Chipped Passport Cloned In Minutes

Death Metal Maniac writes "New microchip passports designed to be foolproof against identity theft failed the test when a researcher was able to manipulate one in minutes. The cloned passports were accepted as genuine by the computer software recommended for use at international airports. According to the article: 'A computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.'"

Re:Um, well...

[Fred_A]

Hasn't this been known for a long time ?

Some extra security could be added to the chips (proper key signing IIRC) but never is. Everybody knows about this but since it makes the US happy as part of their security theatre, nobody cares.

Re:Um, well...

[TheLink]

It's mostly theatre. Bad people get valid passports too.

Only in a few cases are those passports revoked.

Summary doesn't mention digital signing

[Wanderer2]

The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it.

The researcher replaced the digital signatures on the passports with ones of his own creation when altering the photographs... if the equipment used to test had actually compared the digital signatures to those on file, it would have immediately spotted the tampering. Problem is most countries aren't sharing their signatures yet, making those checks impotent. For now, at least (and not saying there aren't other vulnerabilities).

Take a hammer to it...

[pha7boy]

see, that's why you should take a hammer to that sucker. And when the border guard asks you what happened... say that you sat on it :)

Re:Electronic voting's cousin?

[stainlesssteelpat]

I got one of these new fandangled passports a few years ago when I went to Japan, got fingerprinted electronicly at customs and thought nothing of it, with all the post 9/11 sentiment it sucks but i can't see it going away now. Anyway point is I'm an ex chef (still part time while at uni), so when I flew into newark to go visit my girlfriends parents with her in Fargo I get hustled into an interview room. I thought it was on account of being heavily tattoed and having dreadlocks and being under 30. Anyway, I get grilled by this mean assed gentlemen from customs about how I got this passport. Turns out the damage done to my hands over the course of two years, meant that thier software didn't match the biometric that Japanese customs had put on there. Got sorted out eventually, 2 hours nearly missed my connection from JFK. Was more bemused than anything, US customs don't get Aussie humour thats for sure.

Less than adequate summary.

[FlyingBishop]

The article says that the problem is that the public keys to the chips aren't being used. Every country maintains their own database of public keys used to identify the passwords. The databases aren't all properly set up to synchronize, so the system must accept all chips from countries that have not synchronized, basically rendering the encryption moot if you know which countries haven't authenticated properly. So the chip itself hasn't been cracked, it's more a question of the international passport encryption network being worthless. Even if everyone was synchronizing properly, such a system sounds highly vulnerable to a cache poisoning attack of some sort.

Re:Take a hammer to it...

[maztuhblastah]

Unfortunately, microwaving it is likely to cause combustion, either of the chip itself and/or of the material around it.
I'm sure /. can come up with some other ideas for disabling these little bastards. As a privacy geek stuck in an increasingly totalitarian country, I'd love to hear 'em....

Bigger problem

[Coraon]

If memory serves can't the US confiscate anything that contains digital data at their border, therefore couldn't they now just take your passport and never give it back. That could prove to be a issue. Imagine, your going from Canada to the US, you present your passport to the US customs, they take it and then tell you "Nope not allowed in, you don't have your passport." You try to go back into Canada and then they say "We would let you in but since you don't have your passport your stuck, eh?"

Papers, bitte.

[monkeyboythom]

I have to say the more we rely on "foolproof" technology, the more we rely on fools to operate the machinery.

I have to admit the Germans had it nearly right. Almost nothing beat the steely-eyed glare of a Hauptsturmführer asking for your passport -- unless of course you have a John Williams musical score swelling in the background, and even then it would be a life changing, tension filled 2 minutes of your life going by you.

Re: countries not sharing signatures...

[Jaws]

Actually, all country trust roots (not _signatures_) end up in an international database, and terminals SHOULD check that passports are signed by one of those. The "hack" does not work for this reason (and relevant countries' terminals do check, even if the standard-testing software does not).

FYI, country certs are also published on human-readable pages, such as these:

http://www.bsi.bund.de/english/topics/csca/index.htm [bsi.bund.de]
http://www.bmi.gv.at/csca/startseite.asp [bmi.gv.at]

So hypothetically, you could collect these (they won't be changed more than once every few years) and perform your own verification.

Re:"Can't find ass with both hands" comes to mind.

[cdrguru]

The problem is that the people we are trying to defend against have no fear of punishment. It is a fairly well-known axiom that you can't stop an assassin that is willing to die to accomplish their mission. What we have is a group of people that are absolutely willing to die to accomplish their missions. Tough job to defend against that.

We could take the attitude that their victims are just a cost of doing business. Folks in the US are incredibly willing to take casualties that are due to accidents, misfortune and so-called "acts of God." However, for the most part people in the US are incredibly vengeful when faced with casualties due to incompetence and deliberate acts.

This can be seen by the response to 40,000 highway fatalities each year vs. the five or so people that died because of the Tylenol tampering. Could the highway deaths be prevented or reduced? Maybe, but the general feeling is that these are not intentional acts or due to incompetence. So they are overlooked. The Tylenol tampering was an intentional act and resulted in vast changes to how products are made and distributed in the US.

The folks that would like us to "convert or die" - and let them have their own legal system in our country - are not being treated as something that is nobody's fault. There is clear intent there and malice. It wasn't easy or simple to change how food and drugs are packaged in the US, nor was it easy to go to the Moon. But it was done because there was a strong motivation to do it. I don't think anyone in the US is going to stand for treating terrorism as a "cost of doing business" or just stuff that happens that isn't intentional. It is intentional. It is done with malice. And the general feeling is that it isn't going to be tolerated.

Don't like it? Think we should just accept a few casualties now and then? I'd strongly suggest that you live elsewhere, somewhere where the general attitude is more in line with your feelings. It isn't going to happen anytime soon in the US.

Re:Um, well...

[hey!]

Well, a couple of years ago I worked for an outfit that was hired by a startup that was going after various pots of government money. They wanted to sell technology to the DoD for, among other things, tracking reconstruction needs and efforts in Iraq.

They didn't have any engineers, so they hired us. The application they were promising cost about 10x what they were willing to pay, so pretty much the understanding was they were getting a model -- not even really a prototype -- of what the application might do. They also built a very impressive data center, even though they didn't have a single IT pro. The conference room where they courted their guests had a large glass wall with motorized shutters that would slide up to reveal the operations center. Normally the ops center was deserted, but they had some recent college grad gofers that they dressed in spiffy uniforms and who had to spend the day in the ops center looking busy when somebody was coming to visit.

They had enough money to do it all for real, but most of that money ended up going into lobbyists, so there was only the bare minimum available to actually develop the technology they were selling. We spent months working closely with them to help them land their first contract. After that we never heard from them again; the last I heard through the brother of one of their employees was that they'd hired the military officer who'd been responsible for helping them get their first contract, although I suspect it might have been through on of the CEO's father-in-law's companies.

So, don't put me in the surprised category.

We'd also looked at going after some homeland security projects ourselves, and what we found out was that the post 9/11 years were the golden age of lobbying. You pretty much needed a lobbyist to get in on the bonanza, and since lobbyists are expensive and make their money from large contracts, those guys with their shell operations center and application pretty much had the right approach if you wanted to succeed.

Re:Um, well...

[bsDaemon]

My father was an airline pilot for years and recently retired. His opinion of the matter is that the reason TSA searches little old white grannies (and myself -- constantly. I've pretty much given up on flying because I **ALWAYS** get taggged) is that they don't WANT to find anything which they might have to deal with.

They harass pilots and take their nailclippers -- as if the captain of the plane needs nailclippers to hijack a plane that he's already in command of (mind you, there is a fire ax in the cockpit that can chop through the bulkhead).

The term the pilots use most often for it all is "political eyewash." Not that it matters, because after 911, passengers aren't just going to sit by for a hijacking ever again. The "rules" have changed. This is no longer the 1980s. Its not like the "Delta Force" movies anymore.

Racist or not, it would probably be more reasonable to search people who actually fit the known profile of like, you know, everyone who has ever hijacked a plane ever... but that might mean that the TSA people would actually have to do something. Much easier just to harass grannies from Iowa than to try and thwart "terrorism"