E-Passport Cloned In Five Minutes
Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."
Open Rights Group - Biometric passport (Score:5, Informative)
Re:Well then, (Score:1, Informative)
Re:completely ignores the point (Score:1, Informative)
I'm no fan of the new passports, but if I understand it correctly
The passports are encrypted with a bunch of information which is printed on the passport (and probably in a barcode or some other machine readable format), yes. A few different items make up a key. The RFID chip doesn't automatically spit out the encrypted information when blindly queried, but only if presented with a request derived from the key data. So, it's not like you arbitrarily query passports in people's bags and crack the encrypted response later, because it won't respond if you don't know the key. And guessing that key to get the data would involve you sitting next to the passport for a Long Time.
This key allows someone on a desk with visual access (and barcode reader or mag swipe) to the passport to query it by presenting the right key and thereby "verify" the passport with the info on the RFID.
Now it should be relatively (for clever crypto people) simple given this that someone can copy the passport (it would surprise me that the data was not signed by some PKI though) as they already know what the key is.
So anyway, that's why the key is based on printed info, and why you cannot read arbitrary passports without seeing them to get the key fields.
That's all down to my (incomplete) understanding of it based on watching a film with one of these crypto guys and some googling afterwards.
a simple way to correct cluelessness (Score:3, Informative)
I think it's time someone cloned his passport and got busted importing drugs or weaponry or child porn or similar while on that passport. Hell, he's probably got a diplomatic passport == no search. Pure gold to anyone wanting to move anything *really* profitable.
Tinfoil (Score:2, Informative)
BRB, I'm making a tinfoil hat for my passport, so it matches mine.
Re:Shielding? (Score:3, Informative)
Google is your friend.
http://www.google.com/search?q=passport+faraday+c
- Roach
Re:RFID is absolutely TERRIBLE for security (Score:4, Informative)
1) Simple RFID chips that can be scanned and read by anyone
2) Contactless smart cards (ISO 14443 etc), with crypto
Both use the same frequency band and similar hardware, but they are different beasts: one has crypto and the other doth not.
Identity information can be put on a contactless smart card but depending on how it is implemented (hopefully securely) you probably will NEED A KEY otherwise the crypto will prevent access. Take a wireless payment card or credit card (#2 category) for example. You can't just read/dump the bank account numbers on it. There is a crypto protecting the data.
On the other hand, Walmart uses the non-crypto RFID chips. Yes you can just read the info on them, there is no encryption.
So when you say "RFID is terrible for personal security" you're right, RFID (#1 above) is completely inappropriate for privacy. But contactless smart cards (#2 above) are totally appropriate, and the passports use #2.
Re:huh? (Score:3, Informative)
The technology used (Score:4, Informative)
Many people here seem to make claims on RFID security without knowledge of the technology actually used. I have done some research on the subject so I think I can give some pointers. Details about the technology can be found at ICAO's web page [icao.int] and a short presentation on the subject by Jacobs/Wichers Schreur [utwente.nl].
The communication between the passport and the reader is encrypted using information in the Machine Readable Zone at the bottom of the passport. This is the basic way to authorize passport reading. The MRZ-information is generated from the information of the passport holder and random numbers. If a bad numbering scheme [whatthehack.org] is used, breaking the encryption is quite possible. If large enough random numbers are used, breaking the encryption with brute force is currently not practical.
The authentication is done using public key cryptography. Currently only Passive Authentication is mandatory, but Active Authentication is supported and it is mandatory when fingerprint information is contained in the passport. With only Passive Authentication cloning of an MRZ-compromised passport is easy, but with Active Authentication it should be unfeasibly difficult.
Reading and cloning a European RFID passport which is using all available security measures (like the e-passports in Finland) is not as trivial as many people here seem to think. As long as there are no backdoors in the cryptography (e.g. for the intelligence agencies) I think the technology is quite sound. Not using all available cryptography is just a bad choice by the government issuing the passports.
The scheme in TFA is nothing new and nothing revolutionary. If you have physical access to a passport with only Passive Authentication cloning is trivial, as pointed out in TFA. This is actually how the technology was designed to work. Maybe the design is bad, but that is hardly a big surprise, since the technology is a compromise between many organizations and governments. When someone clones a passport which has Active Authentication, then that is real news.
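Added example, not part of the thread: the comment above says the reader's access key comes from the Machine Readable Zone and is only as strong as the numbering scheme behind it. The sketch below derives the Basic Access Control key seed as specified in ICAO Doc 9303 and estimates the key space for two numbering assumptions; the specimen MRZ fields are the ones used in the ICAO worked example, and the candidate counts passed to `key_space_bits` are constructed assumptions.

```python
import hashlib
import math

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; A-Z map to 10..35, '<' to 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch in "0123456789":
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character: {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Document number, date of birth and date of expiry, each followed by its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)

def bac_key_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    return hashlib.sha1(info).digest()[:16]

def derive_key(seed: bytes, counter: int) -> bytes:
    """counter 1 = encryption key, 2 = MAC key (3DES parity adjustment omitted)."""
    return hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()[:16]

def key_space_bits(doc_numbers: int, birth_days: int, expiry_days: int) -> float:
    """Effective key entropy in bits when each MRZ field is narrowed to N candidates."""
    return math.log2(doc_numbers * birth_days * expiry_days)

if __name__ == "__main__":
    # Specimen fields from the ICAO Doc 9303 worked example.
    seed = bac_key_seed("L898902C", "690806", "940623")
    print("K_seed:", seed.hex().upper())
    print("K_enc :", derive_key(seed, 1).hex().upper())
    # Constructed assumptions: random 9-character numbers, 100 years of birth
    # dates, 10 years of expiry dates ...
    print("random numbering    : %.1f bits" % key_space_bits(36**9, 36525, 3652))
    # ... versus sequential numbers tied to the issue date, age known to a year.
    print("sequential numbering: %.1f bits" % key_space_bits(1000, 365, 30))
```

The nominal two-key 3DES strength is 112 bits, but the effective strength is whatever `key_space_bits` returns, which is why issuers are advised to use random, non-sequential document numbers.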
Re:Then why put it on? (Score:3, Informative)
Apply for a bank account/credit card... identity theft stuff. A passport is prime ID. I believe you can do as much with it as with a birth certificate (probably more since you cannot use a birth certificate to get back into the U.S. by air and soon by ground as well). In fact, I wouldn't doubt that you could order a duplicate birth certificate with it... or maybe go to a social security office with it and claim you lost your SSN card and would like to know the number. You could probably cause a lot of problems. Or if you were a terrorist from say Iran, you could fake a U.S. citizenship and get into the country without a hassle. Theft of someone's identity is very serious.
And if they mess up the systems dealing with passports when they become required for all entries to the U.S. including ground entry from Mexico and Canada (and they *will* be required, it was just delayed for a year for ground crossings) there could be a HUGE impact. They are America's two biggest trading partners accounting for something like half of all foreign trade (Canada is the U.S.'s biggest trading partner... Mexico I believe is a close second and maybe soon to pass the Canadians). What if, for example, the trucks all of a sudden couldn't roll across the border because the drivers' passports were messed up (in either direction by the way... what American driver is going to want to leave if he/she can't get back in)?
Re:Such ID numbers already exist (Score:3, Informative)
Re:Well then, (Score:2, Informative)
I *believe* that the RFID chip won't actually respond with the encrypted data unless presented with a request which has (some function of) the key information. Which means you can't just get in the info and brute force it later - you have to brute force the key *live* whilst the passport is there to get it to respond. And the RFID tag (deliberately) takes some time to respond, making it rather difficult to get the info in any reasonable timeframe.
Anyway, that's the impression I got by doing some googling