
Hackers Clone Passports In Driveby RFID Heist

CmdrTaco posted more than 5 years ago | from the well-not-exactly dept.

Security 251

pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.


251 comments


I feel deja vu.. from monday (3, Informative)

uncledrax (112438) | more than 5 years ago | (#26723981)

Jules Verne called, he wants his time-machine back.

Dupe story:
http://it.slashdot.org/article.pl?sid=09/02/02/2224255 [slashdot.org]

Re:I feel deja vu.. from monday (2, Funny)

zappepcs (820751) | more than 5 years ago | (#26723999)

That's how good these hackers are. Not only did they dupe a passport RFID, but they duped the news of their hack too!! Soon they will duplicate themselves and all kinds of deja vu is going to happen.

Re:I feel deja vu.. from monday (5, Funny)

Anonymous Coward | more than 5 years ago | (#26724613)

H. G. Wells called. He wants his story back.

Re:I feel deja vu.. from monday (0)

Anonymous Coward | more than 5 years ago | (#26725733)

Posted by CmdrTaco... it's not like he has any clue what goes on at Slashdot anymore...

Passport? (0, Offtopic)

Anonymous Coward | more than 5 years ago | (#26723989)

They're not real passports and nothing was cloned. Nothing new.....

Re:Passport? (1)

BrokenHalo (565198) | more than 5 years ago | (#26725861)

No. Nothing new until this is used to clone a passport that will withstand scrutiny by US Immigration officials. Now THAT will be news.

Why is this unfair? (3, Interesting)

jimwelch (309748) | more than 5 years ago | (#26723993)

The RFID is the most important part. Check the rest of the web for more info.

Re:Why is this unfair? (2, Insightful)

von_rick (944421) | more than 5 years ago | (#26724213)

True. Your computer records matching up is becoming increasingly more important than you actually showing up. A matching RFID would make things much easier.

Re:Why is this unfair? (1)

Erikderzweite (1146485) | more than 5 years ago | (#26724935)

With this technology widespread it will be so much easier for a nerd criminal to create an alibi or set somebody else up.
Hell, if we had RFID's spread a couple of years earlier, we would have a stable in-kernel version of Reiser4 now.

Re:Why is this unfair? (1)

von_rick (944421) | more than 5 years ago | (#26725189)

Carrying a passport along with you on your way to committing a crime is a pretty dumb thing to do. Reiser is a pretty slick programmer, but he was quite a dumb criminal. Tracing a RFID trail to the crime scene would've alerted the detectives of an obvious set up. But I digress.

Re:Why is this unfair? (0)

Anonymous Coward | more than 5 years ago | (#26725455)

alibi, not frame...

using RFID Reiser would have been able to get his passport RFID registered at some completely different place at the time of the murder, making it seem he was really at customs on LA-X rather than cutting up his wife into tiny pieces..

Re:Why is this unfair? (2, Interesting)

Anonymous Coward | more than 5 years ago | (#26724849)

And who really cares? Are you more worried that someone will dupe your information so that when they do "bad stuff" in the overseas country you are in you get nailed hard? Or because it is trivial for a terrorist to rig a bomb on a vehicle to detonate only when three Americans are within range? If you haven't thought that last one through it is very scary. You could plant bombs thoroughly in buses, private vehicles, trains, etc., then watch the spectacle. Random acts of violence with no bomb expert anywhere near the scene of the crime before they blow.

In the US you would likely get a coordinated response and vehicle searches to this sort of tactic, but if the devices are planted widely that can freeze transportation as every moving vehicle has to be inspected. In countries with a less coordinated response you wouldn't freeze transportation as effectively, but it would instill quite a bit of fear and having a longer lasting effect.

But no, I'm sure you're right, the only issue is being able to duplicate someone's passport.

Re:Why is this unfair? (1)

jlarocco (851450) | more than 5 years ago | (#26725655)

That's just not true. Maybe *you* should check the rest of the web for more info. [state.gov] The RFID chip only stores a database key - everything else is grabbed from the database using that key. In other words cloning somebody else's RFID is pointless because then it'll be showing the original owner's photo on the security guy's computer display. If the security guy isn't paying attention, then that's a problem with or without the RFID.

Also, the passport card isn't even required. With a regular passport you can destroy or remove the chip and use it as traditional passport. So if you're really that paranoid, skip the card, get a regular passport, destroy the chip and STFU while the rest of us enjoy the extra convenience. I really don't see why people are crying about this so much.

Re:Why is this unfair? (3, Insightful)

orclevegam (940336) | more than 5 years ago | (#26725843)

That's just not true. Maybe *you* should check the rest of the web for more info. [state.gov] The RFID chip only stores a database key - everything else is grabbed from the database using that key. In other words cloning somebody else's RFID is pointless because then it'll be showing the original owner's photo on the security guy's computer display. If the security guy isn't paying attention, then that's a problem with or without the RFID.

Ok, so instead of grabbing the RFID of the first guy that walks past, instead they wait around until they see someone that fairly closely resembles them and take that RFID instead.

Passports aren't even the biggest concern here though, it's more the move to put RFID into all manner of inappropriate items like credit cards, phones (which are then tied to credit cards), clothing (yes really, and not just for inventory tracking), and probably lots of other things we haven't thought of yet. It's one thing for them to clone your passport, it's another entirely for them to clone your credit card.

Also, the passport card isn't even required.

... yet. Pretty soon it will be mandatory, and destroying the RFID chip in your passport will invalidate the passport and earn you a full body cavity search for your trouble no doubt.

Who carries their US passport in the US? (0)

Anonymous Coward | more than 5 years ago | (#26724011)

Slim pickings methinks.

He might have better luck sitting outside the international departures terminal(s) at the airport. I'm sure he won't attract much attention there.

Re:Who carries their US passport in the US? (2, Interesting)

Clover_Kicker (20761) | more than 5 years ago | (#26724139)

Is his gear fast enough to sniff passports from cars moving at highway speeds? He could drive on public highways leading to the airport, or just sit in the parking lot of gas stations close to the airport.

Re:Who carries their US passport in the US? (1)

jrumney (197329) | more than 5 years ago | (#26724233)

Dammit, you've just ensured that next time I'm a little early to pick someone up from the airport, I'll be moved on from the nearby gas station's carpark by Homeland Security officers and forced to pay the exorbitant rates for short term airport parking instead.

Re:Who carries their US passport in the US? (1)

cbiltcliffe (186293) | more than 5 years ago | (#26724587)

DHS reads /.?

I didn't think they were that creative....

Re:Who carries their US passport in the US? (1)

dasunt (249686) | more than 5 years ago | (#26724383)

If he's traveling at highway speeds as well? I presume so, since the relative speed difference would be minor.

Re:Who carries their US passport in the US? (1)

Clover_Kicker (20761) | more than 5 years ago | (#26724617)

I was thinking more about a narrow stretch where the oncoming lanes were really close, just across the jersey barrier kind of thing. You could drive around for a day and get within range of thousands of cars, maybe 10s of thousands.

Re:Who carries their US passport in the US? (2, Informative)

Canazza (1428553) | more than 5 years ago | (#26724901)

if it's RFID then the speed of the sources shouldn't really matter all that much. You're not going to get much doppler shift on a source moving 70mph.

Re:Who carries their US passport in the US? (0)

Anonymous Coward | more than 5 years ago | (#26724981)

It's about response time of the tag, not doppler shift. If it doesn't respond fast enough you could be out of range already.

Re:Who carries their US passport in the US? (1)

thered2001 (1257950) | more than 5 years ago | (#26724265)

Depending on the range of the device, he'd just have to drive around a residential neighborhood. But how many Americans actually have passports these days?

Re:Who carries their US passport in the US? (1)

Grimbleton (1034446) | more than 5 years ago | (#26724401)

What's the point? The US has enough climate and scenic diversity from one end to the other to make leaving the US unnecessary unless there's a specific thing you want to see outside of its borders.

Re:Who carries their US passport in the US? (0)

Anonymous Coward | more than 5 years ago | (#26724743)

Yeah, nobody wants to see Aztec pyramids or Roman ruins or Greek temples or Uluru or Victoria Falls or Stonehenge or the Rose Window at Chartres, etc.

Re:Who carries their US passport in the US? (1)

Stewie241 (1035724) | more than 5 years ago | (#26724969)

I believe he covered that under: "unless there's a specific thing you want to see outside of its borders". Anyhow, many people are quite content without seeing those things, and will go their whole lives without doing so.

Re:Who carries their US passport in the US? (0)

Anonymous Coward | more than 5 years ago | (#26725285)

I can see goatse on my computer. Everything else pales in comparison.

There is a very good reason he didn't clone it. . (5, Insightful)

nehumanuscrede (624750) | more than 5 years ago | (#26724027)

Recall the man who made his own airline tickets
not all that long ago?

Recall the sh*t storm that brought about ?

Folks are learning the best way to keep the
lawyers and police off their back is to prove
the point, but don't go as far as producing any
thing illegal.

Re:There is a very good reason he didn't clone it. (5, Funny)

bytethese (1372715) | more than 5 years ago | (#26724481)

Wow, they moved on from cloning RFID tags to cloning <br> tags!

Re:There is a very good reason he didn't clone it. (1)

dwarg (1352059) | more than 5 years ago | (#26725051)

It was a poem you insensitive clod!

Bring out the T I N F O I L ! (3, Informative)

redelm (54142) | more than 5 years ago | (#26724033)

Seriously ... not tinfoil hats but around your wallet. These RFIDs seem to have greater range than advertised and that is a huge security risk for sniffing.

Some sort of Faraday Cage will block RFID, or at least their power supply. I do not know whether ferromagnetics like iron and steel are more effective than non-magnetics like aluminum.

Re:Bring out the T I N F O I L ! (3, Informative)

jo_ham (604554) | more than 5 years ago | (#26724051)

I was going to post this too. A simple solution would be to make a passport holder that blocked the RFID signals, that you could purchase if you wanted to be sure your details weren't being scanned from afar.

Re:Bring out the T I N F O I L ! (1)

SirGarlon (845873) | more than 5 years ago | (#26724199)

A simpler solution would be for the U.S. government to stop paying taxpayer money to embed RFID chips into passports. That saves money and eliminates the risks to everyone, not just the tech-savvy.

I wonder how much money the government would save if they just stopped doing everything that is stupid. (I realize that in order to do that Congress would have to agree on what constitutes stupidity, and agreeing on things ain't their strong suit. Still, I wonder how much money.)

Re:Bring out the T I N F O I L ! (1)

dotancohen (1015143) | more than 5 years ago | (#26724567)

I have such a wallet that I bought from Ebay. To test it I put my cellphone in and called it. The phone rang just like it should. Is there a better way to test the effectiveness of these wallets?

Re:Bring out the T I N F O I L ! (2, Informative)

jo_ham (604554) | more than 5 years ago | (#26724747)

A cellphone has a powered transmitter, and a boosted receiver with a specialised antenna. An RFID chip must rely solely on the radio energy it receives to power itself up and transmit back, so I'm not sure that a cellphone is an adequate test.

The signal power you're talking about for a phone is going to be so much higher, and likely at totally different frequencies.

I think the only way to test it effectively would be to see if the RFID reader at the airport still works with the wallet, assuming the person working the desk doesn't mind you testing it out.

Re:Bring out the T I N F O I L ! (2, Insightful)

miserere nobis (1332335) | more than 5 years ago | (#26725423)

...except when you pulled your passport out of the holder to use it, and got it scanned not only by the customs agent, but by the guy sitting on a chair nearby stealing your info, who knows that the airport is a great place to come and do that. Seriously, why would they think it is a good idea to put your data into a form that broadcasts over the air? There are lots of good uses for RFID, and I can't see how this is one of them.

Re:Bring out the T I N F O I L ! (3, Informative)

dlaudel (1304717) | more than 5 years ago | (#26724215)

Thinkgeek actually makes a passport holder that blocks RFID signals. http://www.thinkgeek.com/gadgets/security/910f/ [thinkgeek.com]

Re:Bring out the T I N F O I L ! (1)

MollyB (162595) | more than 5 years ago | (#26724329)

Yes, but your linked page also states

Availability: [ info ]
Out of stock. (Est. 1-3 Weeks)
[ Email me when available ]
This product is not available
for purchase at this time.

Re:Bring out the T I N F O I L ! (2, Informative)

Civil_Disobedient (261825) | more than 5 years ago | (#26724987)

Just replying to confirm that the ThinkGeek wallets DO, in fact, work as advertised. I realized this after trying to leave my office's parking lot by fruitlessly waving my newly-acquired RFID-blocking wallet (with parking pass inside) at the entry gate's sensor.

Re:Bring out the T I N F O I L ! (1)

Ioldanach (88584) | more than 5 years ago | (#26724797)

Like the one at Thinkgeek? [thinkgeek.com]

How's it unfair? (3, Informative)

jc42 (318812) | more than 5 years ago | (#26724035)

The summary clearly says:

During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said.

Anyone with even minimal English fluency would understand this as saying that he collected the data but didn't do anything with it.

We don't even need an automotive analogy, since the data was collected from one car by reading passport RFIDs in other passing cars.

Re:How's it unfair? (1)

furby076 (1461805) | more than 5 years ago | (#26725097)

Stealing data, even if the person is not going to use it for anything malicious, can still land said person in dog shit land. What he should have done was use this on his and his friends' passports. Maybe asked a few colleagues to help. But instead he collected the information of innocent bystanders. How would you feel if it was your info? How do you know this guy won't sell the information, leak it, or accidentally lose it? Now these people (hopefully they will find out it was them) will need to get new passports to be sure this guy doesn't have up-to-date info. Even worse these people may get flagged so the next time they try to board a plane they get the extra TLC from the TSA.

Re:How's it unfair? (3, Insightful)

Hyppy (74366) | more than 5 years ago | (#26725511)

I'm not sure what your definition of "stealing" is, but he certainly didn't deprive the people of their personal information.

The RFID chips in the passports are designed to spew forth their data when asked for it. You can't accuse someone of "stealing" information that they read off a billboard, which is effectively how the RFID chips in these passports work. (I said effectively, so don't go down the tired road of debating which perfect analogy fits)

Re:How's it unfair? (1)

HungryHobo (1314109) | more than 5 years ago | (#26725615)

Stealing data in this case being akin to reading a sign glued to someone's forehead.
If you write your social security number on your chest and walk around the public streets you have no right to bitch if passing researchers write it down as part of a study into how retarded it is to walk around with your SSN on your chest.
They didn't hack anything, they didn't crack any security. They read something that was being broadcast to all and sundry.

Re:How's it unfair? (1)

blueskies (525815) | more than 5 years ago | (#26725651)

I think their data was being shouted across a crowded room...unencrypted.

Maybe they shouldn't be broadcasting their data if they care about it being private?

Re:How's it unfair? (1)

Dare nMc (468959) | more than 5 years ago | (#26725867)

might land them in dog shit land, but it's not illegal in the US. IE I look at the company web page all the time to match a photo with a person's name, if you carry something that willingly broadcasts your name and photo that's your business, all these guys did was let you know that's what you're doing carrying a passport that is not held securely closed, or wrapped in a conductor.
    The FCC is the only one allowed to impose laws against wireless communications (in US), and outside the cellular bands "as long as the communication is not divulged or does not `benefit' the interceptor." [fcc.gov]

So collect all the names, photos, etc of everyone you can, business cards, etc. As long as you don't start using those in a criminal manner, you're good.

Re:How's it unfair? (0)

Anonymous Coward | more than 5 years ago | (#26725513)

This is like taking a photo of a car and claiming you can now manufacture them.

Protective Sleeve (5, Informative)

Jamie's Nightmare (1410247) | more than 5 years ago | (#26724037)

The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

Per usual, security usually fails because of the user.

Re:Protective Sleeve (2, Insightful)

clickety6 (141178) | more than 5 years ago | (#26724211)

The protective sleeve only works if you never have to open the passport.

Of course, you might want to open the passport to, say, actually use it as ID. Or maybe just to let something read the RFID chip...

Re:Protective Sleeve (0)

Anonymous Coward | more than 5 years ago | (#26724227)

The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

Didn't they already show that tinfoil hats don't work?

Re:Protective Sleeve (3, Funny)

houghi (78078) | more than 5 years ago | (#26724399)

The thing is very small. I have embedded it in a pilot's cap, that way I have an alibi that I was elsewhere when I actually am somewhere completely different. The government thinks they are smart, but I am one step ahead of them.

Be explaining more later, but there is a knock on the door.

Re:Protective Sleeve (4, Insightful)

qazwart (261667) | more than 5 years ago | (#26724495)

Making security difficult and then blaming people for its failure is no solution.

For example, computers could be much more secure if people change their passwords every month and passwords must be a string of at least 120 random letters. Except that everyone will write down their password or never log out or let their computer go to sleep. You now have your nice super-duper security protocol all set, but your computer is less secure than ever because you've made it impossible to use.

How many people will use that sleeve if you have to struggle with it every time you have to show your passport? How long will that sleeve last? How vulnerable do people understand their passport to be? Do people even understand that their passport could be read while riding in a taxi?

A better solution would be to put this "sleeve" inside the passport. The pages where the RFID chip is on should be the sleeve. When the passport is closed, the chip is protected. The chip can only be read when the passport is opened.

Of course, that's even if this type of security even works.

Changing passwords (1)

thethibs (882667) | more than 5 years ago | (#26725175)

For example, computers could be much more secure if people change their passwords every month

Really? What happens on day 32 that I need to change my password to prevent? What threat cannot be realized in a month, but can be realized in two?

The idea behind changing passwords is to have a new password before the current one can be broken by a determined attacker. The current reality is that a weak password can be broken in hours, and a strong password can't be broken in anyone's lifetime.

Changing passwords monthly (or daily for that matter) is not effective if you use weak passwords and it's not needed if you use strong passwords.

Re:Changing passwords (1)

Hyppy (74366) | more than 5 years ago | (#26725583)

If you're using a strong password that is compromised by methods other than brute-force discovery, changing it on a regular basis reduces the window in which the attacker can access the system relatively undetected.

Re:Protective Sleeve (4, Informative)

dotancohen (1015143) | more than 5 years ago | (#26724601)

The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

Per usual, security usually fails because of the user.

I don't know about the Passport Card, but the US Passport comes with no such sleeve.

Re:Protective Sleeve (0)

Anonymous Coward | more than 5 years ago | (#26725049)

neither did my UK-issued passport (Peterborough office, England, September 2008)

-1, Wrong (4, Insightful)

u38cg (607297) | more than 5 years ago | (#26724751)

Security doesn't fail because of the user; if the user is getting it wrong then it is bad security. Theoretical security is (in principle) not hard. Practical security is very hard indeed, and easy to get wrong. Is there any reason this card needs RFID as opposed to a standard credit-card style chip which requires physical contact?

Re:-1, Wrong (1)

speculatrix (678524) | more than 5 years ago | (#26725481)

a well designed security system will take typical users into account, e.g. two-factor authentication, to avoid security breaking by stupidity... but it can only mitigate some of the problems unless the user wants to cooperate with the security.

Mod parent up (0)

Anonymous Coward | more than 5 years ago | (#26725683)

Relying on the end user for security is a bad idea. It is very easy for example to overestimate the user's intelligence. In practice people often simply don't understand what security issues there are and what to do about them, even after being told of said issues. And if they do, it is often very hard to understand the implications, not just because it's hard, but also because the consequences can be out of reach of most people's imagination. This then leads to the security issue sinking on the user's priority ladder, causing the user to disregard it in favour of, say, convenience. And even if you can make them grasp all that, you've still got to remember that the end user probably comes in contact with lots more products, each of which may have something associated with them to be mindful of, security related or otherwise. Can you really expect people to juggle all that in their heads all the time? I think even highly intelligent people will unavoidably have a security lapse every now and then if you rely on them to be mindful of it all the time.

Re:Protective Sleeve (3, Interesting)

Shadow-isoHunt (1014539) | more than 5 years ago | (#26724989)

Actually the sleeve tends to make the passport stay partially open and act as a parabola, amplifying the signal from a distance.

Re:Protective Sleeve (0)

Anonymous Coward | more than 5 years ago | (#26724995)

As long as you never take the passport out of the sleeve, you're ok. This, of course, defeats the purpose of a passport, since you can't take it out and show it when travelling, but at least it's safe.

US Passports Need Ninnle Protection! (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26724065)

Only the power of Ninnle Linux can protect US passports from this type of shenanigan.

Unfair?? (1)

GerardAtJob (1245980) | more than 5 years ago | (#26724071)

Sniffing is actually a good way to get the data... it's not unfair at all... What is a shame is the RFID company that sued him... instead of working on a solution with him.

Tinfoil is the answer. Seriously! (4, Insightful)

Bearhouse (1034238) | more than 5 years ago | (#26724115)

As a very frequent traveller, (including to some fairly scary places), I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport. Works a treat. Why do this, well:

1. FTA:

Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a 'kill code' (which can wipe the card's data) and a 'lock code' that prevents the tag's data being changed.

However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.

2. What information can they get? Well, depending on the passport type, at least your picture, and sometimes your fingerprints too.
See:
http://en.wikipedia.org/wiki/Biometric_passport [wikipedia.org]

And all this while you are having a drink at a roadside café with your passport 'safely' in your pocket...

Re:Tinfoil is the answer. Seriously! (1)

LittleLebowskiUrbanA (619114) | more than 5 years ago | (#26724163)

How did you test this to make sure?

Re:The kill bit testing (2, Interesting)

Technician (215283) | more than 5 years ago | (#26724909)

How did you test this to make sure?

In a link in the old article was the full testing. In a nutshell, they cloned some Washington Drivers licenses into the same chip. Then tested sending the kill command at low power, when there is not enough power to complete the operation, the chip reports a low power command fail. After the power needed to produce low power fails and kills, it was tested on real licenses to see if the kill was enabled or protected by a PIN. It is unprotected.

Here is the info;
PDF alert http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/EPC_RFID/Gen2authentication--22Oct08a.pdf [rsa.com]

See table 4 in the PDF for the kill bit testing on Washington State Drivers Licenses.

Re:Tinfoil is the answer. Seriously! (1)

Bearhouse (1034238) | more than 5 years ago | (#26725369)

To test they can't read it? Simple, asked the guy at the airport to try and read my passport while it was still in the wallet.

Re:Tinfoil is the answer. Seriously! (1)

martijno (533960) | more than 5 years ago | (#26724181)

Well, depending on the passport type, at least your picture, and sometimes your fingerprints too. See: http://en.wikipedia.org/wiki/Biometric_passport [wikipedia.org]

US Passport card != ICAO passport

Re:Tinfoil is the answer. Seriously! (2, Interesting)

Anonymous Coward | more than 5 years ago | (#26724283)

And not only passports, I just won a fight with my credit card company (Chase) about their use of RFIDs in their new credit cards. I refused to carry them and came close to canceling the account before they finally sent me a new card without one. By that time I had two useless cards with the RFID chips in them, so I stuck them in the microwave to see what would happen. It was spectacular. A couple of seconds and they burst into flame! And to my surprise, there was an embedded loop antenna in the cards that extended most of the card's length and about half the width. Someone could have read that card from a hundred meters with even simple equipment. Oh, and the icing on the cake: every time I called about this issue they tried to sell me extra "protection" against identity theft. I think it was "only" $9 a month.

BillyDoc

Re:Tinfoil is the answer. Seriously! (0)

Anonymous Coward | more than 5 years ago | (#26724937)

RFID blocking wallet --> http://www.thinkgeek.com/gadgets/security/8cdd/

Re:Tinfoil is the answer. Seriously! (5, Informative)

swillden (191260) | more than 5 years ago | (#26725135)

I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport.

Note that you're talking about something completely different.

The US passport CARD is different from the passport BOOK which you use in international travel. The passport card only works when traveling between the US and Canada or Mexico; it's not accepted anywhere else.

If your passport BOOK is a US-issued one, you don't need the tinfoil because it's already built into the cover. Even if it weren't, the BOOK requires a cryptographic authentication using a key derived from data printed on the inside of the book, so someone has to either see the inside of your book or guess the data.

The CARD does not require cryptographic authentication and has no closeable cover.
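
The key derivation mentioned in the comment above for the passport book is the Basic Access Control scheme of ICAO Doc 9303. As an added example (not part of the comment and not code from any passport software), this Python sketch derives the access keys from the fields printed in the machine-readable zone, using the specimen values from the ICAO worked example; all function names are illustrative.

```python
"""Basic Access Control key derivation as specified in ICAO Doc 9303.

Added illustration: shows why a reader must first know the data printed
inside the passport book before the chip will answer.
"""
import hashlib

MRZ_WEIGHTS = (7, 3, 1)


def _char_value(ch):
    """Numeric value of one MRZ character (digits, A-Z, filler '<')."""
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"character {ch!r} is not valid in an MRZ field")


def check_digit(field):
    """MRZ check digit: weighted sum (7, 3, 1 repeating) modulo 10."""
    total = sum(_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number, birth_date, expiry_date):
    """Concatenate document number, birth date and expiry date (YYMMDD),
    each followed by its check digit. This string seeds the keys."""
    doc_number = doc_number.upper().ljust(9, "<")
    for name, value in (("birth_date", birth_date), ("expiry_date", expiry_date)):
        if len(value) != 6 or not value.isdigit():
            raise ValueError(f"{name} must be six digits, YYMMDD")
    return "".join(f + check_digit(f) for f in (doc_number, birth_date, expiry_date))


def _adjust_parity(key):
    """Set the low bit of every byte so each byte has odd parity (DES keys)."""
    out = bytearray()
    for b in key:
        upper = b & 0xFE
        ones = bin(upper).count("1")
        out.append(upper | (0 if ones % 2 else 1))
    return bytes(out)


def _derive(k_seed, counter):
    """Key = first 16 bytes of SHA-1(K_seed || 32-bit counter), parity-adjusted."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _adjust_parity(digest[:16])


def bac_keys(doc_number, birth_date, expiry_date):
    """Return K_seed, K_enc (3DES encryption) and K_mac (MAC) for the given
    printed fields. The chip and the reader compute these independently."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return {
        "k_seed": k_seed,
        "k_enc": _derive(k_seed, 1),
        "k_mac": _derive(k_seed, 2),
    }


if __name__ == "__main__":
    # Specimen values from the ICAO Doc 9303 worked example, not a real document.
    keys = bac_keys("L898902C", "690806", "940623")
    for name, value in keys.items():
        print(name, value.hex().upper())
    # A reader that has any printed field wrong derives unrelated keys,
    # so its authentication attempt is rejected by the chip.
    wrong = bac_keys("L898902C", "690806", "940624")
    print("keys match with wrong expiry date:", wrong["k_enc"] == keys["k_enc"])
```

The passport card discussed in the story has no such step: its tag answers any reader, which is the difference the comment draws between card and book.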

Unfair for what? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26724179)

Unfair because he didn't make a fake passport? What are the editors gonna say when he DOES make an illegal fake passport? That too is unfair because he didn't actually attempt to fly with it to prove it would pass the passport security checks?

He got the data. He can write it back into another cloned RFID chip. Good enough I say to prove the point that it can be done. No need to go further, I'm sure the gov't already wants to silence him, don't give them a good ripe excuse to do so!

People, we have tools to solve problems like this! (0)

Anonymous Coward | more than 5 years ago | (#26724183)

Bam! [thinkgeek.com] Problem solved. Nothing more to see here folks, let's move it along.

Forgery is illegal.. how is it unfair ? (3, Interesting)

brufar (926802) | more than 5 years ago | (#26724337)

Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport.

Of course he only sniffed the data and didn't make a fake passport. If merely sniffing the data proves your point, why would you subject yourself to penalties for forgery?

U.S.C. § 1543 provides:

Whoever falsely makes, forges, counterfeits, mutilates, or alters any passport or instrument purporting to be a passport, with intent that the same may be used; or

Whoever willfully and knowingly uses, or attempts to use, or furnishes to another for use any such false, forged, counterfeited, mutilated, or altered passport or instrument purporting to be a passport, or any passport validly issued which has become void by the occurrence of any condition therein prescribed invalidating the same

Shall be fined not more than $2,000 or imprisoned not more than five years, or both.

I certainly would have stopped at successfully sniffing the data. Besides, all a terrorist has to do is rig the bomb so it will automatically go off when it detects a pre-specified number of US RFID passports in the vicinity. Now, don't you feel that RFID in your passport has made you more secure?

Re:Forgery is illegal.. how is it unfair ? (1)

Hyppy (74366) | more than 5 years ago | (#26725787)

What about the "with intent that the same may be used" qualifier? Making a forgery doesn't seem to be illegal, as long as it's not used.

Security threat (4, Interesting)

grolaw (670747) | more than 5 years ago | (#26724347)

Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nations' citizens?

Re:Security threat (4, Interesting)

vlm (69642) | more than 5 years ago | (#26724623)

Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nations' citizens?

RFID passports are the ultimate tool for terrorists. You have to wonder if the government people pushing them are sleeper cell agents or something. Maybe just good ole americans but taking bribes from terrorists.

In the old days they set off IEDs using switches. Follow the wires back to their hidey hole and shoot them. End of terror threat.

Then they moved to cell phone (a most impressive "ringtone"). With some cooperation w/ the phone company, you track down the caller and shoot them (only the stupid ones of course, the smart ones smash the caller phone seconds after the callee phone goes boom and both will have clean records)

Now you just build a mine that waits for a passport RFID. No need to decode fully, just, is there a passport signal, if so kaboom. No way whatsoever to stop them anymore.

You're doing a heck of a job, american passport design department! Heck of a job stacking up american corpses I mean.

Re:Security threat (1)

powerlord (28156) | more than 5 years ago | (#26725193)

The one problem with this type of mine is that RFID requires energy.

Most RFID tags do not just actively broadcast, they are passive devices that only transmit when you hit them with a signal.

This means:
1) Your mine now needs a much bigger power source (depending on how long it needs to broadcast looking for an RFID).

2) It is BROADCASTING A SIGNAL which might make it very easy to find (once you know to look for it).

Re:Security threat (1)

NoisySplatter (847631) | more than 5 years ago | (#26725315)

Sure, the RFID enabled mine could probably be considered a terrorist's wet dream. Think about it for a bit though.

It's going to need to be inconspicuous and run off of battery power. Because of these requirements the antenna is going to be less than optimal and it won't have much power at its disposal. If you compensate and let it draw lots of power it won't have much run time.

It's also going to need a logic package to analyze the signal it's getting back from the tags and determine if the situation is explosion worthy. This also needs power, further decreasing the run time.

You will never get the components back in the event of a successful detonation, so there's the cost factor of the ingredients. Every time one is used that's going to be a few hundred dollars of equipment going with it.

Basically, it would be way easier to keep using the current method with human observation. The RFID bomb is too impractical.

The biggest risk is not cloning (2, Interesting)

chrisarn (613220) | more than 5 years ago | (#26724355)

But the fact that you could use this technique to drive around and look for American citizens. Maybe combined with triangulation and there is your kidnap victim...

Re:The biggest risk is not cloning (1)

kdubb1 (930778) | more than 5 years ago | (#26724415)

You don't need triangulation; for RFID to work you have to be somewhat close. Add to that the ability to access the holder's picture (which is apparently possible) and now you are fairly close to the person with a high quality image of their face. Shouldn't be too hard to find them.

Re:The biggest risk is not cloning (0)

Anonymous Coward | more than 5 years ago | (#26724681)

It's simpler than that. You don't need a specific photo. Just look for the one wearing a baseball cap, a jogging suit and crocs.

Proof of concept though (0)

Anonymous Coward | more than 5 years ago | (#26724387)

Even if he didn't go all out making a passport (which would get him in a world of trouble), he showed proof of concept for getting the data and how simple it was to do so.

If I build this device and go sit outside an airport, I won't pick up most passports due to the RFID chips being "blocked". I don't think that's hard to imagine. But if I'm looking to steal data, all I need is that 1% (or less) to have their RFID passport "open".

I understand the want of the RFID chip in a passport. The guard can easily scan it and pull up all relevant data he needs on me. But there still needs to be a second verification of some sort in place.

It's important to remember, no security is flawless. We can just do the best job we can with the tools we've got.

recycle (1)

daxia (543981) | more than 5 years ago | (#26724439)

Just use one of those innocuous bags or envelopes that hard drives and PC boards come in. They block the signals pretty well since they block static electricity, they'll block the signal as well. Unless the "cruiser" uses a signal strong enough to penetrate, which would mean that it would probably be detrimental to the person holding the passport, too, it might give them away. (As if the giant power supply wouldn't.)

Re:recycle (1)

Muad'Dave (255648) | more than 5 years ago | (#26724687)

Probably not. They're only slightly conductive (it doesn't take much to drain off static), and do not represent an effective Faraday shield or bulk attenuator.

European Union Passports (1)

miknix (1047580) | more than 5 years ago | (#26724503)

The new standardized EU passports have digital biometric information on them too. Although I don't think it is RFID.

Last time I used my passport, I had to specifically show the first page (where my photo is) faced down to the reader. Other page/orientation combinations didn't work.

So I think they read the information by infra-red. I didn't Google, it's only a guess.

Re:European Union Passports (1)

Muad'Dave (255648) | more than 5 years ago | (#26724865)

The reason you had to show the first page was because the security key to read biometric data from the chip is in the additional characters tacked onto the Machine Readable Zone [wikipedia.org] line with your name.

The encoding of the tag data is spelled out in ICAO Doc 9303, Parts I, II, III, which used to be downloadable. Now you have to buy them. Humm....

More details (3, Interesting)

Muad'Dave (255648) | more than 5 years ago | (#26724629)

The information he read was from an EPC Class1 Gen2 [epcglobalinc.org] encoded UHF tag. It was encoded as a Global Document Type Identifier (GDTI-96) [epcglobalinc.org]. The Company Prefix is 0893599002, and the Document Type is 1. The serial numbers of the documents are there, but I'm not going to post them. I don't have access to the GS1 [gs1us.org] Company Prefix database, and it's not searchable here [gs1.org]. Anyone else have those mappings?

It is trivial to program an arbitrary tag ID into a blank Gen2 tag - I do it all the time wrt DOD-encoded tags.

Why do passports need RFID? (5, Interesting)

Logical Zebra (1423045) | more than 5 years ago | (#26724677)

What is the point in putting RFID into passports other than to make them easier targets for cracking?

Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense [wikipedia.org]? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.

Re:Why do passports need RFID? (4, Informative)

swillden (191260) | more than 5 years ago | (#26725253)

Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense [wikipedia.org]? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.

The chips in passport books (not cards) ARE the same sort of device that's in the CAC. The old CAC cards are contact-only, which doesn't work well for a passport book because it would be difficult to build a reader. The CACs are being replaced by PIV cards which are dual-interface (contact and contactless).

Other than the contact vs RF interface, though, these so-called RFIDs in passport books (not cards) are exactly the same sort of technology as CAC cards. The chips have plenty of storage and provide cryptographic authentication capabilities.

It appears that a different, longer-range technology with no cryptographic authentication requirements was used for the passport cards.

Don't get one. Get a passport book. It costs a little more, but it can be used for visiting countries other than Canada and Mexico, and it doesn't have these security issues.

A politician needs to consult an engineer (2, Interesting)

Demonantis (1340557) | more than 5 years ago | (#26724695)

The SIM cards used in cellular phones use an algorithm to confirm identity. The network will transmit a number that is then manipulated to form a new number by the phone. The number is transmitted and compared to what the network was expecting from the individual the phone is claiming to be. If they match then the person is who they say they are. The algorithm is impossible to duplicate without having the SIM card and brute forcing to find the algorithm (still next to impossible). The credit card industry is now introducing this because it makes it impossible for someone sniffing the data transferred to use it productively.

Re:A politician needs to consult an engineer (1)

Erikderzweite (1146485) | more than 5 years ago | (#26725577)

I also heard there are bombs which react to people's brainwaves. Now if one of THOSE is deployed, it will be very scary.

Probably nothing to worry about if you are of US origin though. And to disarm a high-sensitive version you can always call George W. Bush and tell him there are salty crackers inside -- chances are, he'll break it in no time.

San Francisco? (1)

fulldecent (598482) | more than 5 years ago | (#26724817)

If you want results, try it in Washington DC.

It's not about the passport data. (1)

Animaether (411575) | more than 5 years ago | (#26724851)

I don't think that Mr. Paget was trying to make a point for "hey, look, Passport data!" at all. In fact, he states in his video himself that all he got were the unique IDs for the RFID, which have a prefix which indicates whether it is, say, a passport.

What I got from his video - and which is a perfectly valid argument against RFID *in general* - is that he now -has- that unique ID. Presumably, you are the only one with your (passport) ID. Next up, link that to an RFID scanned at the very same time.. except this time it's just some grocery store's RFID. It doesn't come with encryption up the wazoo - why would it.. it's just for you to get grocery 'discounts' and for them to know wtf a person may be buying throughout periods of time. But instead of a store ID that correlates to name data somewhere in their database, they decided to just store the name right on the card itself.

Now you have a name to go with the ID from the passport. Congratulations, you can now track not just an ID, but a person.

Yes, I know, you're still 'only tracking that one RFID chip', and sure.. it could be on somebody else's person. Again, though, with a (passport) ID - how likely is that?

EPIC FAIL, Taco (1)

Rogerborg (306625) | more than 5 years ago | (#26724889)

Proof once again that the "editors" don't even read Slashdot any more [slashdot.org]. Dupe from yesterday, Taco. Yesterday.

Proof of concept is enough (2, Insightful)

thethibs (882667) | more than 5 years ago | (#26724979)

Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport

Perhaps he wanted to avoid going to jail? This is a case where it's sufficient to show that a forgery is possible, without breaking the law and actually doing it.

Story title (0)

Anonymous Coward | more than 5 years ago | (#26725025)

Why make up a story title whose claims are unsupported by TFA? Nothing was 'cloned' here. And the 'cloning' that is mentioned in the summary refers to the RFID chip, not the passport as a whole. Does Taco not understand the difference, or does he see his role as editor in making stuff up? Neither possibility is very flattering, IMO.

Re:Story title (2, Informative)

Technician (215283) | more than 5 years ago | (#26725267)

Why make up a story title whose claims are unsupported by TFA? Nothing was 'cloned' here.

The cloned chip article is here;

http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/EPC_RFID/Gen2authentication--22Oct08a.pdf [rsa.com]

It was on passport and Washington driver's license chips.

*US Passport Cards*, not real passports (2, Informative)

lobsterturd (620980) | more than 5 years ago | (#26725689)

It's absolutely worth noting this is about cloning US Passport Cards, which are completely useless outside the US, not real passports.

Passport Cards use a simple RFID system (EPC) where the chip simply spits its ID number out.

Passports, on the other hand, require a reader to authenticate by passing a hash of (passport number, date of birth, date of expiry). I don't think that's nearly enough information to ensure security, but at least it's better than nothing.
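As an added example (not part of any comment in this thread, and not code from ICAO or any passport issuer): a sketch of how a passport BOOK's Basic Access Control keys come entirely from the printed data swillden and lobsterturd mention, following the key derivation in ICAO Doc 9303. The input is the specimen document from that standard's worked example, not a real passport, and `key_material_bits` with its defaults (uniformly random 9-character number, 100 birth years, 10-year validity) is an assumption made for illustration.

```python
import hashlib
import math

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1; digits as-is, A-Z = 10..35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        value = 0 if ch == "<" else int(ch, 36)
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Document number, birth date and expiry date (YYMMDD), each followed by its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + check_digit(f) for f in fields)

def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so that each byte has odd parity (DES key format)."""
    return bytes((b & 0xFE) | (bin(b & 0xFE).count("1") % 2 == 0) for b in key)

def bac_keys(doc_number: str, birth: str, expiry: str):
    """Return (K_seed, K_enc, K_mac); nothing secret goes in beyond what is printed in the book."""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    def derive(counter: int) -> bytes:
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])
    return k_seed, derive(1), derive(2)

def key_material_bits(doc_len=9, doc_alphabet=36, birth_years=100, validity_years=10):
    """Upper bound on the entropy of the inputs, assuming every value is equally likely."""
    return (doc_len * math.log2(doc_alphabet)
            + math.log2(birth_years * 365)
            + math.log2(validity_years * 365))

if __name__ == "__main__":
    # Specimen values from the ICAO Doc 9303 worked example (not a real document).
    seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ information:", mrz_information("L898902C", "690806", "940623"))
    print("K_seed:", seed.hex().upper())
    print("K_enc :", k_enc.hex().upper())
    print("K_mac :", k_mac.hex().upper())
    print("Input entropy upper bound: %.1f bits" % key_material_bits())
```

The bound comes out near 73 bits under these generous assumptions, against the 112 bits a two-key 3DES key nominally offers, which is the gap lobsterturd's "not nearly enough information" remark points at.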

Signing (0)

Anonymous Coward | more than 5 years ago | (#26725851)

Why don't they just put a little cpu in there to add some random numbers (maybe a timestamp) and sign the whole message - changing every minute or some such interval?
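As an added example (not part of any comment in this thread): a small simulation of the difference between a tag that "simply spits its ID number out" and the challenge-response scheme described in the SIM card comment and suggested in the "Signing" comment above. HMAC-SHA256 stands in for whatever algorithm a real SIM or chip uses, and all class names, the tag ID and the keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class StaticIdTag:
    """A tag that answers every query with the same identifier."""
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge is ignored

class ChallengeResponseTag:
    """A tag holding a secret key; it answers with a MAC over the reader's nonce."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ReplayedTag:
    """A copy made from one observed answer; it can only repeat those bytes."""
    def __init__(self, recorded: bytes):
        self.recorded = recorded
    def respond(self, challenge: bytes) -> bytes:
        return self.recorded

class Reader:
    """Issues a fresh random challenge per read; key=None models an ID-only check."""
    def __init__(self, tag_id: bytes, key: bytes = None):
        self.tag_id, self.key = tag_id, key
    def verify(self, tag) -> bool:
        challenge = secrets.token_bytes(16)
        answer = tag.respond(challenge)
        if self.key is None:
            return hmac.compare_digest(answer, self.tag_id)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(answer, expected)

def demo() -> dict:
    tag_id = b"constructed-tag-0001"   # constructed sample identifier
    key = secrets.token_bytes(32)      # per-tag secret shared with the issuer
    static_tag, cr_tag = StaticIdTag(tag_id), ChallengeResponseTag(key)
    # One exchange with each genuine tag is observed over the air.
    seen_static = static_tag.respond(secrets.token_bytes(16))
    seen_cr = cr_tag.respond(secrets.token_bytes(16))
    return {
        "static_genuine": Reader(tag_id).verify(static_tag),
        "static_replayed": Reader(tag_id).verify(ReplayedTag(seen_static)),
        "cr_genuine": Reader(tag_id, key).verify(cr_tag),
        "cr_replayed": Reader(tag_id, key).verify(ReplayedTag(seen_cr)),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16s} accepted={accepted}")
```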
