Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Hackers Clone E-Passport 185

mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"
This discussion has been archived. No new comments can be posted.

Hackers Clone E-Passport

Comments Filter:
  • by hkgroove ( 791170 ) on Thursday August 03, 2006 @10:04AM (#15839291) Homepage
    But this unfortunately is not going to stop the governments from wasting money on them.
  • Re:I've got one (Score:3, Insightful)

    by HugePedlar ( 900427 ) on Thursday August 03, 2006 @10:09AM (#15839323) Homepage
    Shit. I was planning on doing the same thing. Might as well not bother now.

    It both scares and infuriates me that my government wants to roll out a vastly more insecure (and expensive!) system than that which already exists, while proclaiming the opposite. Seriously, how the hell is this allowed to happen??
  • What's more... (Score:5, Insightful)

    by vain gloria ( 831093 ) on Thursday August 03, 2006 @10:12AM (#15839358) Homepage
    But this unfortunately is not going to stop the governments from wasting money on them.

    Our money.
  • Re:I've got one (Score:3, Insightful)

    by PunkOfLinux ( 870955 ) <mewshi@mewshi.com> on Thursday August 03, 2006 @10:12AM (#15839368) Homepage
    simple - RFID is a buzzword. Politicians and PHB's like buzzwords!
  • Wait wait wait... (Score:3, Insightful)

    by MoneyT ( 548795 ) on Thursday August 03, 2006 @10:22AM (#15839455) Journal
    you mean data can be copied? Holy fuck! Stop the presses and halt the manufacturing this is clearly useless because data can be copied. Seriously why is this a big deal? Was it any real suprise that data could be cloned? The purpose at least as far as I understand it is an additional measure of security, not the only measure. Yes, if you only go off the chip, you're screwed, but hey, that's why you don't only go off the chip. No one is saying this will stop forgeries, just that it will make it more difficult. It's one more thing that needs to be done and done right which means it's one more way to possibly catch a forgery. Surely no one thinks the new coloring on new money is going to stop forgery but it will hopefuly make it more difficult and time consuming. Is the coloring worthless because forgery can still happen?
  • by plover ( 150551 ) * on Thursday August 03, 2006 @10:22AM (#15839457) Homepage Journal
    The weakness happens if the inspector examines only the paper copy and relies on the electronic copy to perform the security checks in the background. That's likely to become a common occurance -- look at the passport, scan the passport, chat with the guy asking if he's here on business or holiday, wait for a green "OK" screen in the corner of your eye, and wave him through. It'll happen a hundred times a day, and the inspectors will make mistakes.

    Probably the better question is "will the bad guys be willing to risk trying this?" No doubt there'll be an endless stream of stolen passport data available on line from crooked hotel clerks -- skimmed e-passport RFID data will be the next hot hacker item for sale.

  • by MobyDisk ( 75490 ) on Thursday August 03, 2006 @10:24AM (#15839470) Homepage
    After reading this article, the RFID thing isn't nearly as bad as I thought.

    1) They aren't eliminating the physical passports. So all the physical protections (watermarking) still apply.
    2) They are shielding the passports so they can't be remotely read.
    3) You need to send a cryptographic key which makes it even more difficult to read remotely (although I don't understand how this works).
    4) They are hard to tamper with because of the hashes (assuming they are good hashes, this is comparable to watermarks).

    Having said that, I'm not sure why the RFID thing is even useful. A bar code would be simpler, although no more or less tamper proof. And there are existing machines which can read passports by scanning them and OCRing. They are very reliable since passports use high-quality printed text with the characters in known fonts and positions.
  • Specs here (Score:5, Insightful)

    by hughk ( 248126 ) on Thursday August 03, 2006 @10:29AM (#15839519) Journal
    You can find a copy of the specs on the ICAO website [icao.int].

    It doesn't give away a lot, it doesn't have to. A passport must be inspectable by anyone so the spec on how to read it must be pretty much public. There is an (optional) electronic signature mechanism, but this predicates an international public key infrastructure. The bank where I work has enough problems getting one of those together, let alone an international organisation. PKI is very hard. Google for references on this.

    Key compromise means that all issues documents are then compromised. Can you imagine a country recalling all its passports?

  • by Moraelin ( 679338 ) on Thursday August 03, 2006 @10:33AM (#15839557) Journal
    Step 1: Figure out how to clone Passport
    Step 2: Figure out how to alter clone
    Step 3: ???
    Step 4: Profit!

    Let's just say that the same applies then to forging a digitally signed document:

    1. copy the document
    2. figure out how to change it while hashing to the same digital signature
    3. ???
    4. profit

    Yes, but see, step 1 is a non-achievement there. Step 2 is the real issue. _That_ what digital signatures really prevent. Seeing some idiot come up and say "ha ha, digital signatures are useless, because I just copied a CD that had a digitally signed file on it" would just tell me that the poor idiot is completely clueless and doesn't even know what he's talking about. It wasn't step 1 that was supposed to be made harder by those signatures, it was step 2 all along. Wake me up when you achieve that.

    Same applies here.

    Copying a RFID chip verbatim is a non-issue and non-achievement. It's like copying a floppy or a CD. _Of_ _course_ it can be copied, and only a complete ignoramus would make that their grand achievement.

    Wake me up when you can actually change the data. And for that matter when the plan is less retarded than hoping that noone will look in the pass _and_ that they'll let you scan a building pass together with / instead of the passport. It's such a "cunning" plan that only Baldrick of Black Adder fame could honestly think it "cunning".
  • Well that's fucking secure - chalk up another one for security through stupidity.

    Ya know, there is not a thing that Homeland Security has done that has made us more secure. Even the one or two instances where they actually tracked down a terrorist cell instead of wasting government money on vacations and useless Katrina relief trailers could easily have been done by the individual agencies themselves.

    It's almost difficult to fathom what anyone that requires this shit is thinking. There is no evaulation of technology, and a complete lack of understanding of security. Unfortunately, those that make the decisions often disregard for political reasons the constant cries of the actual technology folks in those agencies that actually point out these flaws. Unfortunately, their cries fall on deaf ears (although, a big thanks for not giving up the good fight). But politics outweighs information, and RFID gets put into passports, despite the overwhelming evidence that they are a very bad idea.

    Almost all of this is politically motivated now, in one of two avenues - to "appear" to be taking some action to protect security, or in an effort to more easily collect information on anyone that steps foot one into this country - be ye citizen or visitor.

    Checks and balances, being the glory of the past but just about dead now, make sure that these unilateral decisions can be made without any oversite. And with Bush just giving himself more power [theonion.com] (a parody, but eerily poignant) there is no end in site to this stupidity.

  • by rs232 ( 849320 ) on Thursday August 03, 2006 @10:39AM (#15839608)
    "Seriously why is this a big deal? .. as far as I understand it is an additional measure of security, not the only measure", MoneyT

    Allow me to explain it to you. The move to e-passports was so as you couldn't counterfeited them like the paper ones. One of the measures required, if not the primary one is the ability to not be cloned. Thats why they call them e-passports

    "his grand achievement is... what? That that a fellow called John Smith could thus make a fake passport that still says John Smith?", Moraelin

    No, that a follow called Osama could pass through an airport if it used electronic scanning. Or as the article mentions an electronic device could be activated when 'John Smith' opened his passport.

    The same lack of thought seems to have gone into fingerprint scanning. As this article [diva-portal.org] demonstrates it is possible to forge these as you leave your prints all over the place.
  • by Yvanhoe ( 564877 ) on Thursday August 03, 2006 @10:44AM (#15839639) Journal
    Well, would you take the risk to leave copies of your passport in the wild ? Here is how to use a copied passport : Find someone of your size with a beard. Taint your hairs, use lens for the color of your eyes, stop shaving, get used to be called 'Gunter'.

    Photos are anything but secure. I wouldn't even trust fingerprints for anything serious.
  • by davidwr ( 791652 ) on Thursday August 03, 2006 @10:47AM (#15839666) Homepage Journal
    In order to be "secure" against fakery a passport, or any document should:

    1) Have an digital signature of all the data, or at least a signature of a strong one-way hash.
    2) Have a means to verify the signature, and that the signer's key hasn't been repudiated.
    3) Have a means to verify the hash is legit, i.e. rehash the data on the spot.
    4) Have a means to verify the data in question matches the printed version of the document, e.g. a computer screen that shows the digitized picture and the other data that should be on the printed document. A human, or perhaps a computer, can then compare that with the actual document.

    Steps 1, 2, and 3 are at the heart of any digitally-signature-validation scheme. Step #4 will detect misuse, as someone using a cloned passport will "look" the same as someone using a stolen-but-legitimate one to the checker.

    An alternative, where bandwidth is available, is to have the document-issuing authority validate the document: Upload the document to the authority, and have it send back a "valid" or "not valid" response. This is essentially what happens with credit cards: the name, card #, and expiration date are passed on to the bank or the bank's agent, and the merchant gets back a code saying "card is valid," "card not valid," or one of several other codes such as "card reported stolen/missing."

    There are still 2 problems with this approach:
    1) The identical twin or look-alike problem.
    2) Privacy issues if passport data is compromised.

    The twin problem is mitigated by the digitized version of the handwritten signature, a fingerprint, notation of scars, or other items which look-alikes are less likely to share. Privacy issues are in principle no more than they are today with stolen passports, ASSUMING no information that is not on the printed passport finds its way to the embedded electronic data. However, electronic data is much easier to deliver to fraudsters than paper data, and passport theives aren't likely to spend the time typing or scanning in data from a paper passport. The best cure for this is to encrypt the data.

    RFID is not required for a secure document. All RFID does is make the data easier to read, which is good for those who want to read the passports without contact them, be they freind or foe. Hmm, maybe someone should invent an RFID tag with an "on" switch.
  • by MikeRT ( 947531 ) on Thursday August 03, 2006 @10:49AM (#15839687)
    An insecure, RFID-driven passport is the perfect thing for making it too dangerous for Americans to travel safely abroad. If an American had one of these in Lebanon, Hezbollah could walk through a public place with a RFID reader and discretely find some good targets of hostage-taking opportunity. It'd be easier for the Chinese police, for example, to track American visitors.

    Don't go abroad! Don't see the world except through the lens of CNNABCCBSNBCFOXNPR! That's how the political class wants it. A population that is scared to travel is a population that can't as easily see the world on its own and make its own decisions.
  • by davidwr ( 791652 ) on Thursday August 03, 2006 @10:49AM (#15839688) Homepage Journal
    I'm not even an expert in the field, but an RFID tag with an "on" switch seems pretty obvious. Just put the switch between the antenna and the rest of the device. It can be either a traditional on-off switch or a pressure-sensitive "off when not pressed" switch. Imagine an RFID-enabled passport that ONLY broadcasts when someone was holding down the "broadcast" switch.
  • by CreatureComfort ( 741652 ) * on Thursday August 03, 2006 @10:56AM (#15839742)

    Now in three sentences, that is far-fetching, but if it was released day after day in news report, I am confident you could turn the majority of US opinion against any country in the world.

    Too late. The majority of US opinion is already against every country in the world, "Freedom" fries anyone? The only exceptions to this are a few countries like England and Australia, which most Americans think of a funny sidekicks to Uncle Sam, as long as they know their place and don't start getting uppity. Or countries like Sweden, Norway, etc. who most Americans never think of at all, and would never remember if asked to name all the countries in the world.

    There is one exception that does prove your rule though... the US itself. Just look at the idiocy, promoted day-after-day in the media, being perpetrated by the American govt. and all you get is angry comments, from the general public, to the effect of "why does the NYT hate America?"

  • by alienmole ( 15522 ) on Thursday August 03, 2006 @11:09AM (#15839843)
    Having said that, I'm not sure why the RFID thing is even useful.
    Government agencies. Shiny new people-tracking technology. Huge tax-funded budgets don't spend themselves, people!
  • by SyncNine ( 532248 ) on Thursday August 03, 2006 @11:12AM (#15839868)
    OK, seriously. You sound like George Bush. Just stop talking.

    Let me explain this as simple as possible so that I'm sure that we're all on the same page:
    Someone can duplicate the DATA on a passport and NOT edit it, and you say 'OMFGZ OSAMA BIN LADEN ROFLOL'.
    Give the Osama argument a rest.

    Let us play out this scenario of yours:

    Osama Bin Laden finds himself in possession of a stolen/cloned passport for one 'John Smith' of the USA.
    This passport, while stolen and cloned, is still digitally signed -- meaning that the information on it cannot be changed.
    Osama Bin Laden attempts to enter the USA with this passport.
    The electronic scanner reads 'John Smith' and provides a picture of 'John Smith'.
    Osama Bin Laden is NOT 'John Smith'.
    Osama Bin Laden is taken into custody.

    The only way that "Osama could pass through an airport if it used electronic scanning" is if he found a way to re-digitally sign the contents of the passport, OR if he could do enough facial modification that he looked like 'John Smith'.

    So, what we're saying is, if he's willing to do the plastic surgery or to spend the time to crack the RSA encryption on the contents of the RFID chip and is able to RE-digitally sign it after he edits it, he can get into the country. Gee. Sounds a lot less secure than our current method of ... uh ... looking at a piece of paper that could be edited by anyone with enough time and the holograms to make it look right.

    Or, the more likely scenario, he'll just waltz across the Mexican border because the USA doesn't seem to give a crap about the fact that thousands of people illegally cross it daily. Without passports. Or extensive facial modification.

    On to your second mention that someone could have an electronic device that activates when an RFID chip is within range:
    YIPPEE. Anyone could make an electronic device that would activate when your Chase Blink card or your FastPass or your Building Key Card is within range. THIS IS NOT NEW, NOR IS IT EXCITING OR DANGEROUS.

    Quit with the FUD posts and actually take a step back to find out that, YES, RFID passports are not perfect. YES, the concept has its inherent flaws. NO, they really aren't (yet) worse than the standard passport flaws. NO, this does not mean that you can just drop a FUD post about Osama getting into the airport because of it without any factual basis behind it, whatsoever.
  • by aplusjimages ( 939458 ) on Thursday August 03, 2006 @12:05PM (#15840261) Journal
    Just wait it out. A year from now they will see they made a mistake. Unfortunately it will be at the expense of travelers. But hey the only way politicians will listen is after the bad thing you predict will happen happens. They only wear hindsite glasses.
  • Re:Rant Rant Rant! (Score:4, Insightful)

    by mpapet ( 761907 ) on Thursday August 03, 2006 @12:59PM (#15840724) Homepage
    While I 100% agree with your first paragraph, it's just a "something must be done!" kind of response to keep the voters happy and concentrate power in DC.

    Your next couple of points should be reconsidered carefully:

    There is no evaulation of technology
    On the contrary, there is quite a bit of evaluation of technology. Only the U.S. gov't can afford to pay people to spend the time to come up with these torture tests. My current employer was very briefly involved early on in the process for the new U.S. passport and I can tell you the tests the Feds came up with are very high quality tests that have improved the technology and force companies to better comply with ISO standards.

    Please consider RFID passports as a response to the demand for *much* more international travel in even larger planes. In order to more accurately process many more people through customs at airports around the world, this is a good way to do it more efficiently.

    Finally, I believe no one is claiming they are "secure" as in magically impenetrable. They are not. And like most security systems, the critical control points of entry are probably not staffed by the "brightest and best" so the usual systemic failures will occur. Only, the wait at customs will be a little shorter and govt's will have more data (not necessarily better or higher quality!) as to who is entering when.

  • Re:What's more... (Score:2, Insightful)

    by Tekzel ( 593039 ) on Thursday August 03, 2006 @01:29PM (#15840984)
    Yeesh, some people. Get the tin foil hat off and go outside once in a while.

    Money is a representation of wealth, the goverment owns the physical you own the wealth it represents. The government takes its tithe in taxes. You are free to do what you want with YOUR share of your earnings, the government will do what it wants with ITS share of your earnings. Fact of life, and nothing new.

  • So I can't simply read the information and then brute force the key? One presumes that all somebody needs is to get their hands on one or more of these passports, figure out the key schema, and then write a program to try to crack the RFID information using the most likely keys.

    Effectively getting you what? Finger prints and photos of you that they can't use? I'm sure the governments realize this isn't the safest technology, it's not crack proof. I'm fairly certain these changes are just meant to speed up long lines in customs and make it harder to fake a passport. No more replacing the picture and viola you're someone else.

    I don't understand what the big deal is, why is this technology so flawed? What can be done with this that couldn't be done before? No, RFID triggered bombs aren't a vaild complaint, your big tourist hawaiian shirt, camera around your neck, and fat gut gives you away more than your RFID passport. Even with the data from your RFID chip, I can't see an instance where having that data would allow an attacker to do anything they couldn't do already.

    Why is everyone against RFID? Do you think it violates your privacy or is it a fear of technology being put to use? Maybe you just like idling in a queue all day while customs check's your passport...
  • by Anonymous Coward on Thursday August 03, 2006 @02:02PM (#15841256)
    It's not a waste of money if you're in the administration business.

    Say it costs $1 billion to implement a government program, but it fails outright and they scrap it after 2 years. Does the power elite profit?

    You can bet your house on it.
  • Re:What's more... (Score:3, Insightful)

    by Anonymous Coward on Thursday August 03, 2006 @02:12PM (#15841349)
    Right, so it's entirely moral and correct for government to take "their share" of my earnings and spend it on something I would never even consider authorizing in my life, for example the incarceration of peaceful individuals at home or the slaughter of peaceful individuals abroad.

    Wake up -- government is the organization holding the unique "right" to employ coercion as their means (anyone else who does so is a criminal). That is the only universal, unambigous definition of government that holds true for every government that has ever existed, and any government that could possibly exist. The voting process does not, in any way, remove the core element of coercion from government.

    Govenrment's "fair share"? Either you're a member of the power elite, or you're one of the blind followers.
  • by Anonymous Coward on Thursday August 03, 2006 @02:36PM (#15841572)
    Unfortunately, those that make the decisions often disregard for political reasons the constant cries of the actual technology folks in those agencies that actually point out these flaws.
    Beg to differ on this point. The trend nowadays is to staff the "actual technology folks in those agencies" with the vendors themselves.

Some people manage by the book, even though they don't know who wrote the book or even what book.