Hackers Clone E-Passport 185
mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"
I've got one (Score:5, Interesting)
The booklet that comes with it helpfully suggests ways to damage the chip, such as microwaving it, but doing so will render the passport useless, unfortunately. Anyone know where I can get a good tinfoil wallet from?
At least it won't work for a drive-by cloning (Score:5, Interesting)
Of course, that won't stop the mad bombers with their IEDs from detonating their bombs in the presense of an ePassport. The video [youtube.com] from TFA shows yet another weakness in this crappily designed (i.e. vendor driven) system.
Re:At least it won't work for a drive-by cloning (Score:3, Interesting)
So I can't simply read the information and then brute force the key? One presumes that all somebody needs is to get their hands on one or more of these passports, figure out the key schema, and then write a program to try to crack the RFID information using the most likely keys.
Security of passports is nebulous at best, even without the RFID technology.
Re:And this helps... how? (Score:5, Interesting)
Except that 2 major stated purposes of RFID in passports is nullified by his actions.
IE:
RFID passports are more secure/no the digital portion can be copied easier than the paper.
RFID passports will speed customs/no the RFID download can't be trusted, without thourgh comparison to the paper.
also Identity theft occurs within families. So if I were 18 year old George W Bush Jr, I snag W Bush Sr's passport, make a copy of the chip, return it. Unless a photo is on the RFID chip, their are only 3 differences in our passports, 1) Age, 2) a additional roman numeral (ie III instead of II) 3) SSN
not to mention their are 3 unrelatead Jim Jones within 5 miles of my house, all within 5 years of age to me, likely at least 2 have the first 3 digits of their SSN the same as me (most SSN's issued in my home state, of simular issue dates started with number in the range of 478 to 480)
So if I were to become a felon on Parol with a travel ban,
1) have my name legaly changed to Jim Jones
2) Break into Jim Jones' houses, cloan digital chip, Jim never knows.
3) I now have 4 passable unique ID's to use anywhere I want, 1 piece of paper, 3 chips to swap.
Still do it. (Score:1, Interesting)
Do it now (like I will) and get RFID, or do it later and get life-long surveillance on the NIR (where a simple clerical error can ruin your life). If I ever get to the point of having to go on that database, Im leaving the country.
challenge-response? (Score:3, Interesting)
Why is it so hard to implement a challange-response mechanism to avoid airing the entire passport data?
Especially when they are going to store fingerprints /images/iris scans on the chips, I would expect the passport chip to do the matching up. (Of course, it has to legitimate itself, too.) Just imagine having to change your fingerprints because of identity theft. Americans already have a taste of this with social security numbers.
BTW, if all you'd like to broadcast is your name and number, just print a barcode. That works perfectly fine in Chile (or Colombia? sorry).
Security, shmecurity. (Score:4, Interesting)
I'll conceed that x-ray'ing baggage would highlight obvious weapons like knives or guns. However, as we've seen from the likes of Yousef Josef and other terrorists, people can smuggle bomb components on plains using items, such as watches, which would not be picked up by the usual airport screening proceedures. Add to that the ever so effective comparison of the name and date on my boarding pass with the name on whatever casually inspected ID I provide. Please don't even get me started on how rediculous making me take off my shoes is.
If governments were really serious about airport security, they would adapt a model similar to the one used in Israel. Roving groups of heavily armed, well trained commandos that stop "interesting" individuals and select them for additional screening. However, this method would be too inconvienent and intrusive for travelers (Americans).
This is the state of governmental security. To the not very determined to violate it, lay individual, it appears that there is SOME kind of security in place. With a slight bit more investigation, someone with a bit of desire can easily violate it, thereby rendering the "security" utterly useless. But hey, they have to have some way to spend our tax dollars, right?
-Runz
Not new, unexpected, or problematic. (Score:2, Interesting)
"What this person has done is neither unexpected nor really all that remarkable," Moss says. "(T)he chip is not in and of itself a silver bullet.... It's an additional means of verifying that the person who is carrying the passport is the person to whom that passport was issued by the relevant government."
Moss also said that the United States has no plans to use fully automated inspection systems; therefore, a physical inspection of the passport against the data stored on the RFID chip would catch any discrepancies between the two.
If the RFID passports were to used like some kind of gas card--where a traveller just waves his or her passport through a reader, gets a beep and a green light, and goes on--this news would be a problem.
But that's not how they'll be used. There will still be an inspector checking the RFID data against the printed data, and against the physical appearance of the traveller. Like they already do now, for crying out loud.
So they can copy the encrypted data, so what? (Score:4, Interesting)
In the USA the passport jacket will have a metal lining so that the RFID cannot be read when the passport is closed.
RFID Blocking Passport Cases (Score:2, Interesting)
Stylish RFID blocking passport cases and wallets
http://www.difrwear.com/ [difrwear.com]
That nice RFID-shielding-device (Score:2, Interesting)
I found it here https://shop.foebud.org/product_info.php/cPath/30
Speaking of RFID (Score:2, Interesting)
Re:And yet again... (Score:3, Interesting)
You can be reasonably sure that the most dangerous entities have access to these skillsets anyway.
To create a full passport it would therefore be necessary to clone the passport itself, physically alter the appearance of the picture to match yours and ensure all the data is consistent.
Or blackmail/bribe someone who issues passports...
Has Grunwald been arrested yet? (Score:3, Interesting)
Seriously, I'm waiting for word that he cancelled his presentation "voluntarily" or has been arrested.