×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hackers Clone E-Passport

timothy posted more than 7 years ago | from the thank-heavens-for-black-hat dept.

185

mrops writes "I guess the skeptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

185 comments

"No Shit," ollectively the masses said. (5, Insightful)

hkgroove (791170) | more than 7 years ago | (#15839291)

But this unfortunately is not going to stop the governments from wasting money on them.

What's more... (5, Insightful)

vain gloria (831093) | more than 7 years ago | (#15839358)

But this unfortunately is not going to stop the governments from wasting money on them.

Our money.

Re:What's more... (0)

Anonymous Coward | more than 7 years ago | (#15840633)

Its not YOUR money, its THEIR money they PRINT to CONTROL society. Thats what money is, CONTROL.

Wake up.

I've got one (4, Interesting)

Spad (470073) | more than 7 years ago | (#15839297)

I just renewed my passport, hoping to get in before the "biometric" passports became mandatory in the UK (Not that there's actually *any* biometric data on them), but sadly I've ended up with a RFID chip embedded in the back page of my new one.

The booklet that comes with it helpfully suggests ways to damage the chip, such as microwaving it, but doing so will render the passport useless, unfortunately. Anyone know where I can get a good tinfoil wallet from?

Re:I've got one (2, Insightful)

HugePedlar (900427) | more than 7 years ago | (#15839323)

Shit. I was planning on doing the same thing. Might as well not bother now.

It both scares and infuriates me that my government wants to roll out a vastly more insecure (and expensive!) system than that which already exists, while proclaiming the opposite. Seriously, how the hell is this allowed to happen??

Re:I've got one (2, Informative)

Spad (470073) | more than 7 years ago | (#15839379)

Get it done anyway - come October the price of a renewal goes up to cover the costs of the RFID system.

Re:I've got one (4, Funny)

hkgroove (791170) | more than 7 years ago | (#15839393)

Seriously, how the hell is this allowed to happen??
The boxes told them they were lost.

Still do it. (1, Interesting)

Anonymous Coward | more than 7 years ago | (#15839802)

Even though it has RFID, the ones coming in October will cost more (£93) and you will be entered into the National Identity Register (read: Be interrogated, DNA-swabbed and fingerprinted like a criminal).

Do it now (like I will) and get RFID, or do it later and get life-long surveillance on the NIR (where a simple clerical error can ruin your life). If I ever get to the point of having to go on that database, Im leaving the country.

Wait for the ID Theft (3, Insightful)

aplusjimages (939458) | more than 7 years ago | (#15840261)

Just wait it out. A year from now they will see they made a mistake. Unfortunately it will be at the expense of travelers. But hey the only way politicians will listen is after the bad thing you predict will happen happens. They only wear hindsite glasses.

Re:I've got one (1)

badfish99 (826052) | more than 7 years ago | (#15840357)

The last I heard, they were rolling out the chipped passports in phases. I got mine renewed (from the Peterborough office) a few weeks back, after the rollout started, and I was lucky enough to get one of the old ones. So it's still worth trying.

How to get a non-RFID UK passport (2, Informative)

njdj (458173) | more than 7 years ago | (#15840489)

Renew your passport at a consulate overseas. Incidentally, this is also much quicker than renewing it in the UK (typically takes 2 weeks). The only snags are the obvious ones that you need to stay out of the UK for long enough to get your new passport, and you need an overseas address (maybe a friend's).

I would not advise trying the obvious trick of just mailing your old passport to a friend in country X with all the forms, and asking them to post them to the consulate as though you were in X, then post the passport back to you when it arrives at their address. Cross-border postal mail is checked more often than most people realize, and I have heard of cases where identity documents have been removed.

Re:I've got one (5, Informative)

Lurker187 (127055) | more than 7 years ago | (#15839359)

I believe that those anti-static bags that many computer boards come in will block an RFID signal. They certainly look exactly like the bag I was given with my RFID remote toll-paying tag, and putting the tag in the bag supposedly blocks it from being read.

(What, you don't have any old computer parts in their original anti-static bags?!? That's it, no /. for you! ;) )

Re:I've got one (1)

From A Far Away Land (930780) | more than 7 years ago | (#15839433)

You could potentially test this bag theory by getting a friend to wave a RFID keyfob in a bag, in front of their Fob-door opener. If it opens, I'd discount your theory. If it doesn't, I'd keep testing.

Re:I've got one (5, Informative)

plantman-the-womb-st (776722) | more than 7 years ago | (#15839679)

Nope, the keys for my marina are RFID and I tested this very thing. The machine read the card as usual.

Re:I've got one (3, Informative)

Lurker187 (127055) | more than 7 years ago | (#15840167)

Excellent detective work, thanks!

I checked online with my state issuing authority (Maryland, US) for my toll-paying RFID tag, and I was able to request online that they send me 4 (the limit) free "read-prevention bags". This may only be of use to those in the northeastern US, but if any toll collector in your area uses a similar device, you might be able to find a bag easily.

Re:I've got one (1)

Tim C (15259) | more than 7 years ago | (#15840232)

(What, you don't have any old computer parts in their original anti-static bags?!? That's it, no /. for you! ;) )

No, of course I don't - I have old computer parts in the anti-static bags of the new parts that replaced them!

Re:I've got one (2, Funny)

plover (150551) | more than 7 years ago | (#15839389)

Roll your own! [rpi-polymath.com] The duct-tape wallet made out of foil duct tape, with an extra flap to cover any RFID cards.

It's actually better designed than the passport itself!

Re:I've got one (1)

clickclickdrone (964164) | more than 7 years ago | (#15839738)

Don't worry about it too much. When is the last time the UK govt have successfully delivered a large IT project either to time, budget or spec? The database that sits behind the ID card plans will be an utter disaster and probably never go live. That said, with our idiot govt, I can imagine them going live complete with bugs and starting to arrest people left right and centre for not matching what the database says. "Hey, you, Mr Smith, says here you should be a 4 foot 8inch woman, not a 6ft man. You must be a terrorist! Quick, ship him off to the US for processing"

FUCK (0)

Anonymous Coward | more than 7 years ago | (#15839840)

Fuck! And I just sent off my passport renewal today. Fuck. Guess the only way we will get rid of this ID card malarky is if the tories get in, and I dont think many people want that.

Anyways - your passport will still "work" if you fuck the RFID. People (lawysers when you try to pay fees, bank folk when you open an account, check-in staff at the airport) will look at the picture, check it conforms to your face, and accept it as ID. Passports issued earlier this year will be valid for 10 more, so people won't _require_ RFID for another 5 at least. And that is time to elect a better government, or failing that move to another country (I am seriously considering somewhere else in Europe) -- speaking of which the CAPATCHA says "ferries"!

German consultants (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15839301)

Don't German security consultants also specialize in building super-bunkers for Islamic terror states like Iran?

And now they've compromised the future US passport as well?

3 words to describe this -

state sponsored terrorism.

Re:German consultants (3, Informative)

Yvanhoe (564877) | more than 7 years ago | (#15839597)

Don't German security consultants also specialize in building super-bunkers for Islamic terror states like Iran?

And now they've compromised the future US passport as well?

3 words to describe this -

state sponsored terrorism.


I know you are humorous. But you are insightful in your humor. See how easy it is to put something against anyone in the "war on terror" ? Now in three sentences, that is far-fetching, but if it was released day after day in news report, I am confident you could turn the majority of US opinion against any country in the world.

Re:German consultants (2, Insightful)

CreatureComfort (741652) | more than 7 years ago | (#15839742)


Now in three sentences, that is far-fetching, but if it was released day after day in news report, I am confident you could turn the majority of US opinion against any country in the world.

Too late. The majority of US opinion is already against every country in the world, "Freedom" fries anyone? The only exceptions to this are a few countries like England and Australia, which most Americans think of a funny sidekicks to Uncle Sam, as long as they know their place and don't start getting uppity. Or countries like Sweden, Norway, etc. who most Americans never think of at all, and would never remember if asked to name all the countries in the world.

There is one exception that does prove your rule though... the US itself. Just look at the idiocy, promoted day-after-day in the media, being perpetrated by the American govt. and all you get is angry comments, from the general public, to the effect of "why does the NYT hate America?"

At least it won't work for a drive-by cloning (4, Interesting)

plover (150551) | more than 7 years ago | (#15839309)

According to TFA, in order to read the data from the passport you have to enter a key printed in the passport itself. This will at least prevent a surrepetitious cloning while sitting in an airport chair (like the guys who cloned the Mobil SpeedPass keytags.)

Of course, that won't stop the mad bombers with their IEDs from detonating their bombs in the presense of an ePassport. The video [youtube.com] from TFA shows yet another weakness in this crappily designed (i.e. vendor driven) system.

Re:At least it won't work for a drive-by cloning (1)

Spad (470073) | more than 7 years ago | (#15839334)

According to TFA, in order to read the data from the passport you have to enter a key printed in the passport itself.

Well that's fucking secure - chalk up another one for security through stupidity.

Re:At least it won't work for a drive-by cloning (4, Insightful)

IAmTheDave (746256) | more than 7 years ago | (#15839565)

Well that's fucking secure - chalk up another one for security through stupidity.

Ya know, there is not a thing that Homeland Security has done that has made us more secure. Even the one or two instances where they actually tracked down a terrorist cell instead of wasting government money on vacations and useless Katrina relief trailers could easily have been done by the individual agencies themselves.

It's almost difficult to fathom what anyone that requires this shit is thinking. There is no evaulation of technology, and a complete lack of understanding of security. Unfortunately, those that make the decisions often disregard for political reasons the constant cries of the actual technology folks in those agencies that actually point out these flaws. Unfortunately, their cries fall on deaf ears (although, a big thanks for not giving up the good fight). But politics outweighs information, and RFID gets put into passports, despite the overwhelming evidence that they are a very bad idea.

Almost all of this is politically motivated now, in one of two avenues - to "appear" to be taking some action to protect security, or in an effort to more easily collect information on anyone that steps foot one into this country - be ye citizen or visitor.

Checks and balances, being the glory of the past but just about dead now, make sure that these unilateral decisions can be made without any oversite. And with Bush just giving himself more power [theonion.com] (a parody, but eerily poignant) there is no end in site to this stupidity.

Re:At least it won't work for a drive-by cloning: (4, Informative)

undef (682662) | more than 7 years ago | (#15839420)

Safe from surreptitious cloning? Big deal. You routinely hand over your passport at hotels, etc... while in Europe.

Re:At least it won't work for a drive-by cloning: (1)

tomstdenis (446163) | more than 7 years ago | (#15839698)

Really? Where?

I've been at hotels in Ireland, France and England and never once gave them my passport. I might use it as ID e.g. to prove I'm me. But they don't keep it.

Most of the time they don't care. They just swipe your credit card and are glad to take your money....

Tom

Re:At least it won't work for a drive-by cloning: (0)

Anonymous Coward | more than 7 years ago | (#15840170)

I've had to leave it at the front desk of European casinos, while I was gambling.

Re:At least it won't work for a drive-by cloning: (1)

undef (682662) | more than 7 years ago | (#15840485)

According to TFA, the passport is needed only long enough to scan it. That could be sitting on a pad behind the hotel's registration desk for 15 seconds. It's doesn't say anything about keeping it

Re:At least it won't work for a drive-by cloning (2, Interesting)

Billosaur (927319) | more than 7 years ago | (#15839489)

According to TFA, in order to read the data from the passport you have to enter a key printed in the passport itself. This will at least prevent a surrepetitious cloning while sitting in an airport chair (like the guys who cloned the Mobil SpeedPass keytags.)

So I can't simply read the information and then brute force the key? One presumes that all somebody needs is to get their hands on one or more of these passports, figure out the key schema, and then write a program to try to crack the RFID information using the most likely keys.

Security of passports is nebulous at best, even without the RFID technology.

RFID is the latest buzz. (4, Funny)

Skynet (37427) | more than 7 years ago | (#15839339)

Now if we could only enabled these RFID passports to download XML via SOAP on a Web 2.0 platform with XmlHttpRequest, Ruby on Rails would finally take off.

Re:RFID is the latest buzz. (1)

nanio (937692) | more than 7 years ago | (#15839503)

Snakes On A Plane?

This isn't news. (5, Informative)

4815162342 (940334) | more than 7 years ago | (#15839357)

While the headline sounds scary, when you examine it closer, this isn't really surprising. The ability to copy the passport is not the issue here. The key point of the technology was to have the issuing government digitally sign the information contained in the passport. This means that a forger cannot simply tip-ex out the name and and put in a new one ;-) The article did not mention if the German passport contains bio-metric data. i.e. a digital copy of the photo. This combined with a digital signature of the photo would make the system very secure indeed. The passport inspector simply scans the data and compares the photo to the person standing before him. I don't see how this "hack" compromises the security of the system, except in cases where the inspecting authority misuses or misunderstands the basis of security in the system.

Re:This isn't news. (5, Insightful)

plover (150551) | more than 7 years ago | (#15839457)

The weakness happens if the inspector examines only the paper copy and relies on the electronic copy to perform the security checks in the background. That's likely to become a common occurance -- look at the passport, scan the passport, chat with the guy asking if he's here on business or holiday, wait for a green "OK" screen in the corner of your eye, and wave him through. It'll happen a hundred times a day, and the inspectors will make mistakes.

Probably the better question is "will the bad guys be willing to risk trying this?" No doubt there'll be an endless stream of stolen passport data available on line from crooked hotel clerks -- skimmed e-passport RFID data will be the next hot hacker item for sale.

Re:This isn't news. (0)

Anonymous Coward | more than 7 years ago | (#15840296)

The scenario is pretty remote. Officer and/or inspection system has to perform couple of well defined steps in the process, no matter the technology. One is to verify that document belongs to the passenger. This is currently done by looking at photo and then at the person. Checking that document is valid (not forged or exipired) is completely another story.

So, if the system only verifies document validity, no security officer will skip verification that document belongs to the holder (by looking to printed photo, photo on the screen and actual person).

In the article, Grunwald correctly observes that the chip contents cannot be modified. He states that since one can read data from chip, he could produce a copy, which is not really very useful.

Chip is a smartcard and can produce RSA key pair in a way that prevents everybody, including the chip producer, from reading private key.

So, you can read data from chip, but cannot read ALL the data from chip, and there's ICAO recommended method, based on this, that prevents chip copying and Grunwald actually got it wrong that the standard has such obvoious weakness. Actual inspection systems are different story.

How to make a passport somewhat secure (1)

jonwil (467024) | more than 7 years ago | (#15840462)

1.Every passport that has one of these RFID chips should contain a unique number burned into the RFID chips in a way that can never be changed but can be read back.
2.When the passport data is written to the RFID chip, the data is encrypted using an RSA (or similar) key that only the government has which will prevent "drive by data dumping" as long as the other half of the key is only embedded in passport machines and is kept tightly controled. Also (and more importantly), it is digitally signed using the same key (including the unique number burned into the RFID chip). This would prevent anyone from even being able to make a 1:1 copy of a passport.

Re:This isn't news. (2, Insightful)

Yvanhoe (564877) | more than 7 years ago | (#15839639)

Well, would you take the risk to leave copies of your passport in the wild ? Here is how to use a copied passport : Find someone of your size with a beard. Taint your hairs, use lens for the color of your eyes, stop shaving, get used to be called 'Gunter'.

Photos are anything but secure. I wouldn't even trust fingerprints for anything serious.

e-passports (1)

falconwolf (725481) | more than 7 years ago | (#15840490)

The key point of the technology was to have the issuing government digitally sign the information contained in the passport. This means that a forger cannot simply tip-ex out the name and and put in a new one ;-) The article did not mention if the German passport contains bio-metric data. i.e. a digital copy of the photo. This combined with a digital signature of the photo would make the system very secure indeed.

Ah, but a forger can do just that. Unless whoever scans the passport, customs agent for instance, has immediate access to a database where all the info including a photo is located there's no way to guaranty the holder is who s/he says s/he is. Even then though there's no guaranty, the database is manned by people and one or more of them can turnaround modify the data, sale said info, or can create new ids. I seem to recall a few years back where someone at the IRS was arrested and charged with selling personal data including SSNs.

Falcon

And yet again... (1)

ThomsonsPier (988872) | more than 7 years ago | (#15839361)

...people are trying to use technology instead of hard work instead of for assistance. The addition of extra identifying characteristics to the passport system widens the skillset required to accurately produce a forgery. As few people are capable of the full range of these skills, the cost of the forgery increases and thus its value goes down.

To create a full passport it would therefore be necessary to clone the passport itself, physically alter the appearance of the picture to match yours and ensure all the data is consistent. That is, until the authorities decide that technology is foolproof and stop using visual checks in addition the electronic ones, but I'm sure none of the high-up types in these industries would consider such an absurd notion.

And this helps... how? (3, Informative)

Moraelin (679338) | more than 7 years ago | (#15839372)

So he cloned a passport. As in, a verbatim copy with the same name, date of birth, etc. He explicitly says that he _can't_ (at the moment) change his name, date of birth, etc, because of the hashes.

So his grand achievement is... what? That that a fellow called John Smith could thus make a fake passport that still says John Smith?

Ah yes, so he could clone someone else's chip, if he can steal their passport, and place it on his own passport. Except now he has a passport that says John Smith and a chip that says Jane Doe. As he himself acknowledges it, it will work only if someone at the border/airport/whatever would just swipe the thing over a reader, but not bother actually reading it. And, oh, if also their scanner is broken and doesn't also read the "John Smith" printed in OCR letters on the real pass.

It sounds like some clever hack, but frankly, then what's the improvement over just stealing a passport and using it as it is? If the condition of passing for Jane Doe instead of John Smith is hoping that they'll just swipe it over the reader and not actually look at it, then simply a stolen passport would work just as well and with far less of a hassle.

So, basically, this is just someone's verbal masturbation, rather than some clever hack.

Re:And this helps... how? (1)

Spad (470073) | more than 7 years ago | (#15839399)

Step 1: Figure out how to clone Passport
Step 2: Figure out how to alter clone
Step 3: ???
Step 4: Profit!

Bingo. And it's step 2 that's the problem (2, Insightful)

Moraelin (679338) | more than 7 years ago | (#15839557)

Step 1: Figure out how to clone Passport
Step 2: Figure out how to alter clone
Step 3: ???
Step 4: Profit!


Let's just say that the same applies then to forging a digitally signed document:

1. copy the document
2. figure out how to change it while hashing to the same digital signature
3. ???
4. profit

Yes, but see, step 1 is a non-achievement there. Step 2 is the real issue. _That_ what digital signatures really prevent. Seeing some idiot come up and say "ha ha, digital signatures are useless, because I just copied a CD that had a digitally signed file on it" would just tell me that the poor idiot is completely clueless and doesn't even know what he's talking about. It wasn't step 1 that was supposed to be made harder by those signatures, it was step 2 all along. Wake me up when you achieve that.

Same applies here.

Copying a RFID chip verbatim is a non-issue and non-achievement. It's like copying a floppy or a CD. _Of_ _course_ it can be copied, and only a complete ignoramus would make that their grand achievement.

Wake me up when you can actually change the data. And for that matter when the plan is less retarded than hoping that noone will look in the pass _and_ that they'll let you scan a building pass together with / instead of the passport. It's such a "cunning" plan that only Baldrick of Black Adder fame could honestly think it "cunning".

Re:And this helps... how? (4, Informative)

Tweekster (949766) | more than 7 years ago | (#15839426)

Do you think its hard to snag someones passport?

How about a pickpocket at the airport, they can even turn it in to the lost and found afterwards. Suddenly being John smith isnt that bad now...

and secondly, gee I really wonder if the people at the border are gonna be lazy and not bother to check but simply swipe it.... oh wait they are lazy and will do exactly that!

As for the need to steal a passport right now to do this...wait a week, im sure someone will figure out how to take this one step further.

Duplicate and sell them to people who look similar (1)

Visaris (553352) | more than 7 years ago | (#15839492)

1) Steal 1000 e-passports.
2) Duplicate and sell them to people who look similar.
3) ...
4) Profit!

Re:And this helps... how? (0)

Anonymous Coward | more than 7 years ago | (#15839533)

John Smith could hire a lookalike to use his passport to travel while he kills Jane Doe thus giving him an alibi. The photo ID isn't that great and we already know that fingerprints can be faked.

The question becomes how much biometric data will be on the cards and used to verify the person at checkpoints. Blood type? Irises? It has to be both secure and reasonably quick so people don't reject the system.

Re:And this helps... how? (3, Insightful)

rs232 (849320) | more than 7 years ago | (#15839608)

"Seriously why is this a big deal? .. as far as I understand it is an additional measure of security, not the only measure", MoneyT

Allow me to explain it to you. The move to e-passports was so as you couldn't counterfeited them like the paper ones. One of the measures required, if not the primary one is the ability to not be cloned. Thats why they call them e-passports

"his grand achievement is... what? That that a fellow called John Smith could thus make a fake passport that still says John Smith?", Moraelin

No, that a follow called Osama could pass through an airport if it used electronic scanning. Or as the article mentions an electronic device could be activated when 'John Smith' opened his passport.

The same lack of thought seems to have gone into fingerprint scanning. As this article [diva-portal.org] demonstrates it is possible to forge these as you leave your prints all over the place.

Re:And this helps... how? (3, Insightful)

SyncNine (532248) | more than 7 years ago | (#15839868)

OK, seriously. You sound like George Bush. Just stop talking.

Let me explain this as simple as possible so that I'm sure that we're all on the same page:
Someone can duplicate the DATA on a passport and NOT edit it, and you say 'OMFGZ OSAMA BIN LADEN ROFLOL'.
Give the Osama argument a rest.

Let us play out this scenario of yours:

Osama Bin Laden finds himself in possession of a stolen/cloned passport for one 'John Smith' of the USA.
This passport, while stolen and cloned, is still digitally signed -- meaning that the information on it cannot be changed.
Osama Bin Laden attempts to enter the USA with this passport.
The electronic scanner reads 'John Smith' and provides a picture of 'John Smith'.
Osama Bin Laden is NOT 'John Smith'.
Osama Bin Laden is taken into custody.

The only way that "Osama could pass through an airport if it used electronic scanning" is if he found a way to re-digitally sign the contents of the passport, OR if he could do enough facial modification that he looked like 'John Smith'.

So, what we're saying is, if he's willing to do the plastic surgery or to spend the time to crack the RSA encryption on the contents of the RFID chip and is able to RE-digitally sign it after he edits it, he can get into the country. Gee. Sounds a lot less secure than our current method of ... uh ... looking at a piece of paper that could be edited by anyone with enough time and the holograms to make it look right.

Or, the more likely scenario, he'll just waltz across the Mexican border because the USA doesn't seem to give a crap about the fact that thousands of people illegally cross it daily. Without passports. Or extensive facial modification.

On to your second mention that someone could have an electronic device that activates when an RFID chip is within range:
YIPPEE. Anyone could make an electronic device that would activate when your Chase Blink card or your FastPass or your Building Key Card is within range. THIS IS NOT NEW, NOR IS IT EXCITING OR DANGEROUS.

Quit with the FUD posts and actually take a step back to find out that, YES, RFID passports are not perfect. YES, the concept has its inherent flaws. NO, they really aren't (yet) worse than the standard passport flaws. NO, this does not mean that you can just drop a FUD post about Osama getting into the airport because of it without any factual basis behind it, whatsoever.

Re:And this helps... how? (2, Funny)

Ohreally_factor (593551) | more than 7 years ago | (#15840455)

I tried to read your comment, but at the first mention of Osama, I fainted and then crawled under my desk. Is it safe to come out?

Oh, crap! Look! In the line above this one! Osama! There it is again! OK, that's it. I'm not coming out. Where's my blankie?

Re:And this helps... how? (0)

Anonymous Coward | more than 7 years ago | (#15839632)

i think the key phrase of the parent post is "He explicitly says that he _can't_ (at the moment) change his name, date of birth, etc, because of the hashes."

once this is cloned, one could take it home and just brute force it at your leasure.

Re:And this helps... how? (1)

gutnor (872759) | more than 7 years ago | (#15839683)

With this argument I wonder why we are not using a "print you own" passport service. Much faster, the administration send you a pdf and you print it on your own printer at home. After all, it is only a matter of having it properly checked.

Personally if my country issue an official document that identify myself I expect it to be a little more harder to copy than using a simple copier. There are tons of places where checks will be weaker than at airports (at least in Europe where a lot of countries uses an ID Card). That is in those places where they will rely on electronic only checking.

Re:And this helps... how? (1)

Yvanhoe (564877) | more than 7 years ago | (#15839726)

Just the first step. Now they can try to alter chips without invalidating their own passports. If the encryption isn't bulletproof, it won't take long to see Osama with a tourist visa.

Re:And this helps... how? (4, Interesting)

Dare nMc (468959) | more than 7 years ago | (#15839754)

>Ah yes, so he could clone someone else's chip, if he can steal their passport, and place it on his own passport.

Except that 2 major stated purposes of RFID in passports is nullified by his actions.

IE:
RFID passports are more secure/no the digital portion can be copied easier than the paper.
RFID passports will speed customs/no the RFID download can't be trusted, without thourgh comparison to the paper.

also Identity theft occurs within families. So if I were 18 year old George W Bush Jr, I snag W Bush Sr's passport, make a copy of the chip, return it. Unless a photo is on the RFID chip, their are only 3 differences in our passports, 1) Age, 2) a additional roman numeral (ie III instead of II) 3) SSN

not to mention their are 3 unrelatead Jim Jones within 5 miles of my house, all within 5 years of age to me, likely at least 2 have the first 3 digits of their SSN the same as me (most SSN's issued in my home state, of simular issue dates started with number in the range of 478 to 480)
So if I were to become a felon on Parol with a travel ban,
1) have my name legaly changed to Jim Jones
2) Break into Jim Jones' houses, cloan digital chip, Jim never knows.
3) I now have 4 passable unique ID's to use anywhere I want, 1 piece of paper, 3 chips to swap.

Re:And this helps... how? (1)

technococcus (990913) | more than 7 years ago | (#15839776)

Who says it needs to offer an improvement over traditional passport stealing? The thing is, the mere fact that there's yet another way to steal that information means that this "security improvement" has made that data less secure than it was before.

Oh, and there is an improvement, btw: that John Smith doesn't report his passport as stolen (because, as far as he knows, he has the only copy), so no one is even remotely on the lookout for this passport theif.

reminds me of that classic Star Trek episode... (1)

gravyface (592485) | more than 7 years ago | (#15839373)

where the two dudes in the Oreo jumpsuits are locked in an eternal struggle -- why is it that security vs. hackers struggle should be any different? Do security innovators really think that they're going to invent the "unbreakable" technology?

Well... (1)

brunokummel (664267) | more than 7 years ago | (#15839412)

Unless he's trying to get into USA as an american citizen, I don't see why a german would like to pass as an american in any other place in the world, considering that, unfortunattely, american people are the favorite target of terrorists around the planet.

Of course there's the "I told you so" factor, just to prove that he could do it, but anyways we all knew that this E-passport thing wouldn't take much time to be proved wrong, i guess we just didn't know that it would be that fast!

Well... Viva Mexico!

Re:Well... (1, Informative)

Anonymous Coward | more than 7 years ago | (#15839582)

I think Israeli citzens are still numero uno on the terrorist hit lists.

And thanks to "poodle" Blair, UK citizens are not a very distant third.

Re:Well... (1)

earthlingpink (884677) | more than 7 years ago | (#15839774)

Depends what we mean by "terrorist" doesn't it?

Appalling numbers of Iraqis are being killed by what some would define as "terrorists."

I think the purpose of Grunwald's experiment was to demonstrate that this technology was by no means foolproof and indeed that the current, non-encrypted implementation, would permit people to quickly copy data.

The introduction of RFID-passports has been driven by the current US administration: countries included in the visa waiver programme have had to meet these American standards to continue in the programme.

Meanwhile, the American fear of Johnny Foreigner continues.

Re:Well... (1)

grimJester (890090) | more than 7 years ago | (#15840093)

Unless he's trying to get into USA as an american citizen, I don't see why a german would like to pass as an american in any other place in the world, considering that, unfortunattely, american people are the favorite target of terrorists around the planet.

Out of curiosity, how many US tourists have been killed by terrorists? I can't recall a single case.

Re:Well... (1)

sickofthisshit (881043) | more than 7 years ago | (#15840622)

A few listed on

http://avpv.tripod.com/AmericanVictims.html [tripod.com]

Two U.S. AID officials killed on hijacked Kuwait Airlines flight (1984)
U.S. Navy enlisted man killed on hijacked TWA flight 847 (1985)
Leon Klinghoffer killed on Achille Lauro (1985)
Pan Am flight bound for NYC downed in Lockerbie, Scotland (1988)
Pan Am flight hijacked en route to Frankfurt from Karachi, two Americans among 22 killed by hijackers (1986)
TWA flight en route to Athens, bomb on board killed four Americans. (1986)
Abu Nidal assault on El Al in Leonardo da Vinci airport in Rome: five Americans among 13 killed. (1985)

I've omitted a bunch of American expatriates and embassy officials.

To be fair, most tourist victims are targeted for being Western, not particularly American. For example, bombing tourist buses or restaurants frequented by Westerners. Many of those targeted are in Israel, and I didn't count the numerous listings of "American-Israeli" because that's not necessarily an ordinary tourist, as opposed to a long-term resident. Being carefully selected out of a group because of one's American passport is not as common as one might think.

Re:Well... (1)

kalirion (728907) | more than 7 years ago | (#15840525)

As I understand it, their own neighbors are the favorite targets of terrorists around the planet.

Next you'll know ... (1)

Midnight Thunder (17205) | more than 7 years ago | (#15839414)

Next you will have these automated gates and the immigration people saying that it was amazing that the president came through the airport ten times in the last hour. He must have been very dicrete since no one noticed him.

Wait wait wait... (2, Insightful)

MoneyT (548795) | more than 7 years ago | (#15839455)

you mean data can be copied? Holy fuck! Stop the presses and halt the manufacturing this is clearly useless because data can be copied. Seriously why is this a big deal? Was it any real suprise that data could be cloned? The purpose at least as far as I understand it is an additional measure of security, not the only measure. Yes, if you only go off the chip, you're screwed, but hey, that's why you don't only go off the chip. No one is saying this will stop forgeries, just that it will make it more difficult. It's one more thing that needs to be done and done right which means it's one more way to possibly catch a forgery. Surely no one thinks the new coloring on new money is going to stop forgery but it will hopefuly make it more difficult and time consuming. Is the coloring worthless because forgery can still happen?

Re:Wait wait wait... (1)

vertinox (846076) | more than 7 years ago | (#15840100)

Is the coloring worthless because forgery can still happen?

If someone breaks your really expensive lock on your front door and steals your belongings, then what is the difference between it and the cheap lock you had up there last week. Sure it might have hassled the thief a bit more, but if the lock still fails its purpose the end result is still the same... You know... Lose all your belongings to the thief and with the passport, get a terrorist slipping past the border guards.

Not so bad really... (4, Insightful)

MobyDisk (75490) | more than 7 years ago | (#15839470)

After reading this article, the RFID thing isn't nearly as bad as I thought.

1) They aren't eliminating the physical passports. So all the physical protections (watermarking) still apply.
2) They are shielding the passports so they can't be remotely read.
3) You need to send a cryptographic key which makes it even more difficult to read remotely (although I don't understand how this works).
4) They are hard to tamper with because of the hashes (assuming they are good hashes, this is comparable to watermarks).

Having said that, I'm not sure why the RFID thing is even useful. A bar code would be simpler, although no more or less tamper proof. And there are existing machines which can read passports by scanning them and OCRing. They are very reliable since passports use high-quality printed text with the characters in known fonts and positions.

The "rationale" for RFID passports (2, Insightful)

alienmole (15522) | more than 7 years ago | (#15839843)

Having said that, I'm not sure why the RFID thing is even useful.
Government agencies. Shiny new people-tracking technology. Huge tax-funded budgets don't spend themselves, people!

Re:Not so bad really... (0)

Anonymous Coward | more than 7 years ago | (#15839856)

"Having said that, I'm not sure why the RFID thing is even useful. A bar code would be simpler, although no more or less tamper proof. And there are existing machines which can read passports by scanning them and OCRing."

Of course that RFID is not useful... for check passports in the airports...
But I think that this is not the real reason because the passports has RFID. You can track every citizen with this tecnology..

"2) They are shielding the passports so they can't be remotely read."

Well.. I suppose it dependes of how powerful is your transmiter and sensitive is your receiver..

Orwell was an optimistic. :-(

Re:Not so bad really... (1)

hcob$ (766699) | more than 7 years ago | (#15839977)

Well.. I suppose it dependes of how powerful is your transmiter and sensitive is your receiver..
Since you have a FARADAY CAGE around the device when it's closed. You're not going to penetrate to the reciever. Also if you were to build a machine powerful enough to penetrate the cage, it would surely melt said cage and overload your target...

Specs here (5, Insightful)

hughk (248126) | more than 7 years ago | (#15839519)

You can find a copy of the specs on the ICAO website [icao.int] .

It doesn't give away a lot, it doesn't have to. A passport must be inspectable by anyone so the spec on how to read it must be pretty much public. There is an (optional) electronic signature mechanism, but this predicates an international public key infrastructure. The bank where I work has enough problems getting one of those together, let alone an international organisation. PKI is very hard. Google for references on this.

Key compromise means that all issues documents are then compromised. Can you imagine a country recalling all its passports?

Secure Documents don't need RFID (5, Insightful)

davidwr (791652) | more than 7 years ago | (#15839666)

In order to be "secure" against fakery a passport, or any document should:

1) Have an digital signature of all the data, or at least a signature of a strong one-way hash.
2) Have a means to verify the signature, and that the signer's key hasn't been repudiated.
3) Have a means to verify the hash is legit, i.e. rehash the data on the spot.
4) Have a means to verify the data in question matches the printed version of the document, e.g. a computer screen that shows the digitized picture and the other data that should be on the printed document. A human, or perhaps a computer, can then compare that with the actual document.

Steps 1, 2, and 3 are at the heart of any digitally-signature-validation scheme. Step #4 will detect misuse, as someone using a cloned passport will "look" the same as someone using a stolen-but-legitimate one to the checker.

An alternative, where bandwidth is available, is to have the document-issuing authority validate the document: Upload the document to the authority, and have it send back a "valid" or "not valid" response. This is essentially what happens with credit cards: the name, card #, and expiration date are passed on to the bank or the bank's agent, and the merchant gets back a code saying "card is valid," "card not valid," or one of several other codes such as "card reported stolen/missing."

There are still 2 problems with this approach:
1) The identical twin or look-alike problem.
2) Privacy issues if passport data is compromised.

The twin problem is mitigated by the digitized version of the handwritten signature, a fingerprint, notation of scars, or other items which look-alikes are less likely to share. Privacy issues are in principle no more than they are today with stolen passports, ASSUMING no information that is not on the printed passport finds its way to the embedded electronic data. However, electronic data is much easier to deliver to fraudsters than paper data, and passport theives aren't likely to spend the time typing or scanning in data from a paper passport. The best cure for this is to encrypt the data.

RFID is not required for a secure document. All RFID does is make the data easier to read, which is good for those who want to read the passports without contact them, be they freind or foe. Hmm, maybe someone should invent an RFID tag with an "on" switch.

RFID tag with an "on" switch (5, Insightful)

davidwr (791652) | more than 7 years ago | (#15839688)

I'm not even an expert in the field, but an RFID tag with an "on" switch seems pretty obvious. Just put the switch between the antenna and the rest of the device. It can be either a traditional on-off switch or a pressure-sensitive "off when not pressed" switch. Imagine an RFID-enabled passport that ONLY broadcasts when someone was holding down the "broadcast" switch.

I really should RTFA before commenting (2, Informative)

davidwr (791652) | more than 7 years ago | (#15839780)

Appearently, the US Government will be doing exactly this - they have hashes to prevent altering the data and human inspectors to prevent data mismatch.

Still, is RFID that's activatable without human intervention really necessary? I say no.

Is lack of encryption irresponsible? I say yes.

They don't want Americans traveling abroad (5, Insightful)

MikeRT (947531) | more than 7 years ago | (#15839687)

An insecure, RFID-driven passport is the perfect thing for making it too dangerous for Americans to travel safely abroad. If an American had one of these in Lebanon, Hezbollah could walk through a public place with a RFID reader and discretely find some good targets of hostage-taking opportunity. It'd be easier for the Chinese police, for example, to track American visitors.

Don't go abroad! Don't see the world except through the lens of CNNABCCBSNBCFOXNPR! That's how the political class wants it. A population that is scared to travel is a population that can't as easily see the world on its own and make its own decisions.

Re:They don't want Americans traveling abroad (5, Funny)

el_womble (779715) | more than 7 years ago | (#15839892)

Trust me. Foreigners don't need RFID to spot an American from 100 meters :)

Good thing Emvelope.com has a solution (1, Informative)

Anonymous Coward | more than 7 years ago | (#15839699)

They've got passport cases, wallets, and wallet inserts that block RFID and other electromagnetic signals. Emvelope.com [emvelope.com]

Just like the NYT (1)

scaryjohn (120394) | more than 7 years ago | (#15839838)

Lukas Grunwald is a traitor for exposing weaknesses in our programs to keep Americans safe from Tara.

. . .

What do you mean: We can't arrest a German for treason against the United States?

*weee*EEEE*oooo*

Dammit, is this mic still on?

"They're not increasing security at all." (1)

iminplaya (723125) | more than 7 years ago | (#15839876)

That was never the intention. It's strictly for tracking purposes. But now that it can be so easily spoofed, it won't serve that purpose very well either. It will serve to plant false evidence though, and many organizations, non-government and government alike, will "need" that.

challenge-response? (3, Interesting)

tilminator (970595) | more than 7 years ago | (#15839901)

Why is it so hard to implement a challange-response mechanism to avoid airing the entire passport data?

Especially when they are going to store fingerprints /images/iris scans on the chips, I would expect the passport chip to do the matching up. (Of course, it has to legitimate itself, too.) Just imagine having to change your fingerprints because of identity theft. Americans already have a taste of this with social security numbers.

BTW, if all you'd like to broadcast is your name and number, just print a barcode. That works perfectly fine in Chile (or Colombia? sorry).

Re:challenge-response? (1)

tilminator (970595) | more than 7 years ago | (#15840313)

Somebody is going to say "what's the point to challenge-response if you have to transmit the data and hash anyway?"

Well, take a look at the e-coins system: Each coin has several signatures on it, and the bank randomly selects a certain fraction of them for checking (half?). For example, hash the data + known number postpended. Now, even if a cracker intercepts communication once, he cannot fully copy the passport.

SSL connections are set up by selecting a random number derived from both parties' input that never went over the wire. If you use this algorithm to select which signatures to check, you could force the malicious hotel clerk or thief to read out the passport several times, ideally for a rather long period of time. Say, 1x checking per second, 300 signatures, 10 to check.

Security, shmecurity. (4, Interesting)

RunzWithScissors (567704) | more than 7 years ago | (#15839955)

Unfortunately, we've already seen that governments place a higher importance on the appearence of security rather than actual security. For direct evidence, just look at airport screening.

I'll conceed that x-ray'ing baggage would highlight obvious weapons like knives or guns. However, as we've seen from the likes of Yousef Josef and other terrorists, people can smuggle bomb components on plains using items, such as watches, which would not be picked up by the usual airport screening proceedures. Add to that the ever so effective comparison of the name and date on my boarding pass with the name on whatever casually inspected ID I provide. Please don't even get me started on how rediculous making me take off my shoes is.

If governments were really serious about airport security, they would adapt a model similar to the one used in Israel. Roving groups of heavily armed, well trained commandos that stop "interesting" individuals and select them for additional screening. However, this method would be too inconvienent and intrusive for travelers (Americans).

This is the state of governmental security. To the not very determined to violate it, lay individual, it appears that there is SOME kind of security in place. With a slight bit more investigation, someone with a bit of desire can easily violate it, thereby rendering the "security" utterly useless. But hey, they have to have some way to spend our tax dollars, right?

-Runz

e-passport is not about security. (0)

Anonymous Coward | more than 7 years ago | (#15840053)

it is about ease of tracking folks. All it means is that we can track all citizens.

This is harder than cloning metrocards (0)

Anonymous Coward | more than 7 years ago | (#15840054)

This would be quite surprising to me. It is true that you can copy any personal detail you want into these cards.

But besides some personal details passports are also supposed to have a secret in them that gets proved without revealing it. The article makes no mention of it. Its called "active authentication", RSA labs has been writing about it [iacr.org] for years. The US and many others are supposed to require it. IIRC it is done by having the passport sign a challenge with a secret key or something like that.

The only way to get to a secret in the chip would be to really mess with the chip, acids, electron microscopes, side channels, the article mention just "reading" it.

The RFID tag is supposed to tamper resistant. That is, it is supposed to forget whatever secrets it holds if it detects any attempt to tamper with the chip. One manufacturer advertises with [philips.com] voltage, frequency, temperature and light sensors.

Philips also appears quite serious about preventing side channel analysis [utwente.nl] attacks as well.

Now I have the impression that the whole point of standardizing on complex contactless cards was to keep little players out of the market. (RFID is covered by several patents and hard to implement power efficiently without serious fabrication facilities) The only excuse I heard for requiring contactless cards was that it somehow saved time standardizing the readers....

This is why I would expect other big manufacturers to have done their homework as well.

Is there a chance this attack only clones the parts that are supposed to be readily accessible? Fooling a reader without the "active authentication" is easy. And since a reader would need a government public key I guess getting a reader with it would be a little harder than just buying one.

(Also the Basic Access Control feature sucks. With moderate computing power you can understand the communication between passport and reader at an airport without seeing the passport.)

Active Authentication (3, Informative)

Anonymous Coward | more than 7 years ago | (#15840102)

The German passports do not employ the optional active authentication standard as specified by ICAO. Active authentication means that there is a private key within the passport. This private key can be used in a challenge-response authentication of the passport chip. The public key itself is stored in a data group on the passport, which is protected against alteration in the same way the biometric data is protected against alteration (a digital signature from the state).

Nobody seems bothered to even *look* at the ICAO specifications, including 100% of the previous responses on e-Passports on slashdot. Why the hell should politicians even bother with citizens if not even the technological top 1% takes an interest?

http://www.icao.int/mrtd/download/documents/TR-PKI %20mrtds%20ICC%20read-only%20access%20v1_1.pdf [icao.int]

Check out chapter 2.3.2, 3.2.2, Annex D, Annex G.1.2

Terrorist activity (1)

Big Nothing (229456) | more than 7 years ago | (#15840224)

Obviously, mr. Grunwald is a terrorist and will be detained within short. The rest of us are better off looking the other way.

Yes, that means you!

RFID...I'd like to know.... (1)

Slashdot Junky (265039) | more than 7 years ago | (#15840381)

Hey,

RFID seems to get nothing but bad press. Security is a huge problem with RFID, and it use in retail for price tags seems to be a huge problem as well. I'd like to know where it's being used or could be use where it's apparent flaws have not impact.

Later,
-Slashdot Junky
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...