E-Passport Cloned In Five Minutes 259
Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to
clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."
At least they can publish this... (Score:5, Interesting)
Thanks to a software he himself has developed, called RFdump, he downloads the passport's data onto his computer and then onto a blank chip.
How long would it take for some 3 letter agency to show up at their door in the US?
Could someone address the points raised? (Score:1, Interesting)
2. If the passport page contains anything useful, how easy or difficult will it be to get hold of this information? Can you stand next to someone in a queue and scan the passport in their carry bag, or do you actually need to hold it close? My ID card at work has an RFID chip, that works only at about 4cm.
3. Is it correct that forging RFID passports will be more difficult? Obviously, if you used to have to manufacture a passport or switch a picture, and you now need to _both_ do that _and_ insert or change an RFID chip, then that raises the bar. So the followups to this question are;
3a. Will passport controls be replaced by RFID scans, or in addition to? I would hardly think the former, but please inform.
3b. Is it possible to change the information on an RFID chip without actually having physical access to the circuitry? As in, are there read/write scanners so you can avoid having to manufacture a chip and replacing it in a passport?
If the answers to these are no, difficult, yes, in addition to and no/no, then I can certainly see it providing additional security. And vica versa. Someone in the know?
Re:This is all FUD (Score:2, Interesting)
Not when it's in my pocket.
I can't believe how juicy this is. Imagine being able to get your dirty fingers on the theft prevention system at the doors or a department store. Just a slight modification of the frequency and code, and let the harvesting begin.
And the problem is... (Score:3, Interesting)
Cheers,
-b.
Re:RFID is not for security (Score:3, Interesting)
Before the goons come to get me!! I'll say I know NOTHING about these new passports beyond what's on slashdot. I got no expertise in RFID beyond looking at it. A good security system should have something in place to prevent this sort of "cloning" attack... you'd hope like hell that somebody's thought about this!!! and they don't just send the goons to cover it up.. after all, that's the new policy for scientific reports now... and has been the policy for security reports since 9/11.
Shielding? (Score:1, Interesting)
How about a switch (Score:2, Interesting)
I can't imagine it being that hard in theory, although divising a reliable and rugged switch may be a bit more challenging.
Still, I bet it could be done, and it pretty much eliminates all the concerns about people reading the chip without your permission.
Re:Open Rights Group - Biometric passport (Score:3, Interesting)
There is a huge difference, I keep posting this but nobody seems to get the point: the walmart RFID chips have zero crypto, but the passport, payment cards have a ton of crypto. You can't just dump their contents
The government calls them contactless smart cards because that is what they are, of course the media and everyone else uses the blanket term "RFID" to refer to all of it and works themselves up into a frenzy while not understanding the characteristics of the technology.
Re:Well then, (Score:4, Interesting)
But isn't the whole point of a secure passport to secure the identity of an individual? If the identity is not secure, we may as well not waste the time or money.
Re:RFID is absolutely TERRIBLE for security (Score:4, Interesting)
The fun thing is that the moment the standard was created, everyone said that this is going to be a field day for the press when the first researcher figures out that the keys are so weak. The day has arrived
In reality the issue is blown out of proportion: the epassport is not that much of a privacy issue. Tourists can be spotted by a mile away by simply the way that they look and walk, and the smart tourist will leave the passport in the hotel safe anyway, carrying only a photocopy with him. You are in far more trouble if your passport gets stolen than if it gets copied: if you do not have your passport, dealing with any authorities in a strange country is going to be a problem, whereas if your passport gets copied, you still have the original.
Also, forging a passport is no easier than before - in fact, getting the digital and the physical passport data to match becomes a lot harder with the epassports. Reading something does not mean you can change it and write it back, as surely is well understood by anyone familiar with digital signatures.
Can I zap it? (Score:4, Interesting)
Couldn't one kill the RFID chip by putting the passport in a microwave oven for a minute?
I can't imagine the rubber-stamper at immigration control not letting me through because he can't read my RFID tag... I'm sure a good percentage of non-zapped passports would fail to scan for one reason or another. If enough people did it, then they justn wouldn't be able to rely on them, period.
Re:Well then, (Score:5, Interesting)
It's a common failure that occurs in these scenarios.
As part of my research on driver's licensing issues, when states added photos to driver's licenses (starting in the late 60's) the word "fraud" never entered the picture. Driver's licenses were essentially fraud free documents before the photographs were added--so it really never entered anyone's mind that things would change once the document became more powerful/useful/trusted.
Re:Can I zap it? (Score:5, Interesting)
You make the invalid assumption that people at immigration desks are reasonable people - they are *not*. Some of them are little Hitlers with bad attitude, and the ones who aren't have their hands tied by the law - they have no discretion at all. If the law says you can't enter without a working chip, the immigration officer (even the world's friendliest and most reasonable one) has no choice but to deport you. Just as they would deport you if your passport photo was mutilated.
(I'll make one exception for the little Hitlers - one notable aberration is Houston's immigration desks - those people are polite and make you feel welcome to the United States - truly refreshing to get to an immigration desk where it isn't just stony faces and demands to see that you have a return plane ticket. I frequently travel through Houston and they've always had good people there. Dallas Ft.Worth on the other hand - I will never travel through that airport again).
Re:RFID is absolutely TERRIBLE for security (Score:3, Interesting)
The problems with passports can be much more subtle, so I wouldn't count on the fact that adding the same data in RFID mode didn't do anything else than just have some redundancy to prevent reading errors.
A little tale from my experience: We were flying to Brasil from Lisboa with a flight that was first landing in Natal, and then flying to Recife. For some reason we never spotted an immigration office. I don't know if we were supposed to step out in Natal, get immigration stamps in the passport and then go back to the plane (the flight from Natal to Recife was domestic, because new passengers were boarding to Recife), or if we were supposed to look for immigration at Recife Airport. We didn't, and nobody seemed to care. When we were trying to leave Brasil three weeks later, the officer at border control pointed out that we were missing the immigration stamps. We were argueing, telling the story, he was insisting on immigration stamps. In the end he just pointed us to the gate, telling us "Nao entrada, nao saida" (No entrance, no exit), meaning "You have never been here, and you have never left."
A similar occurrence was when I was cycling with a group through the then still existing Czechoslovakia. We entered through the polish-slovakian border, and everyone got his passport stamped. We were leaving a week later through the czech-german border, and the officials were just stamping the list of all members of the group. A few weeks later I was again with the bicycle in Czechoslovakia, and I got controlled by the normal police about 30 km from the border, and the police got suspicious with me because I had two immigration stamps, but no exit stamp. So looking from the papers I had entered twice without leaving once. The patrol took me to the office, and then they phoned around for 1 1/2 hours, before just setting me free around midnight, when the train I was planning to take to Prague had just left.
What I am trying to say: Whenever some inconsistencies come up with your passport, they aren't migitated by having RFID chips somewhere. No one actually cares about this type of redundancy. Immigration officers are humans only, and errors will occur, and most of them will not be solved by looking at RFID chips, but in the end by reluctance of the powers in charge to press any further because it is late, because they don't want hassle or because it's easier to pretend nothing had happened. Given U.S. immigration procedures it will probably solved by just handing persons like me to indefinite detention without access to legal counsel. Because Electronics is always right, and if not, lock up everyone not hiding fast enough.
The most important question (Score:2, Interesting)
If they have a range of one or more feet, so that somebody can scan my passport from across the room, then I really see a big privacy and security problem.
If, on the other hand, they have a range of one inch or less, then I don't see any reason of concern: if scanning my passport requires roughly the same effort as stealing it, and also if by scanning it one obtains the same information (d.o.b., height, picture, etc.) that he would have obtained by stealing it, where's the problem here?
Re:RFID is absolutely TERRIBLE for security (Score:3, Interesting)
For whatever reason, this brought to mind part of one of Laurie Anderson's song/stories from her "The Ugly One with the Jewels" album:
Re:Tin foil hats, everyone (Score:3, Interesting)
My point was really that (here in the UK at least, so I don't expect you to realise it) the ID cards are always pushed by the government as the way to make us all more secure against terrorism. It will save us all, you see. It's the primary reason for introducing the scheme. Never mind that most experts (inc. the police and MI5, iirc) disagree - and you, as someone living in an ID card carrying country, seem to disagree too.
Oh yay, you certainly know how to sell me on the benefits of having an ID card! :-) I think I speak for many people when I say that being able to identify my charred body via an ID card is not top of my priorities.
Er, got a source for that assertion?
Ah. So no, then.
That's 'probably' why the UK govt keeps refusing to give an estimate of how much the ID card system would cost.
A lot of the resistance, as well as a dislike for the general concept/system, is merely that it won't improve anything, so why waste billions of pounds of UK taxpayers' money implementing it?