Researchers Find Problems With RFID Passport Cards

timothy posted about 6 years ago | from the clearly-unpossible dept.

Privacy 172

An anonymous reader writes "Researchers at the University of Washington have found that RFID tags used in two new types of border-crossing documents in the US are vulnerable to snooping and copying. The information in these tags could be copied on to another, off-the-shelf tag, which might be used to impersonate the legitimate holder of the card." You can also read the summary of the researchers' report.

nothing to worry (0)

Anonymous Coward | about 6 years ago | (#25495291)

I hear most Americans don't have a passport to begin with

Re:nothing to worry (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25495539)

Sarah Palin has one! Since 2006!

Re:nothing to worry (5, Interesting)

SL Baur (19540) | more than 5 years ago | (#25495713)

Oh yeah. Nothing to worry about. One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain. I've never been to Europe, have no planned trips there for maybe the rest of my life. Wonderful.

Another danger is that the tags can be read from as far as 150 feet away in some situations, so criminals could read them without being detected.

s/criminals/kidnappers/ which IS an issue in places I travel. Those RFID thingies shout out, "I'm an American citizen, kidnap me!".

Although the tags don't contain personal information, they could be used to track a person's movements through ongoing surveillance, they said.

See previous comment.

Though there's no reason for panic, "Our hearts should start to beat a little faster," Kohno said.

Bwahahahaha. Can I please have my paper only passport back, please? It's for my safety and think of my children.

Re:nothing to worry (5, Informative)

ettlz (639203) | more than 5 years ago | (#25495815)

One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain.

Really?! Because I thought here in the UK, one of the main stated reasons they started introducing RFID passports was to facilitate entry to the United States!

Re:nothing to worry (1)

SL Baur (19540) | more than 5 years ago | (#25495961)

Really?! Because I thought here in the UK, one of the main stated reasons they started introducing RFID passports was to facilitate entry to the United States!

Can you find a link to some reference for that and get back to me? I'll do likewise.

This announces the bloody thing, but isn't complete: http://edocket.access.gpo.gov/2005/05-21284.htm [gpo.gov]

Re:nothing to worry (0)

Anonymous Coward | more than 5 years ago | (#25496047)

http://news.zdnet.co.uk/emergingtech/0,1000000183,39284374,00.htm

UK, US, what the hell's the difference? (0)

Anonymous Coward | more than 5 years ago | (#25496481)

Seems like we in the UK just bend over and do whatever the US administration wants these days. We don't get to vote for the US leaders, but then, given the farce of the last couple of elections, it seems like the US don't either.

Re:nothing to worry (4, Insightful)

TheRaven64 (641858) | more than 5 years ago | (#25495839)

One of the main stated reasons they started introducing these things was to facilitate entry to Great Britain.

Actually, much of Europe. But talk to your government about that - they started the tit-for-tat escalating entry requirements. When someone enters the US now, they are photographed and fingerprinted, and the only reason I didn't require a biometric passport for entry last time I went was because there was a temporary visa waiver program in place for people without biometric passports.

Most of the stupid entry requirements for Americans entering other countries are due to politicians responding to pressure from their constituents complaining about being treated like criminals when they enter the USA.

Re:nothing to worry (2, Informative)

spikejnz (1393097) | more than 5 years ago | (#25496937)

You do realize that there are currently 27 countries whose citizens are not required to get visas for entry into the US, right?

http://www.travel.state.gov/visa/temp/without/without_1990.html [state.gov]

You also realize that the US required these 27 countries to comply with their intent to implement RFID enabled passports, right? Should they decide NOT to implement the passports, they faced possibly losing their visa-free status.

"...requirements under the US Visa Waiver Programme which calls for countries to roll out their Biometric Passport before 26 October 2006."

http://www.wired.com/politics/security/news/2005/05/67418?currentPage=all [wired.com]

Re:nothing to worry (1)

Hurricane78 (562437) | more than 5 years ago | (#25497423)

But who wants to go to a terrorist nation anyway? Or would you go to Iran, because they say you need no visa?

In both cases there is a high probability that you lose your laptop and maybe not even come back at all.

There, I did it. I compared the USA to Iran. Beautiful countries with good people, but evil extremistic governments that brainwash them for their own power.

Oh, and we in Europe will join you soon. By then I'll be gone to one of the new growing independent nations...

Re:nothing to worry (4, Insightful)

niiler (716140) | more than 5 years ago | (#25496013)

Are you ready for the inevitable conspiracy theory? Here it is, cooked up between my wife and myself after discussing the implications of renewing our passports shortly.

The problems are actually a feature. Let me explain. Remember how the old Soviet-bloc countries didn't like their nationals traveling because they would see how much better the rest of the world was? (Don't get me wrong, I like it here just fine.) Well, if everyone who hears about this says "I guess I won't be traveling any time soon", it effectively stops travel (usually by the intelligentsia) all the while allowing the govt to say "We have no travel restrictions on our own citizens".

Of course, all this is nonsense. Our current administration would never feign incompetence to obtain other goals. [npr.org] Yet there's plenty of other information that suggests there's no tom-foolery about this and that the incompetence is real [washingtonpost.com].

So in short, I'm not sure which it is, but the bottom line for me is that I'm waiting until the last minute in the hopes that some of the recommended features are implemented by then.

Re:nothing to worry (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25496357)

"I'm an American citizen, kidnap me!".
I'm sorry I can't let this one pass. Do you think that it's the RFID and not your face or your pretentious attitude that people will use to determine you're an American?
I think if "kidnappers" won't find the Americans "who believe they are going to be kidnapped" (yeah, only those paranoid ones) because of their RFID, they just need to look for a BIG EGO.

Re:nothing to worry (0)

Anonymous Coward | more than 5 years ago | (#25497941)

BIG EGO

Says the coward who apparently thinks that America is the only source of white faces, or that all Americans are white.

Re:nothing to worry (1)

sir_eccles (1235902) | more than 5 years ago | (#25496411)

I'm not sure why people are so worried about high tech methods of "stealing" passports when thousands of passports are physically lost and stolen every year. Check out the statistics from the past two Brits abroad reports.

http://www.fco.gov.uk/resources/en/press-release/2007/08/fco_hp_npr_070802_britsbehavab [fco.gov.uk]

http://www.fco.gov.uk/en/newsroom/latest-news/?view=PressR&id=5226726 [fco.gov.uk]

Re:nothing to worry (1)

caluml (551744) | more than 5 years ago | (#25496767)

Those RFID thingies shout out, "I'm an American citizen, kidnap me!".

Stop with the paranoia. You'll find people around the world are generally all decent people. Of course, YMMV in Iraq, Afghanistan, etc, etc

Re:nothing to worry (2, Insightful)

Spy der Mann (805235) | more than 5 years ago | (#25496925)

Stop with the paranoia. You'll find people around the world are generally all decent people. Of course, YMMV in Iraq, Afghanistan, The White House, etc, etc

There, fixed that for you.

Re:nothing to worry (1)

daem0n1x (748565) | more than 5 years ago | (#25497601)

Why would people in those countries be different from the rest of the world? I wonder if they are born with the "evil gene" or something like that.

Re:nothing to worry (2, Insightful)

coffeepriest (1227990) | more than 5 years ago | (#25497439)

Most of the places I can think of that have a problem with kidnappers would be places like the Philippines where I seriously doubt the kidnap-for-ransom groups would have RFID readers powerful enough to scan a large group of people and locate you. Besides, they won't be looking for AMERICANS, they would be looking for anyone from a developed nation because they might have money. Most of these places you would stick out like a sore thumb looking like a tourist anyway, so the RFID card isn't going to give you away any more than your appearance likely does anyhow. So, I think this fear of 'kidnappers' is overblown.

Re:nothing to worry (1)

Rick Bentley (988595) | more than 5 years ago | (#25497915)

Can I please have my paper only passport back, please?

Just put the one you have now in your microwave for a few seconds, that'll fry anything in there and you'll effectively have a paper-only one again. If they ever try to engage the RFID portion and it doesn't work just say "huh, weird". Yours won't be the only one to ever fail.

Be RFID (0)

Anonymous Coward | more than 5 years ago | (#25496561)

Be VERY RFID http://www.cafepress.com/berfid [cafepress.com]

Anonymous Coward (0)

Anonymous Coward | about 6 years ago | (#25495303)

I guess there's going to shortly be a huge market for small Faraday cages so we can carry our passports around without being identity-raped.

Re:Anonymous Coward (4, Informative)

L4t3r4lu5 (1216702) | about 6 years ago | (#25495377)

Already been done. [thinkgeek.com]

Re:Anonymous Coward (3, Informative)

will_die (586523) | more than 5 years ago | (#25495639)

Too expensive cheaper here [smartcardfocus.com].

Re:Anonymous Coward (1)

L4t3r4lu5 (1216702) | more than 5 years ago | (#25495931)

That's a card holder. We're talking about RFID passports.

How about this [thinkgeek.com] for your cards, or this [thinkgeek.com] if you like the idea, but want to keep your passport and cards in one place.

However, if you think that having all your ID in one place is a good idea, I don't think you should be on this thread.

Re:Anonymous Coward (1)

will_die (586523) | more than 5 years ago | (#25495995)

Further down on the page they have passport holders and wallets. They are comparable in price to the ones on the Thinkgeek site, excluding the stainless steel one.
Based on the photos the wallets are the same ones.

Re:Anonymous Coward (1)

thepotoo (829391) | more than 5 years ago | (#25497853)

It would be cheaper just to put the passport in the microwave, however this might be illegal. Anyone know for sure?

Re:Anonymous Coward (1)

mapkinase (958129) | more than 5 years ago | (#25496087)

Swell! And it's not done by Faraday!

Re:Anonymous Coward (1)

tRANIS (195360) | more than 5 years ago | (#25495577)

I would just hammer it

Re:Anonymous Coward (4, Interesting)

txoof (553270) | more than 5 years ago | (#25495645)

A moulding nail works great for smashing the hell out of just the RFID chip. My new AmEx came with one and I immediately crushed the hell out of it. I was thinking about doing the same to my new passport when it arrives. I decided that the plausible deniability might be a little slim for a precisely placed hole over the chip though. Perhaps another destructive method might be in order. Who knows what might happen if I accidentally stood too close to a strong microwave emitter... I hear that the microwave oven is good for drying out wet passports too.

Re:Anonymous Coward (2, Interesting)

HungryHobo (1314109) | more than 5 years ago | (#25495803)

It will be considered a mangled document. Never mind that it's also an old style passport, if the RFID tag is broken then it's considered the same as if the passport was dipped in ink or burned too badly to read.

The fun starts when you consider that RFID tags break if exposed to too strong a signal of the kind used in RFID scanners. You could build one fairly easily, stick it in your backpack and hang out or even walk through somewhere with a lot of tourists.

Re:Anonymous Coward (3, Insightful)

txoof (553270) | more than 5 years ago | (#25497111)

It will be considered a mangled document. Never mind that it's also an old style passport, if the RFID tag is broken then it's considered the same as if the passport was dipped in ink or burned too badly to read.

Having a toasted RFID chip would be much like having a gunked up, but not deliberately defaced passport number. The OCR machines are notoriously bad at reading the data at the bottom of the document. A fried, but not obviously physically damaged chip would appear to the border official as if the chip or the reader had malfunctioned. They would most likely simply input the data by hand and send you on your way. If you use a hole punch to remove the chip, it's a completely different story. Then it looks like you're up to no good. The key here is to look innocent ;)

Re:Anonymous Coward (0)

Anonymous Coward | more than 5 years ago | (#25498005)

You can just hit the chip with a hammer. They're more fragile than you might think :)

Re:Anonymous Coward (2, Insightful)

stephanruby (542433) | more than 5 years ago | (#25495845)

I could see why you'd want to do this to other people's passports, but why do it to your own? Do you enjoy being detained by airport security before/after a long flight? Do you think the American government will pay to replace your defective passport?

Re:Anonymous Coward (2, Interesting)

dyingtolive (1393037) | more than 5 years ago | (#25495981)

I think the whole point is that (omitting the mangled document thing from the other reply) it prevents anyone else from reading/stealing/monitoring your data and hopefully would just be manually read and you would be on your way.

Government Property? (1)

PolygamousRanchKid (1290638) | more than 5 years ago | (#25497461)

Well, it doesn't seem to be in the fine print of my new passport (without RFID!), but my old one states:

THIS PASSPORT IS THE PROPERTY OF THE UNITED STATES OF GOVERNMENT.

Followed by a paragraph titled:

ALTERATION OR MUTILATION OF PASSPORT

Prosecution (Title 18, U.S. Code, Section 1543), etc ...

I wonder if the new ones state: "This passport is only valid with a functioning RFID chip."

This just in (2, Insightful)

Anonymous Coward | about 6 years ago | (#25495339)

Bear shits in woods, news at 11.

Re:This just in (1)

Serenissima (1210562) | more than 5 years ago | (#25496627)

How about "This just in: DUH!?" :)

Breaking news: (4, Interesting)

cosmocain (1060326) | about 6 years ago | (#25495345)

The left hand doesn't know what the right hand is doing.

FTFA:

We show that a key anti-cloning feature proposed by the U.S. Department of Homeland Security (the tag-unique TID) remains undeployed in these cards.

Re:Breaking news: (1, Funny)

Anonymous Coward | more than 5 years ago | (#25495601)

The left hand doesn't know what the right hand is doing.

That's only cos I sat on my arm. Totally worth it btw.

Re:Breaking news: (1)

L4t3r4lu5 (1216702) | more than 5 years ago | (#25495941)

Ahhhh... "The Stranger."

Good for those who sleep on their arms.

Re:Breaking news: (1)

morgan_greywolf (835522) | more than 5 years ago | (#25496229)

Why were you so surprised that you never saw the stranger?

Re:Breaking news: (2, Funny)

GoombaTroopa (1022351) | more than 5 years ago | (#25495841)

The left hand doesn't know what the right hand is doing.

It's probably better off not knowing. ;)

(This sort of joke was inevitable)

Don't worry, once Obama becomes President... (0, Funny)

Anonymous Coward | more than 5 years ago | (#25495861)

people will no longer have the desire to do such nefarious things as clone passports. And if they do, he'll simply sit down with them and reason with them, and they will see the light and cease their evil ways. And the world will be as one, and we'll all join hands in a giant ring around the globe and sing Kumbayah as we sway back and forth.

Re:Don't worry, once Obama becomes President... (-1, Offtopic)

V!NCENT (1105021) | more than 5 years ago | (#25496001)

Obama will also cure cancer patients by just showing them his face on TV. When he gets elected, beams from the heavens shall fall upon the evil lands of Iraq and make every terrorist loyal to the righteous USA. When he pees on your shoulder you will be happy for Obama giving you the eternal life. Burning in hell shallt anyone who will be electing McCain for his white hair, which is also the color of the white rabbit. Follow the white rabbit and thou shallt be imprisoned by agent Smith, calling you "Miiiiisteeeeeerrr Anderrrrsooonn" instead of just Neo, which is your lame hacker name because you couldn't be at least a little more creative.

question to those who read the article (3, Insightful)

mapkinase (958129) | about 6 years ago | (#25495371)

Did they compare the efficiency of copying passports w/ and w/out RFID?

Re:question to those who read the article (1)

soulfury (1229120) | about 6 years ago | (#25495391)

Ah, I see. You must not be new here.

Re:question to those who read the article (1)

HungryHobo (1314109) | more than 5 years ago | (#25495567)

I'm going to guess easier to copy than traditional passports. Can you find anyone who can copy my passport in a few minutes after simply passing me on the street while my passport was inside my bag without me knowing they've obtained a copy?

Re:question to those who read the article (5, Insightful)

NoisySplatter (847631) | more than 5 years ago | (#25495957)

They still can't.

From the article:
"Although the tags don't contain personal information, they could be used to track a person's movements through ongoing surveillance..."

Considering the "passport" is the entire document and the tag itself contains no identifying information they still can't clone your passport at a distance. They could clone the tag inside it, but the process of faking your passport would still involve creating the paper hard copy. I'd say if they still have to do everything they used to and also something new then it's more secure, not less.

Of course the ability to recognize and track a person's movements through the use of RFID is still worrying, but it's no easier to fake a passport than it used to be.

Re:question to those who read the article (1)

SCHecklerX (229973) | more than 5 years ago | (#25497313)

Then what is the point of using RFID in the first place? If you need to see the actual passport anyway, why not use magstripe or barcodes? *sigh*

Re:question to those who read the article (1)

davolfman (1245316) | more than 5 years ago | (#25498045)

Magstripes decay. Neither stores data all that densely.

Re:question to those who read the article (1)

houghi (78078) | more than 5 years ago | (#25498043)

then it's more secure, not less.

That is security through obscurity. I could even argue that it has become less secure. Now people will look at the green light that will show up and when that does happen then it must be OK.
People tend to believe the machine more than they do themselves. This because they do not have to take the responsibility, but can blame somebody (or in this case something) else. A simple case of "Gee, I can not give you another seat, because the computer tells me the plane is full" even though there are only 3 people on the plane.

Re:question to those who read the article (1)

mapkinase (958129) | more than 5 years ago | (#25496063)

The only reason they copy YOUR passport is because it's easier to create an RFID passport from scratch for Joe Plumber.

They do not have to copy your conventional passport, because it's easier to create a conventional passport for Joe Plumber.

That's the comparison I am asking about. How easy is it to create a passable RFID passport compared to a passable conventional passport.

Elvis (5, Funny)

Krneki (1192201) | about 6 years ago | (#25495379)

So, if I want to be Elvis all I need is one of those new passports.

Cool.

Re:Elvis (4, Informative)

Yvanhoe (564877) | more than 5 years ago | (#25495717)

You may or may not be aware that this very hack happened with the European version of the RFID passport in September:

http://hackaday.com/2008/09/30/cloning-and-modifying-e-passports/ [hackaday.com]

By the way, the most "funny" thing I saw about RFID passports was that in Pakistan, at least one occurrence of "American passport bearer detection" has occurred in a market crowd. Fortunately, the goal was then to steal the passport, not behead the bearer.

Re:Elvis (1, Informative)

Anonymous Coward | more than 5 years ago | (#25495945)

By the way, the most "funny" thing I saw about RFID passports was that in Pakistan, at least one occurrence of "American passport bearer detection" has occurred in a market crowd. Fortunately, the goal was then to steal the passport, not behead the bearer.

Citation needed

Re:Elvis (4, Funny)

value_added (719364) | more than 5 years ago | (#25495745)

Elvis would be a good choice when registering to vote in Chicago. For border crossings, I'd recommend using Cat Stevens.

Re:Elvis (1)

morgan_greywolf (835522) | more than 5 years ago | (#25496261)

Elvis would be a good choice when registering to vote in Chicago. For border crossings, I'd recommend using Cat Stevens.

You mean Yusuf Islam [wikipedia.org]? I'm guessing not such a good idea...call me crazy...

Researchers @ Washington University invent a "Wheel" (0, Flamebait)

sc4ry4nt (1331937) | about 6 years ago | (#25495403)

Maybe researchers at Washington University should spend more time reading tech news than wasting research time and funds on proving the proven eh.

How should I respond to this? (5, Funny)

retech (1228598) | about 6 years ago | (#25495411)

  1. I am shocked!
  2. I am outraged!
  3. I am indignant!
  4. Tubes, what tubes?
  5. This is why I wrap all my important body parts in tinfoil.
  6. Why didn't we know about this sooner?
  7. If it's not on BoingBoing I don't believe it.

Please, someone in authority with intelligence tell me what to think about this. Oh.. wait... that's never going to happen is it.

Re:How should I respond to this? (0)

Anonymous Coward | more than 5 years ago | (#25495709)

no, mommy says do not feed the trolls

Re:How should I respond to this? (4, Interesting)

SharpFang (651121) | more than 5 years ago | (#25496683)

8. Shut up. This is to stop the terrorists. And you don't want to support terrorism, do you?
9. Shut up. This is to protect the children. And you don't want to support pedophilia, do you?
10. This is classified information you were not authorised to obtain. Please lay on the ground face down and place your hands on your head.

Security (2, Informative)

supernova_hq (1014429) | about 6 years ago | (#25495441)

I guess this is especially bad, considering their security! [washingtontimes.com]

And this is news? (1, Insightful)

Anonymous Coward | about 6 years ago | (#25495463)

Researchers discovered that the exact same thing that Slashdot users said would happen years ago, is happening. BREAKING NEWS.
You know, it'd be nice if one of these things actually caught us by surprise for once instead of seeing the government wanting to implement a multi-billion dollar program that is hacked before it is even designed.

Re:And this is news? (3, Insightful)

HungryHobo (1314109) | more than 5 years ago | (#25495763)

It's hard to find a large group of people more cynical than slashdot users.
If anything I'd say this proves that the cynical tend to be correct.

Does Lou Dobbs... (0)

dgun (1056422) | more than 5 years ago | (#25495523)

...know about this? Because if not, please for the love of God don't tell him.

Again (4, Interesting)

RAMMS+EIN (578166) | more than 5 years ago | (#25495535)

This is about the umpteenth time we hear about this. Somehow, I can't believe anymore that putting these chips in passports was meant to increase security. The question is...what _was_ the purpose?

Re:Again (1)

SL Baur (19540) | more than 5 years ago | (#25495739)

The question is...what _was_ the purpose?

The main stated reason was to facilitate entry of US citizens into Great Britain. It was also supposed to be "more secure".

Sigh. See my earlier post in this article how kidnapper convenient these things are.

Re:Again (4, Informative)

Yer Mum (570034) | more than 5 years ago | (#25496187)

My first reaction would be to say that you are kidding, but then this is yet another example of policy laundering.

In the UK the government said it was because it was being deployed by the US.

Basically it was a working group from the US, UK, Canada, Australia, and New Zealand which pushed it onto the ICAO and then each country was forced to grudgingly and unwillingly implement this standard which they previously pushed for.

Re:Again (1)

klui (457783) | more than 5 years ago | (#25497113)

Maybe the Chinese will do it right and just put a shoddy non-working chip into its citizens' passports. The first time when DOA is a good thing.

Re:Again (1)

SharpFang (651121) | more than 5 years ago | (#25496699)

The main stated reason of introducing RFID passports in GB was to facilitate entry of GB citizens into US.

So, bullshit.

Re:Again (3, Insightful)

DrgnDancer (137700) | more than 5 years ago | (#25497613)

I don't see the conflict here:

Step one: US and UK (and probably several other) governments get together and decide this is a good idea.
Step two: Both governments go back to their people and say "This is to facilitate entry into $otherCountry."
Step three: Both governments get the standards implemented and both get to make it look like they were just being nice and facilitating travel to $otherCountry; while at the same time getting what they actually wanted anyway.

Both governments get what they want, neither side actually lied (since, after all, travel between the two or more countries IS facilitated) and everyone is happy except for the people who realized that this was a dumb, ineffective, and potentially abusable idea in the first place.

Re:Again (1)

mrdoogee (1179081) | more than 5 years ago | (#25498527)

If I had mod points, I would have modded parent up.

Re:Again (5, Informative)

will_die (586523) | more than 5 years ago | (#25495753)

The purpose was to decrease the time it took to process a passport aka person. Bar codes can have problems being read and take more time to scan than RFIDs. In addition the RFID contains the same information you see in the passport, so that you can check that against the database and future use would allow checking the RFID stored photo with a camera scan to verify ID.

The problems mentioned here and elsewhere are that you can copy an RFID and make a duplicate of it. With a regular passport that is not really a problem, excluding privacy since they contain personal data, but the US system and others are supposed to be encrypted so you cannot get the info without the physical passport so you can get the key, because your passport is checked against the database entry and then the person doing the check is supposed to compare the computer to the passport to the holder and they should all match. In this case the problem is that these are passport cards, not regular passports, designed for people who cross the borders all the time and this will allow for quick processing with the passport card never being checked by a human; same system that you have for toll road cards.
Since these cards and also drivers licenses are not encrypted and not checked by humans an evil person could copy the card, get your PIN and then have easy access to cross the border, provided they don't have some sort of facial recognition system, being implemented, that checks your passport card against the database against the facial recognition system.

Even if they have a facial recognition system... (0)

Anonymous Coward | more than 5 years ago | (#25496295)

I see nothing that prevents Tina Fey from using Sarah Palin's passport.

Re:Again (3, Interesting)

jlarocco (851450) | more than 5 years ago | (#25495777)

This is about the umpteenth time we hear about this. Somehow, I can't believe anymore that putting these chips in passports was meant to increase security. The question is...what _was_ the purpose?

First, the article isn't talking about passports. It's talking about the new passport cards [state.gov]. It's not necessarily a given that the same RFID chip is used in both of them.

Second, passport cards aren't even required. You can get a regular passport with or without getting the card. The cards have nothing to do with extra security and everything to do with making travel between the US, Canada and Mexico more convenient.

Third, the RFID chip in regular passports isn't required either. You can get the passport, smash the chip with a hammer, and use it just like a regular old passport.

In any case, it's 100x easier to just order somebody's birth certificate, make a fake ID, and order a legit passport in their name.

Re:Again (3, Informative)

swillden (191260) | more than 5 years ago | (#25496441)

The purpose WAS to increase security, and it works just fine. What these researchers did was simple, obvious and pointless.

Sure you can copy the data from one passport to another. So what? It still contains the original photo and any other biometrics, binding it to the true owner of the passport. The data can't be altered because it's digitally-signed. Someone else can impersonate the passport holder, but only if they have the passport holder's face. As more biometrics are added, they'll also need the passport holder's fingerprints, iris -- maybe someday they'll need the passport holder's DNA.

Now, the fact that the passport might be detectable from a distance is something of an issue. US passports have foil in the cover to create a mini Faraday cage and RF-isolate the chip when the passport is closed, so for holders of US passports the solution is simple: put a rubber band around your passport to hold it closed. Holders of passports from other countries may want to cover their passport in tinfoil if they're concerned about being tracked.

Re:Again (2, Interesting)

TheP4st (1164315) | more than 5 years ago | (#25497475)

The data can't be altered because it's digitally-signed.

mmkay.. [guardian.co.uk]

Re:Again (1)

swillden (191260) | more than 5 years ago | (#25498273)

The data can't be altered because it's digitally-signed.

mmkay.. [guardian.co.uk]

That's got nothing to do with the digital signature on the data.

In order to read the data from the card, you first have to authenticate with a challenge-response protocol using a symmetric authentication key. That key is derived from data printed on the inside of the passport, the "Machine Readable Zone", or MRZ. The purpose of this authentication is to make it difficult for someone to read your passport data without your knowledge. In theory, they'd need to open your passport, grab an image of the inside page and then they could authenticate to read out the data from the chip.

The problem is that there is insufficient entropy in the MRZ, since it doesn't contain any random numbers. Because of that, with a little guesswork and some trial and error, an attacker can figure out the authentication key without seeing the MRZ.

That means that an attacker can read the data from the card -- the digitally-signed data. Being able to modify the data without invalidating the signature requires breaking either SHA-1 (with a pre-image collision) or RSA-2048. Good luck with that.

Before someone else brings it up, there was another group who discovered that at least one immigration agency (Belgium? I don't remember which) was not bothering to verify the digital signature on the data. Since they weren't, the group was able to modify the contents of a passport and get away with it. That's not a security failure in the passport, though, it's a procedural error on the part of the immigration agency. Assuming agencies implement their passport checking software correctly and validate the digital signature on the data, there is no way for an attacker to modify any of the data without detection.
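An added illustration of the point in the comment above (not part of the original thread or of any passport software): a simplified model of chip data protected by a signed hash list, showing that a byte-for-byte clone still verifies, an altered photo does not, and a checker that skips signature validation accepts the alteration. The data-group names, sample bytes and the toy RSA key (textbook RSA without padding over SHA-1, far too small to be secure) are constructed for this example.

```python
import hashlib

# Toy RSA key, constructed for this example: two Mersenne primes give a
# 216-bit modulus, large enough to hold a SHA-1 digest but NOT secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the issuer only


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def issue(groups: dict) -> dict:
    """Issuer side: hash every data group, then sign the list of hashes."""
    hashes = {name: hashlib.sha1(blob).hexdigest() for name, blob in groups.items()}
    signature = pow(digest(repr(sorted(hashes.items())).encode()), D, N)
    return {"groups": dict(groups), "hashes": hashes, "signature": signature}


def verify(chip: dict, check_signature: bool = True) -> bool:
    """Inspection side: accept only if data, hashes and signature all agree."""
    for name, blob in chip["groups"].items():
        if chip["hashes"].get(name) != hashlib.sha1(blob).hexdigest():
            return False
    if not check_signature:  # the procedural error described in the comment
        return True
    signed = digest(repr(sorted(chip["hashes"].items())).encode())
    return pow(chip["signature"], E, N) == signed


def scenarios() -> dict:
    # Constructed sample data, not taken from a real document.
    genuine = issue({"MRZ": b"P<UTOEXAMPLE<<HOLDER", "PHOTO": b"face-of-holder"})
    clone = {k: (dict(v) if isinstance(v, dict) else v) for k, v in genuine.items()}
    altered = {**clone, "groups": {**clone["groups"], "PHOTO": b"face-of-impostor"}}
    rehashed = {**altered, "hashes": {**altered["hashes"],
                "PHOTO": hashlib.sha1(b"face-of-impostor").hexdigest()}}
    return {
        "genuine": verify(genuine),
        "clone": verify(clone),        # copying does not change the signed data
        "altered": verify(altered),    # photo no longer matches its stored hash
        "rehashed": verify(rehashed),  # hashes patched, signature now mismatches
        "rehashed_unchecked": verify(rehashed, check_signature=False),
    }
```

Only the last scenario accepts modified data, and only because the signature check was switched off.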

Re:Again (1)

MrJerryNormandinSir (197432) | more than 5 years ago | (#25498341)

The day I'm required to supply my fingerprints, iris scan, and DNA to hold a passport, would be the day I uproot my family and reverse emigrate to San Miguel, Azores, Portugal. My in-laws have property that's high on a cliff overlooking the ocean there. I'm tempted to see how much they want for it. There's hot springs there so a simple geothermal generator is possible. Solar too.. The climate is very temperate. I could do Linux consulting remotely to pay the bills. The Patriot Act is anything but patriotic. I'm getting even more disgusted with the presidential election.. we don't have a viable candidate from any party. McCain is losing his mind, I don't have a good feeling about Barack.. I believe if he makes it in, history will repeat itself and Biden will end up as president in a year. Bob Barr voted for the Patriot Act so he's not getting my vote. Ralph Nader.. even though his intentions are good.. he's too old to be our nation's leader. The future of the U.S. looks bleak. RFID is too Orwellian for me. Benjamin Franklin said something like "If you sacrifice liberty for security you will have neither."

My great-grandparents emigrated to the US from Italy. My wife's parents emigrated from San Miguel. My wife and I were born in the US.

Re:Again (1)

swillden (191260) | more than 5 years ago | (#25498479)

The day I'm required to supply my fingerprints, iris scan, and DNA to hold a passport, would be the day I uproot my family and reverse emigrate to San Miguel, Azores, Portugal.

Portugal will almost certainly implement biometric requirements before the US will.

this is intentional (5, Interesting)

Anonymous Coward | more than 5 years ago | (#25495537)

Part of creating a more authoritarian society is to keep your populace under fear. To have the more knowledgeable elements of your population know just how close they are to losing their freedom due to a modern equivalent of a filing error is entirely intentional.

No-one in government/civil service wants these documents to be 100% secure. A few accidental misidentifications will keep everyone realising how powerless they are, and a few "accidental" misidentifications will be used to conveniently eliminate specific undesirables.

Summary: If you fear that your identity will be stolen now, the government is operating as intended.

Don't worry, it's all OK (1)

necromcr (836137) | more than 5 years ago | (#25495573)

.. expect deletion of this news. You never saw this article.

Three Words (1)

Dracophile (140936) | more than 5 years ago | (#25495711)

No shit, Sherlock.

Tinfoil anyone? (4, Funny)

dword (735428) | more than 5 years ago | (#25495825)

Damn it, now I have to take off my tinfoil hat and use the tinfoil to protect my RFID!

Re:Tinfoil anyone? (1)

glop (181086) | more than 5 years ago | (#25496509)

Does it actually work?
What's the frequency used for RFID chips? How thick a metal box do you need? What kind of joints does one need?
Come on guys, don't tell me I'll have to Google it!

Re:Tinfoil anyone? (1, Funny)

Anonymous Coward | more than 5 years ago | (#25496741)

This is probably just a global conspiracy, to increase tinfoil sales.

Re:Tinfoil anyone? (1)

houghi (78078) | more than 5 years ago | (#25497837)

I have made a pouch for my RFID passport. I took some tinfoil and put some duct tape on one side, a bit more than double the size of my passport in length. Double-folded it and put duct tape on the outside as well. Now it is like an envelope. Layer of duct tape, layer of tinfoil and again a layer of duct tape.

I was once asked why I did this. I told them it was because I once had problems with a passport becoming wet and unreadable, so this is to prevent that. If they would have asked about the tinfoil in the middle, I would have explained that that was because it is easier to work with that way.

The real reason is because it was fun to do and I had time, tinfoil and duct tape to spare. The fact this IS a good protection against damaging your passport is just a nice plus.

wait... (1)

nimbius (983462) | more than 5 years ago | (#25495829)

The question I'm asking right now is not "why didn't everyone just listen to me when I said it was a problem" but "does this make me a researcher too??"

frosPt 4ist?! (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#25495885)

can coonect to its readers and argued by Eric and Juliet 40,000

Quelle surprise (0)

Anonymous Coward | more than 5 years ago | (#25496027)

Yet more proof that rolling out new, unproven and only vaguely understood technology on a large scale is likely to backfire in interesting ways. Sure you can iron out the bugs later, but it means that you're not now providing the best security you know you can. The state of the art in hard-to-forge documents still is without RFID and will remain so for at least a decade.

What utter bozos decided this was a good idea, again?

Big cluestick (1)

KenRH (265139) | more than 5 years ago | (#25496045)

The persons who got the brilliant idea to put remote readable technology into passports should be hit with a cluestick the size of the Eiffel Tower.

Like it would be such a big problem to put such a card into a reader with connection points.

So what? You still need to forge the card itself (4, Interesting)

jjo (62046) | more than 5 years ago | (#25496287)

Just cloning the RFID code isn't a particularly safe way to forge a border-crossing card. With a blank RFID card carrying cloned data you are running the risk that the border agents will examine your bogus RFID card, see that it's not genuine, and bust you for forgery.

Even if you do a convincing forgery of the card itself, you run a risk of discovery. Using the RFID data as an index into the government database, the border agent's computer system will pull up the photo (or other biometric data) of the genuine cardholder. If they are paying attention, they will see that you are not the right person, and bust you for forgery.

Also, each RFID passport card comes with a foil-lined sleeve that protects it from both physical damage and RFID skimming. I always keep mine in the sleeve when not in use. If others do the same, this vulnerability will be restricted to places where the cards are used, i.e., border crossings. Lurking around border crossings to clone RFID data seems like another risky strategy.

Re:So what? You still need to forge the card itsel (0)

Anonymous Coward | more than 5 years ago | (#25497229)

If they are paying attention, they will see that you are not the right person, and bust you for forgery.

And therein lies the problem.

Re:So what? You still need to forge the card itsel (0)

Anonymous Coward | more than 5 years ago | (#25498127)

The RFID passport cards may come with a foil sleeve, but the RFID passports themselves do not. Mine got accidentally left in a hot car in the middle of summer for 5-6 hours (before I even got my hands on it! Apparently, you aren't supposed to let it get above 80 F for very long...), then some heavy textbooks were accidentally dropped on it, and it may have got accidentally bent... and I still got one of those RFID-resistant passport things since I needed one anyways and actually wrapping my passport in tinfoil didn't seem economical. Although, I helped both my siblings who have passport cards line a pocket of their wallets with foil.

once again (1, Funny)

Anonymous Coward | more than 5 years ago | (#25496363)

I work with Motorola Canopy gear to bring people broadband to remote areas using RF. It's amazing how simple it is to steal some of our stream, access people's "radios" and routers and so on...

I guess if the global government wants to put a definitive leash on us, they'll have to pursue other avenues.

otherwise - I can't wait to hack my RF brain chip!

Quick! (2, Informative)

BigBadBus (653823) | more than 5 years ago | (#25496403)

Someone call the Mythbusters! Oh, someone did? Darn.

anti-static bag (1)

pseudorand (603231) | more than 5 years ago | (#25498053)

Would keeping my passport in an anti-static bag that computer parts come with prevent it from being read? And does anyone know where I can get an RFID reader cheap? (cuz I don't trust the /. crowd to really know the answer to the first question.)

Also, what anti-copying technology could they possibly be talking about? It seems to me that unless the RFID chips have evolved into active things that actually read some transmitted data, decrypt it (proving you have the secret key without revealing the secret key) and send it back, RFID couldn't possibly be anything more than a bar code that doesn't require line-of-sight. 'splain it to me, Lucy.
