.

    • Re:completely ignores the point (Score:5, Insightful)

      by Dunbal (464142) on Sunday December 17 2006, @10:25PM (#17282048) Homepage
      It's a scary world when those who are old and have little clue about technology (the politicians) are told they need a high tech solution to a security issue.

            Careful. The hippies used to complain about how all the old farts in power didn't have a clue back then. Now they're running things, and look where we are. I shudder to think about what the world will be like when it's YOUR turn...
    • RFID IDs are TERRIBLE for personal security, because it adds RANGE to detection and forgery. Parent post has ABSOLUTELY missed the point.

      No one is claiming that magnetic stripes and/or bar codes are bad for security. In both cases they make it very marginally harder to copy and virtually eliminate data-entry errors. RFID has a BIG problem beyond that: It can be read without the knowledge of the holder.

      No one can read the inside of my paper passport without me giving it to them - nor my magstripe nor bar code. I have complete control over who sees it. Sure, I might be conned into showing someone, but they have to con me. RFID means that:

      1. They can copy my information without me ever showing it to them.
      2. They can READ my information without me ever showing them, allowing them to identify me from a distance.
      3. Even with a perfectly random RFID system, they can identify your nationality from afar, which obviously may make you a target in some circumstances.

      To be SAFE, an RFID system must have a) zero emissions in the closed state (eg a tested foil cover) AND b) No non-random information broadcast from the chip. (that is, a random passportID that is broadcast that has NO other information until you look it up in the appropriate database.)

      "b" is necessary because "a" alone still allows someone nearby you to snoop whenever you have to show your passport somewhere.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.