
Hackers Clone E-Passport 185

Posted by timothy
from the thank-heavens-for-black-hat dept.
mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"
  • This isn't news. (Score:5, Informative)

    by 4815162342 (940334) on Thursday August 03, 2006 @10:12AM (#15839357)
    While the headline sounds scary, when you examine it closer, this isn't really surprising. The ability to copy the passport is not the issue here. The key point of the technology was to have the issuing government digitally sign the information contained in the passport. This means that a forger cannot simply tip-ex out the name and put in a new one ;-) The article did not mention if the German passport contains bio-metric data. i.e. a digital copy of the photo. This combined with a digital signature of the photo would make the system very secure indeed. The passport inspector simply scans the data and compares the photo to the person standing before him. I don't see how this "hack" compromises the security of the system, except in cases where the inspecting authority misuses or misunderstands the basis of security in the system.
  • Re:I've got one (Score:5, Informative)

    by Lurker187 (127055) on Thursday August 03, 2006 @10:12AM (#15839359)
    I believe that those anti-static bags that many computer boards come in will block an RFID signal. They certainly look exactly like the bag I was given with my RFID remote toll-paying tag, and putting the tag in the bag supposedly blocks it from being read.

    (What, you don't have any old computer parts in their original anti-static bags?!? That's it, no /. for you! ;) )
  • by Moraelin (679338) on Thursday August 03, 2006 @10:13AM (#15839372) Journal
    So he cloned a passport. As in, a verbatim copy with the same name, date of birth, etc. He explicitly says that he _can't_ (at the moment) change his name, date of birth, etc, because of the hashes.

    So his grand achievement is... what? That a fellow called John Smith could thus make a fake passport that still says John Smith?

    Ah yes, so he could clone someone else's chip, if he can steal their passport, and place it on his own passport. Except now he has a passport that says John Smith and a chip that says Jane Doe. As he himself acknowledges it, it will work only if someone at the border/airport/whatever would just swipe the thing over a reader, but not bother actually reading it. And, oh, if also their scanner is broken and doesn't also read the "John Smith" printed in OCR letters on the real pass.

    It sounds like some clever hack, but frankly, then what's the improvement over just stealing a passport and using it as it is? If the condition of passing for Jane Doe instead of John Smith is hoping that they'll just swipe it over the reader and not actually look at it, then simply a stolen passport would work just as well and with far less of a hassle.

    So, basically, this is just someone's verbal masturbation, rather than some clever hack.
  • Re:I've got one (Score:3, Informative)

    by Spad (470073) <slashdot@NOsPam.spad.co.uk> on Thursday August 03, 2006 @10:13AM (#15839379) Homepage
    Get it done anyway - come October the price of a renewal goes up to cover the costs of the RFID system.
  • by undef (682662) on Thursday August 03, 2006 @10:18AM (#15839420)
    Safe from surreptitious cloning? Big deal. You routinely hand over your passport at hotels, etc... while in Europe.
  • by Tweekster (949766) on Thursday August 03, 2006 @10:18AM (#15839426)
    Do you think it's hard to snag someone's passport?

    How about a pickpocket at the airport, they can even turn it in to the lost and found afterwards. Suddenly being John Smith isn't that bad now...

    and secondly, gee I really wonder if the people at the border are gonna be lazy and not bother to check but simply swipe it.... oh wait they are lazy and will do exactly that!

    As for the need to steal a passport right now to do this...wait a week, I'm sure someone will figure out how to take this one step further.
  • Re:Well... (Score:1, Informative)

    by Anonymous Coward on Thursday August 03, 2006 @10:36AM (#15839582)
    I think Israeli citizens are still numero uno on the terrorist hit lists.

    And thanks to "poodle" Blair, UK citizens are not a very distant third.

  • by Yvanhoe (564877) on Thursday August 03, 2006 @10:37AM (#15839597) Journal
    Don't German security consultants also specialize in building super-bunkers for Islamic terror states like Iran?

    And now they've compromised the future US passport as well?

    3 words to describe this -

    state sponsored terrorism.


    I know you are humorous. But you are insightful in your humor. See how easy it is to put something against anyone in the "war on terror"? Now in three sentences, that is far-fetched, but if it was released day after day in news reports, I am confident you could turn the majority of US opinion against any country in the world.
  • Re:I've got one (Score:5, Informative)

    by plantman-the-womb-st (776722) on Thursday August 03, 2006 @10:49AM (#15839679)
    Nope, the keys for my marina are RFID and I tested this very thing. The machine read the card as usual.
  • by Anonymous Coward on Thursday August 03, 2006 @10:50AM (#15839699)
    They've got passport cases, wallets, and wallet inserts that block RFID and other electromagnetic signals. Emvelope.com [emvelope.com]
  • Re:I've got one (Score:5, Informative)

    by chownrus (957727) on Thursday August 03, 2006 @10:53AM (#15839718)
    I think this will meet your needs: http://www.emvelope.com/products [emvelope.com]
  • by davidwr (791652) on Thursday August 03, 2006 @11:00AM (#15839780) Homepage Journal
    Apparently, the US Government will be doing exactly this - they have hashes to prevent altering the data and human inspectors to prevent data mismatch.

    Still, is RFID that's activatable without human intervention really necessary? I say no.

    Is lack of encryption irresponsible? I say yes.
  • by Anonymous Coward on Thursday August 03, 2006 @11:43AM (#15840102)
    The German passports do not employ the optional active authentication standard as specified by ICAO. Active authentication means that there is a private key within the passport. This private key can be used in a challenge-response authentication of the passport chip. The public key itself is stored in a data group on the passport, which is protected against alteration in the same way the biometric data is protected against alteration (a digital signature from the state).

    Nobody seems bothered to even *look* at the ICAO specifications, including 100% of the previous responses on e-Passports on slashdot. Why the hell should politicians even bother with citizens if not even the technological top 1% takes an interest?

    http://www.icao.int/mrtd/download/documents/TR-PKI%20mrtds%20ICC%20read-only%20access%20v1_1.pdf [icao.int]

    Check out chapter 2.3.2, 3.2.2, Annex D, Annex G.1.2
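
Added illustration, not part of the thread or of the ICAO documents: a model of the two checks the comments above describe, the state's signature over the stored data and the optional challenge-response against a private key held in the chip, showing which one a bit-for-bit copy passes. It assumes textbook RSA over fixed Mersenne primes (no padding, not secure) and hypothetical field names (`holder`, `photo`, `aa_pub`) rather than the real data-group encoding.

```python
import hashlib, secrets

def keypair(p, q, e=65537):        # textbook RSA: no padding, illustration only
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

def blob(files):                   # canonical byte string the state signs
    return b"|".join(k.encode() + b"=" + v for k, v in sorted(files.items()))

class Chip:
    def __init__(self, files, state_sig, aa_priv=None):
        self.files, self.state_sig, self._aa_priv = dict(files), state_sig, aa_priv
    def read(self):                # everything any reader, or copier, can obtain
        return dict(self.files), self.state_sig
    def respond(self, challenge):  # the private key never leaves the chip
        return sign(self._aa_priv, challenge) if self._aa_priv else 0

def inspect(chip, state_pub, require_aa):
    files, state_sig = chip.read()
    if not verify(state_pub, blob(files), state_sig):
        return "rejected: data altered"
    if require_aa:
        challenge = secrets.token_bytes(8)          # fresh per inspection
        aa_pub = tuple(int(x) for x in files["aa_pub"].split(b","))
        if not verify(aa_pub, challenge, chip.respond(challenge)):
            return "rejected: chip is a copy"
    return "accepted"

def run_cases():
    state_pub, state_priv = keypair(2**127 - 1, 2**107 - 1)   # constructed keys
    chip_pub, chip_priv = keypair(2**89 - 1, 2**61 - 1)
    files = {"holder": b"SMITH<<JOHN", "photo": b"<jpeg bytes>",
             "aa_pub": b"%d,%d" % chip_pub}                  # constructed sample data
    genuine = Chip(files, sign(state_priv, blob(files)), chip_priv)
    copy = Chip(*genuine.read())                              # bit-for-bit copy, no key
    edited = Chip({**files, "holder": b"DOE<<JANE"}, genuine.state_sig)
    return {"genuine, AA": inspect(genuine, state_pub, True),
            "copy, passive only": inspect(copy, state_pub, False),
            "copy, AA": inspect(copy, state_pub, True),
            "edited data": inspect(edited, state_pub, False)}

if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(f"{case}: {verdict}")
```

The signature check alone stops edited data but accepts the copy; only the challenge-response step tells the copy from the original chip.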
  • Re:I've got one (Score:4, Informative)

    by Lurker187 (127055) on Thursday August 03, 2006 @11:52AM (#15840167)
    Excellent detective work, thanks!

    I checked online with my state issuing authority (Maryland, US) for my toll-paying RFID tag, and I was able to request online that they send me 4 (the limit) free "read-prevention bags". This may only be of use to those in the northeastern US, but if any toll collector in your area uses a similar device, you might be able to find a bag easily.
  • by njdj (458173) on Thursday August 03, 2006 @12:30PM (#15840489)

    Renew your passport at a consulate overseas. Incidentally, this is also much quicker than renewing it in the UK (typically takes 2 weeks). The only snags are the obvious ones that you need to stay out of the UK for long enough to get your new passport, and you need an overseas address (maybe a friend's).

    I would not advise trying the obvious trick of just mailing your old passport to a friend in country X with all the forms, and asking them to post them to the consulate as though you were in X, then post the passport back to you when it arrives at their address. Cross-border postal mail is checked more often than most people realize, and I have heard of cases where identity documents have been removed.

  • Re:I've got one (Score:5, Informative)

    by lga (172042) on Thursday August 03, 2006 @12:59PM (#15840725) Homepage Journal

    The RFID chip is only the first step.

    The current chip contains a scanned photo. Future passports will be issued with an ID card which means going to an enrolment centre to get your iris and finger prints scanned and entering all your details into the national identity register. The iris scan may or may not be included in the passport RFID chip and the fingerprints won't be at first.

    The price of passports will go up [theregister.co.uk] from 51 pounds to 66 pounds in October (they were only 42 pounds last year!) to cover the costs and may rise again when ID cards start being issued.

    Anyone who wants to avoid the National Identity Register should join the renew for freedom [renewforfreedom.org] campaign and renew their passport early. It is too late to avoid the biometric passport with RFID, but you will stay off of the NIR and will not have to provide fingerprints and iris scans in person. It will cost you 51 pounds but may well be worth it to avoid having to tell the Identity and Passport service every time you move house.

  • by SyncNine (532248) on Thursday August 03, 2006 @01:04PM (#15840778)
    Leisure is not really the proper term for this.

    The type of brute force cracking you mention would take years and years of CPU power. The following blurb is an excerpt about this type of encryption and the amount of time required to crack it:

    Doing the math, you can see that using the same method that was used to break 40-bit encryption in a week, it would take about 72 million weeks (about 1.4 million years) to even break '56-bit medium' encryption and significantly longer than the age of the universe to crack a 128-bit key. Of course the argument is that computers will keep getting faster, about doubling in power every 18 months. That is true, but even when computers are a million times faster than they are now (about 20 years from now if they double in speed every year), it would then still take about 6 thousand, trillion years, which is about a million times longer than the Earth has been around. Plus, simply upgrading to 129-bit encryption would take twice as long, and 130-bit would take twice as long again. As you can see, it's far easier for the encryption to keep well ahead of the technology in this case. Simply put, 128-bit encryption is totally secure.

    Brute force cracking isn't like sitting at a desk trying new passwords over and over again. There is no rhyme or reason to the encryption key, unlike passwords and other similar (human created) ciphers. This type of encryption was created specifically so that there would be so many combinations that it would NOT be feasible to do a 'brute force' attempt.

    Of course, seeing as how you posted as AC, I'm sure you were aware at the time that you were just talking out of your ass.
  • by statusbar (314703) <jeffk@statusbar.com> on Thursday August 03, 2006 @01:43PM (#15841102) Homepage Journal
    Don't worry, soon you will need a passport to come to Canada and Mexico [nationalledger.com], and eventually you will probably need one for inter-state travel as well.

    --jeffk++
