Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×

Hackers Clone E-Passport 185

Posted by timothy
from the thank-heavens-for-black-hat dept.
mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"
This discussion has been archived. No new comments can be posted.

Hackers Clone E-Passport

Comments Filter:
  • I've got one (Score:5, Interesting)

    by Spad (470073) <slashdot@sCOLApad.co.uk minus caffeine> on Thursday August 03, 2006 @09:05AM (#15839297) Homepage
    I just renewed my passport, hoping to get in before the "biometric" passports became mandatory in the UK (Not that there's actually *any* biometric data on them), but sadly I've ended up with a RFID chip embedded in the back page of my new one.

    The booklet that comes with it helpfully suggests ways to damage the chip, such as microwaving it, but doing so will render the passport useless, unfortunately. Anyone know where I can get a good tinfoil wallet from?
  • by plover (150551) * on Thursday August 03, 2006 @09:07AM (#15839309) Homepage Journal
    According to TFA, in order to read the data from the passport you have to enter a key printed in the passport itself. This will at least prevent a surrepetitious cloning while sitting in an airport chair (like the guys who cloned the Mobil SpeedPass keytags.)

    Of course, that won't stop the mad bombers with their IEDs from detonating their bombs in the presense of an ePassport. The video [youtube.com] from TFA shows yet another weakness in this crappily designed (i.e. vendor driven) system.

  • According to TFA, in order to read the data from the passport you have to enter a key printed in the passport itself. This will at least prevent a surrepetitious cloning while sitting in an airport chair (like the guys who cloned the Mobil SpeedPass keytags.)

    So I can't simply read the information and then brute force the key? One presumes that all somebody needs is to get their hands on one or more of these passports, figure out the key schema, and then write a program to try to crack the RFID information using the most likely keys.

    Security of passports is nebulous at best, even without the RFID technology.

  • by Dare nMc (468959) on Thursday August 03, 2006 @09:57AM (#15839754)
    >Ah yes, so he could clone someone else's chip, if he can steal their passport, and place it on his own passport.

    Except that 2 major stated purposes of RFID in passports is nullified by his actions.

    IE:
    RFID passports are more secure/no the digital portion can be copied easier than the paper.
    RFID passports will speed customs/no the RFID download can't be trusted, without thourgh comparison to the paper.

    also Identity theft occurs within families. So if I were 18 year old George W Bush Jr, I snag W Bush Sr's passport, make a copy of the chip, return it. Unless a photo is on the RFID chip, their are only 3 differences in our passports, 1) Age, 2) a additional roman numeral (ie III instead of II) 3) SSN

    not to mention their are 3 unrelatead Jim Jones within 5 miles of my house, all within 5 years of age to me, likely at least 2 have the first 3 digits of their SSN the same as me (most SSN's issued in my home state, of simular issue dates started with number in the range of 478 to 480)
    So if I were to become a felon on Parol with a travel ban,
    1) have my name legaly changed to Jim Jones
    2) Break into Jim Jones' houses, cloan digital chip, Jim never knows.
    3) I now have 4 passable unique ID's to use anywhere I want, 1 piece of paper, 3 chips to swap.

  • Still do it. (Score:1, Interesting)

    by Anonymous Coward on Thursday August 03, 2006 @10:03AM (#15839802)
    Even though it has RFID, the ones coming in October will cost more (£93) and you will be entered into the National Identity Register (read: Be interrogated, DNA-swabbed and fingerprinted like a criminal).

    Do it now (like I will) and get RFID, or do it later and get life-long surveillance on the NIR (where a simple clerical error can ruin your life). If I ever get to the point of having to go on that database, Im leaving the country.
  • challenge-response? (Score:3, Interesting)

    by tilminator (970595) on Thursday August 03, 2006 @10:17AM (#15839901)

    Why is it so hard to implement a challange-response mechanism to avoid airing the entire passport data?

    Especially when they are going to store fingerprints /images/iris scans on the chips, I would expect the passport chip to do the matching up. (Of course, it has to legitimate itself, too.) Just imagine having to change your fingerprints because of identity theft. Americans already have a taste of this with social security numbers.

    BTW, if all you'd like to broadcast is your name and number, just print a barcode. That works perfectly fine in Chile (or Colombia? sorry).

  • by RunzWithScissors (567704) on Thursday August 03, 2006 @10:24AM (#15839955)
    Unfortunately, we've already seen that governments place a higher importance on the appearence of security rather than actual security. For direct evidence, just look at airport screening.

    I'll conceed that x-ray'ing baggage would highlight obvious weapons like knives or guns. However, as we've seen from the likes of Yousef Josef and other terrorists, people can smuggle bomb components on plains using items, such as watches, which would not be picked up by the usual airport screening proceedures. Add to that the ever so effective comparison of the name and date on my boarding pass with the name on whatever casually inspected ID I provide. Please don't even get me started on how rediculous making me take off my shoes is.

    If governments were really serious about airport security, they would adapt a model similar to the one used in Israel. Roving groups of heavily armed, well trained commandos that stop "interesting" individuals and select them for additional screening. However, this method would be too inconvienent and intrusive for travelers (Americans).

    This is the state of governmental security. To the not very determined to violate it, lay individual, it appears that there is SOME kind of security in place. With a slight bit more investigation, someone with a bit of desire can easily violate it, thereby rendering the "security" utterly useless. But hey, they have to have some way to spend our tax dollars, right?

    -Runz
  • by mack knife (96580) on Thursday August 03, 2006 @11:52AM (#15840666)
    From TFA:

    "What this person has done is neither unexpected nor really all that remarkable," Moss says. "(T)he chip is not in and of itself a silver bullet.... It's an additional means of verifying that the person who is carrying the passport is the person to whom that passport was issued by the relevant government."

    Moss also said that the United States has no plans to use fully automated inspection systems; therefore, a physical inspection of the passport against the data stored on the RFID chip would catch any discrepancies between the two.


    If the RFID passports were to used like some kind of gas card--where a traveller just waves his or her passport through a reader, gets a beep and a green light, and goes on--this news would be a problem.

    But that's not how they'll be used. There will still be an inspector checking the RFID data against the printed data, and against the physical appearance of the traveller. Like they already do now, for crying out loud.
  • Okay, so lets say a terrorist reads your passport RFID chip as you walk by, and makes a copy of the encrypted data on the chip. How does the terrorist use this to gain access to some country so he can blow himself up?

    In the USA the passport jacket will have a metal lining so that the RFID cannot be read when the passport is closed.

  • by michaelaiello (841620) on Thursday August 03, 2006 @11:54AM (#15840674) Homepage
    Little venture I started about a year ago....

    Stylish RFID blocking passport cases and wallets

    http://www.difrwear.com/ [difrwear.com]
  • by axelrue (993032) on Thursday August 03, 2006 @12:01PM (#15840733)
    In the wired-article are some fotos with a RFID-shielding device for the passport.
    I found it here https://shop.foebud.org/product_info.php/cPath/30/ products_id/130 [foebud.org] cheers, axel
  • Speaking of RFID (Score:2, Interesting)

    by I7D (682601) <ian.shook@gmai l . c om> on Thursday August 03, 2006 @12:29PM (#15840993) Homepage
    I used to set off security alarms in stores pretty much anywhere because of a RFID key for my condo. I found though, that keeping the RFID key right next to my cell (candybar) would negate the RFID signal, and I could get through stores with no alarm.
  • Re:And yet again... (Score:3, Interesting)

    by mpe (36238) on Thursday August 03, 2006 @01:27PM (#15841479)
    The addition of extra identifying characteristics to the passport system widens the skillset required to accurately produce a forgery. As few people are capable of the full range of these skills, the cost of the forgery increases and thus its value goes down.

    You can be reasonably sure that the most dangerous entities have access to these skillsets anyway.

    To create a full passport it would therefore be necessary to clone the passport itself, physically alter the appearance of the picture to match yours and ensure all the data is consistent.

    Or blackmail/bribe someone who issues passports...
  • by PingXao (153057) on Thursday August 03, 2006 @02:08PM (#15841849)
    He was planning to give a demo today at BlackHat in Vegas. Look at what they did to Skylarov for Adobe. You think they're going to sit idly by while some *gasp* foreigner shows them up? THOU SHALT NOT TAUNT THE HAPPY FUN BALL

    Seriously, I'm waiting for word that he cancelled his presentation "voluntarily" or has been arrested.

The moon is a planet just like the Earth, only it is even deader.

Working...