E-Passport Cloned In Five Minutes

kdawson posted more than 7 years ago | from the if-more-proof-were-needed dept.

Privacy 259

Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."

259 comments

Well then, (5, Insightful)

QuantumG (50515) | more than 7 years ago | (#17281836)

"It is hard to see why anyone would want to access the information on the chip."
I guess that's what they call a failure of imagination.

Re:Well then, (5, Insightful)

l2718 (514756) | more than 7 years ago | (#17281904)

Well, it's true that if you already possess a passport and want to copy it, it's essentially the same problem with and without an RFID. It's also true that the RFID chip does stop the basic hack of replacing the photo in the passport (since the data on the chip is presumably read-only, and the chip can't be replaced without mutilating the passport). I think what the esteemed spokesman missed is the privacy implications (I can now read your passport without your knowledge). In particular, you can clone these passports without actually holding the original. In the past to clone a passport you needed the co-operation of its owner (if you steal a passport it's known to be stolen). Now you can make your own sure-to-be valid passport by just stepping into the airport and choosing an appropriate victim (someone who looks like you, perhaps?).

Re:Well then, (-1)

Anonymous Coward | more than 7 years ago | (#17282318)

I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

Re:Well then, (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17282410)

Holy shit. I haven't seen this piece of misinformation in two years.

Re:Well then, (1, Informative)

ChowRiit (939581) | more than 7 years ago | (#17281980)

RTFA: The chip contains no information not in the passport, and as the chip can't be cloned remotely, you'd have the passport in order to clone the chip.

Re:Well then, (4, Insightful)

nonlnear (893672) | more than 7 years ago | (#17282328)

UYFB (Use Your F***ing Brain): Do you want all the info on your passport's personal details page readable by absolutely everyone you walk by?

Passport cloning isn't even the primary security concern here. Cloning a passport has become no harder or easier thanks to RFID. But Identity theft will become much much easier.

Then why put it on? (0)

Anonymous Coward | more than 7 years ago | (#17281984)

Would seem a logical question ...

Re:Then why put it on? (4, Insightful)

Schraegstrichpunkt (931443) | more than 7 years ago | (#17282476)

Simple: Now you can be blamed for crimes committed with a clone of your passport, because obviously such passports are impossible to clone.

Re:Well then, (4, Insightful)

Zemran (3101) | more than 7 years ago | (#17282202)

"It is hard to see why anyone would want to access the information on the chip."

Just like it is hard to see why anyone would want to blow up an aircraft? I think that people are still thinking within the sandbox and not realising that the real risk is what we have not yet thought of. There will be lots of reasons to want to access the information and to change it or learn to create false IDs that Joe Average security assumes to be valid because it is state of the art.

Re:Well then, (1)

pilgrim23 (716938) | more than 7 years ago | (#17282322)

Well thank goodness! and here I was worried that the cost of fake paper was going to climb out of the range of the petty crook. I want to thank the developers and the bone heads in government for insuring the future of honest crooks.

Was the Home Office spokesman an idiot? (4, Insightful)

Salvance (1014001) | more than 7 years ago | (#17281838)

"It is hard to see why anyone would want to access the information on the chip." Hmmm... it's also hard to see why anyone would want my credit card information, SSN, address, etc. I'm sure nobody really wants to know any personal information about me at all, and I'm sure nobody would ever want to forge any of my identifying documentation.

Something is just wrong with the UK's Home Office. Today I read that they will now classify panty thieves as sex offenders [sundaymirror.co.uk], receiving the same long-term classification on the sex offenders' registry as child abusers, rapists, and child pornographers.

and if your name is written on said panties (2, Funny)

EmbeddedJanitor (597831) | more than 7 years ago | (#17281884)

it is also identity theft.

Re:and if your name is written on said panties (5, Funny)

prichardson (603676) | more than 7 years ago | (#17281952)

If my name is written on someone else's panties, I demand to know why!

ob Simpsons:
Skinner: Oh, it's a miracle no one was hurt.
Otto: I stand on my record - fifteen crashes and not a single fatality!
Lou: Let's see your license, pal.
Otto: No can do. Never got one. But, if you need proof of my identity, I wrote my name on my underwear... Oh wait, these aren't mine!
Skinner: Well that tears it! Until you get a license and wear your own underwear, mister, you are suspended without pay!

Re:Was the Home Office spokesman an idiot? (0, Flamebait)

Miseph (979059) | more than 7 years ago | (#17282110)

Something is just wrong with the UK's Home Office. Today I read that they will now classify panty thieves as sex offenders, receiving the same long-term classification on the sex offenders' registry as child abusers, rapists, and child pornographers.


That's because stealing panties is a classic sign of a real sex offender getting up the courage to do something more serious. Unless I'm mistaken, and the purpose of this is to go after girls who steal from Victoria's Secret... but somehow I think not.

Re:Was the Home Office spokesman an idiot? (0)

Anonymous Coward | more than 7 years ago | (#17282182)

the purpose of this is to go after girls who steal from Victoria's Secret... but somehow I think not.

No, the purpose of this is to have a bigger book to throw at people who rob houses. Can the lady of the house remember how many pairs she had? No? Well, then the guy MUST have stolen some, let's make him a sex offender on top of all the other little crimes we're tagging him with!

Once upon a time punishment was supposed to fit the crime, at this rate, how long before we start executing people for coughing during a movie?

Re:Was the Home Office spokesman an idiot? (1)

painkillr (33398) | more than 7 years ago | (#17282348)

the conviction would be contingent on the thief being caught w/ the panties

Re:Was the Home Office spokesman an idiot? (4, Insightful)

LordLucless (582312) | more than 7 years ago | (#17282592)

Awesome. Let's book kids who sneak some booze when they're underage with the same charge as heroin dealers. They're probably just building up the courage to do something more serious. Of course, there's always the whacky notion that the punishment should fit the crime that was actually committed rather than what we think they might do in the future.

Re:Was the Home Office spokesman an idiot? (3, Insightful)

oohshiny (998054) | more than 7 years ago | (#17282624)

That's because stealing panties is a classic sign of a real sex offender getting up the courage to do something more serious.

Says who? You? Heck, why don't we start arresting people for thought crimes, then?

In a nation of laws, people get punished for what they actually do, not for some prediction of what they might or might not do in the future. Apparently, you prefer to live in a totalitarian nation, in which the state can charge anybody with absolutely anything if they just so please.

Re:Was the Home Office spokesman an idiot? (0, Offtopic)

nemoyspruce (1007869) | more than 7 years ago | (#17282724)

"Says who? You? Heck, why don't we start arresting people for thought crimes, then? In a nation of laws, people get punished for what they actually do, not for some prediction of what they might or might not do in the future. Apparently, you prefer to live in a totalitarian nation, in which the state can charge anybody with absolutely anything if they just so please."
Yeah! Apparently YOU don't deserve to be TIME person of the year! oh, was that in another thread..damn.

Re:Was the Home Office spokesman an idiot? (0, Flamebait)

ronanbear (924575) | more than 7 years ago | (#17282150)

Today I read that they will now classify panty thieves as sex offenders [sundaymirror.co.uk], receiving the same long-term classification on the sex offenders' registry as child abusers, rapists, and child pornographers.
Actually that's done with good reason. They are sex offenders and there is a high enough instance of such offenders going on to commit more serious offences to warrant classifying them as high risk. As such they shouldn't be allowed to hold jobs which give them unsupervised access to and influence over children. The sex offenders register is not about (and should never be about punishment). It's about protection. Keeps high risk individuals out of high risk occupations. It's the same as not wanting people with a criminal record in the police force. You want to be able to trust your policemen to be able to abide by the law, it's paramount. If you want to trust your children, the most precious thing you have, to someone then you don't want them to have ANY record.

Re:Was the Home Office spokesman an idiot? (1, Insightful)

sedmonds (94908) | more than 7 years ago | (#17282226)

You want to be able to trust your policemen to be able to abide by the law, it's paramount.


I don't know where you live, but I trust the police here about as far as I can throw them. I'll accept that most police are probably perfectly trustworthy as individuals, but it doesn't take many bad seeds to make the whole group untrustworthy. You just don't know if you're getting one of the 90 good ones, or one of the 10 lemons.

Based on the "thin blue line" good ol' boys club that protects police from being held accountable for anything from traffic violations to premeditated murder, and the number of flagrant abuses of power by police that appear in reputable news sources, I don't trust policemen. Even if 90% of them are trustworthy as individuals, when they protect criminals in uniform they are no longer trustworthy as a group.

Re:Was the Home Office spokesman an idiot? (1)

ronanbear (924575) | more than 7 years ago | (#17282286)

True. Now imagine how much worse it would be if they were criminals before they joined. In theory they're already law-abiding when they start. If you don't think the standard is high enough now then imagine if it were to be lowered.

Re:Was the Home Office spokesman an idiot? (3, Funny)

Lord Bitman (95493) | more than 7 years ago | (#17282280)

Those are the longest leaps of logic I've seen since "I don't know where the universe came from" -> "God must have done it". Impressive.

Re:Was the Home Office spokesman an idiot? (0, Offtopic)

Fulcrum of Evil (560260) | more than 7 years ago | (#17282444)

As such they shouldn't be allowed to hold jobs which give them unsupervised access to and influence over children.

Why? These are sex offenders, which is different from pedophiles. Why would a rapist be interested in your kids?

Re:Was the Home Office spokesman an idiot? (4, Insightful)

timmarhy (659436) | more than 7 years ago | (#17282472)

what a fucking crock of shit. someone stealing a woman's underwear off the line is a LONG jump to being a pedo. what possible connection can there be between a weirdo taking an adult woman's underwear and them being sexually attracted to children? that's right there isn't. it's same bogus thinking that links homosexuals to pedo. and that crap has been debunked for decades. oh and as for your "it's about protection" argument, yeah they will take your liberty all the while softly whispering in your ear "it's for your protection"

Re:Was the Home Office spokesman an idiot? (0)

Vegeta99 (219501) | more than 7 years ago | (#17282598)

Did you actually do a sociological study, or did you just pull that assumption out of your twisted panties?

Oh, ok.

Not saying that Home Office did either, tho.

Re:Was the Home Office spokesman an idiot? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17282760)

It is up to the person who makes the positive claim to provide evidence for his claim. The positive claim here is that those who engage in theft of undergarments are also likely pedophiles. The negative claim here is that an overlap between these two separate populations has not been shown.

In closing, take your smug 'you don't know, you're just guessing' and learn what the burden of proof fallacy is and why it is a fallacy [google.com] .

Re:Was the Home Office spokesman an idiot? (1)

oohshiny (998054) | more than 7 years ago | (#17282600)

They are sex offenders and there is a high enough instance of such offenders going on to commit more serious offences to warrant classifying them as high risk.

Says who? Paranoid politicians bent on reelection through spreading fear? Police chiefs who want more power?

If you want to trust your children, the most precious thing you have, to someone then you don't want them to have ANY record.

You also have a responsibility: not to turn your children into paranoid imbeciles before loosing them on society, and it looks to me like you're failing. Besides, under what circumstances do you have to "trust" your children to anyone? Both my parents were working, but growing up, I don't remember ever being left in the care of any strangers in situations where I could have been abused or harmed. Maybe you're simply a bad parent.

And maybe we should throw constitutional rights out the window for the sake of the children and take away all children from their parents at birth; after all, a large percentage of child abuse and molestation happens at the hands of family members. Think of the children! We need to protect them from this danger!

Re:Was the Home Office spokesman an idiot? (4, Insightful)

RexRhino (769423) | more than 7 years ago | (#17282840)

This is absolute bullshit. There has been absolutely no research to determine if an 18 year old who has sex with a 17 year old classmate, or a guy streaking as part of a college fraternity prank, or a guy who has consensual sex with other adult men in a public-park lavatory, or the couple who park up on "lovers lane" to have sex, or a married couple who has oral sex in Arkansas, or the 90% of "sex offenders" who never did anything that wouldn't be legal or a misdemeanor if they were only done in San Francisco or Amsterdam, are likely to do anything!

Only a tiny fraction of the people who are being branded second class citizens for life, and being subjected to a lifetime of harassment and violence at the hands of vigilantes, did anything remotely like rape or molestation. Most committed only voluntary, consensual sex acts with people their own age.

Sex offender lists, and their sister paranoia law enforcement, Do Not Fly list, are part of our society's current irrational, paranoid, fear of boogie men - being afraid of sex offenders or terrorists depending on where you live and your political beliefs. Personally, I am far more disturbed by the people who believe their friends or neighbors are all devious sexual predators lurking to rape their kids - If anything I would be far more worried about the guy who is constantly paranoid of sex offenders (ala Mark Foley), than I would the college football players who get arrested doing a panty raid on the girls sorority. Or I would be far more frightened of the people who think everyone named "Mohammed" may be a terrorist, than I would be of someone named "Mohammed" sitting next to me on a plane.

Maybe read Arthur Miller's "The Crucible" ( http://en.wikipedia.org/wiki/The_Crucible [wikipedia.org] ) to get a good idea of the sort of Moral Panic ( http://en.wikipedia.org/wiki/Moral_panic [wikipedia.org] ) our society is in today.

Re:Was the Home Office spokesman an idiot? (4, Funny)

Dunbal (464142) | more than 7 years ago | (#17282172)

they will now classify panty thieves as sex offenders

      Thank God stealing a bra is still ok...I was worried for a second there.

Re:Was the Home Office spokesman an idiot? (2, Funny)

StikyPad (445176) | more than 7 years ago | (#17282704)

In related news, the number of women on the sex offender list has skyrocketed due in part to a crackdown on shoplifting at Victoria's Secret.

In other news, bureaucrats develop sentience (4, Insightful)

zuki (845560) | more than 7 years ago | (#17281906)

As it may be, the people in charge of budgetary approval for the programs which put all of these RFID solutions into place will steadfastly deny that anything is wrong until they are forced to do so, as agreeing that those are potentially high security risks would otherwise equate it with having to backtrack on what they previously approved, even though they were amply forewarned by many in the security-related field.

It's really about not losing face at any cost, lest people start questioning other methods they employ.

Human nature, really. Look no further than the voting machines controversy for parallels here in the US.

Z.

At least they can publish this... (5, Interesting)

rrohbeck (944847) | more than 7 years ago | (#17281914)

Now another researcher has shown how to clone a European e-Passport in under 5 minutes.

Thanks to a software he himself has developed, called RFdump, he downloads the passport's data onto his computer and then onto a blank chip.


How long would it take for some 3 letter agency to show up at their door in the US?

Re:At least they can publish this... (0)

Anonymous Coward | more than 7 years ago | (#17281932)

~5min I would think.

Re:At least they can publish this... (1)

Nasajin (967925) | more than 7 years ago | (#17281942)

How long would it take for some 3 letter agency to show up at their door in the US?
If the computer's not connected to the net, then never.

Re:At least they can publish this... (1)

DigitAl56K (805623) | more than 7 years ago | (#17282460)

Why would they bother? The details of the encryption are already public. This guy announced that he wrote some code to do it. How many other people with perhaps more sinister intent have already done the same unannounced?

RFID is not for security (0)

BadAnalogyGuy (945258) | more than 7 years ago | (#17281922)

It is merely an electronic mechanism that replaces error-prone human readers with electronic systems that can read the same information into a computer system and automatically link the information with a database for easy identification of possible problems.

No one has shown that the passport can be forged. No one has shown that the RFID on the passport can be overwritten. No one has shown that an agent who receives a cloned passport can't tell it from an official one. The RFID itself doesn't contain any information that wouldn't be accessible by simply reading the passport.

RFID does not enhance security in any way, but it does not detract from security in any way either. It is simply part of the progression of technology from an error-prone human system to a reliable electronic system.

Re:RFID is not for security (0)

Anonymous Coward | more than 7 years ago | (#17282106)

"reliable electronic system" is an oxymoron.

RFID is absolutely TERRIBLE for security (5, Insightful)

arete (170676) | more than 7 years ago | (#17282122)

RFID IDs are TERRIBLE for personal security, because it adds RANGE to detection and forgery. Parent post has ABSOLUTELY missed the point.

No one is claiming that magnetic stripes and/or bar codes are bad for security. In both cases they make it very marginally harder to copy and virtually eliminate data-entry errors. RFID has a BIG problem beyond that: It can be read without the knowledge of the holder.

No one can read the inside of my paper passport without me giving it to them - nor my magstripe nor bar code. I have complete control over who sees it. Sure, I might be conned into showing someone, but they have to con me. RFID means that:

1. They can copy my information without me ever showing it to them.
2. They can READ my information without me ever showing them, allowing them to identify me from a distance.
3. Even with a perfectly random RFID system, they can identify your nationality from afar, which obviously may make you a target in some circumstances.

To be SAFE, an RFID system must have a) zero emissions in the closed state (eg a tested foil cover) AND b) No non-random information broadcast from the chip. (that is, a random passportID that is broadcast that has NO other information until you look it up in the appropriate database.)

"b" is necessary because "a" alone still allows someone nearby you to snoop whenever you have to show your passport somewhere.

Re:RFID is absolutely TERRIBLE for security (3, Insightful)

complete loony (663508) | more than 7 years ago | (#17282266)

RFID in general could have even worse implications. Just picture the following:

- That person is carrying a passport
- Someone with a passport is probably a tourist
- A tourist would normally need to carry largish amounts of cash
- So let's mug them or double our prices.

If you're a tourist in another country, the LAST thing you would normally want to do is advertise that fact.

Re:RFID is absolutely TERRIBLE for security (1)

c_forq (924234) | more than 7 years ago | (#17282538)

If the passport cover was some sort of Faraday cage wouldn't this block remote reading unless it is open, or the foil like you pointed out? And if they put Faraday cages around areas where the chip is supposed to be read wouldn't this make attempted remote reading very suspicious? Would some system like this meet your approval?

Re:RFID is absolutely TERRIBLE for security (0)

Anonymous Coward | more than 7 years ago | (#17282602)

"b" is not really an option as what is an appropriate database and for whom?
I VERY much doubt that countries will be happy to transmit the details of EVERY passport holder to EVERY other country in the off chance that a passport holder will travel to that country.
Would you like all of your details transmitted to North Korea, Russia etc so that they can create their own database just so that you don't need to carry your own details with you when you travel?

Re:RFID is absolutely TERRIBLE for security (1)

RexRhino (769423) | more than 7 years ago | (#17282634)

Or, you could just store your passport in a metal case or wrap it in aluminum foil... problem solved!

Re:RFID is absolutely TERRIBLE for security (3, Informative)

bigberk (547360) | more than 7 years ago | (#17282854)

There is a serious misunderstanding of the technology, yes even among slashdot users. The problem is that the media and slashdot refer generically to 'rfid' when they talk about two different things:

1) Simple RFID chips that can be scanned and read by anyone
2) Contactless smart cards (ISO 14443 etc), with crypto

Both use the same frequency band and similar hardware, but they are different beasts: one has crypto and the other doth not.

Identity information can be put on a contactless smart card but depending on how it is implemented (hopefully securely) you probably will NEED A KEY otherwise the crypto will prevent access. Take a wireless payment card or credit card (#2 category) for example. You can't just read/dump the bank account numbers on it. There is a crypto protecting the data.

On the other hand, walmart uses the non-crypto rfid chips. Yes you can just read the info on them, there is no encryption.

So when you say "RFID is terrible for personal security" you're right, RFID (#1 above) is completely inappropriate for privacy. But contactless smart cards (#2 above) are totally appropriate, and the passports use #2

Re:RFID is not for security (1)

b0s0z0ku (752509) | more than 7 years ago | (#17282138)

No one has shown that the RFID on the passport can be overwritten.

Of course it can be. All you'd need to do would be to somehow zap the old RFID and attach another one in an inconspicuous fashion - possibly somehow inject it into the edge or the paperboard cover. Either that, or have a transmitter (concealed in a cell phone?) that happens to transmit the correct data at higher power when the passport is swiped. To activate it, pretend to scratch your leg.

But, same as before, the passport # keys to a database of passport data, so (at least some) immigration inspectors will be able to verify the authenticity of the thing to some extent at least.

-b.

Re:RFID is not for security (2, Interesting)

mabhatter654 (561290) | more than 7 years ago | (#17282316)

Sure it makes things wildly insecure. You know lazy tired TSA workers will only glance at the passport and just trust what the display says. The usefulness works like this... I'm an evil terrorist, I know I can't get on planes.... I can remotely grab another passenger's RFID tag in line at the boarding pass counter with a ticket on same flight I wish to perform evil deeds... even easier than pickpocketing!! Now I get THEIR pass info, forge my hacked RFID chip with their passport ID...it doesn't have to be a "real" ID chip, just report to the reader like one. remember, it will probably be in those little folders anyway... as long as the reader sees my hacked one first, and again the agent is too lazy to remove the document from its case and inspect the passport for tampering, I'm in with their ticket and ID...


Before the goons come to get me!! I'll say I know NOTHING about these new passports beyond what's on slashdot. I got no expertise in RFID beyond looking at it. A good security system should have something in place to prevent this sort of "cloning" attack... you'd hope like hell that somebody's thought about this!!! and they don't just send the goons to cover it up.. after all, that's the new policy for scientific reports now... and has been the policy for security reports since 9/11.

completely ignores the point (1)

spoco2 (322835) | more than 7 years ago | (#17281924)

"It is hard to see why anyone would want to access the information on the chip."
Even if the info on the chip is just the same as what's printed in plain sight as they say... it's still defeating one of the security measures in short shrift. How is that not a concern? The fact that the electronic portion of it can be read and copied without actually needing the item (just need to be near it) is a great concern.

Also, the article states that the key to some encrypted information on the chip is something that's printed, in plain sight, on the passport... oh man.

It's a scary world when those who are old and have little clue about technology (the politicians) are told they need a high tech solution to a security issue. They hear a buzzword (RFID) and tell their people "Get something that used RFID into market STAT!"

Plus, I bet they don't even know what STAT means.

Re:completely ignores the point (4, Insightful)

Dunbal (464142) | more than 7 years ago | (#17282048)

It's a scary world when those who are old and have little clue about technology (the politicians) are told they need a high tech solution to a security issue.

      Careful. The hippies used to complain about how all the old farts in power didn't have a clue back then. Now they're running things, and look where we are. I shudder to think about what the world will be like when it's YOUR turn...

Re:completely ignores the point (1)

spoco2 (322835) | more than 7 years ago | (#17282096)

The problem isn't so much the generation itself, but more so the people who end up being politicians.

As Billy Connolly so aptly said once "The desire to be a politician should automatically disqualify you from ever being one" (Quoted from memory, may be paraphrasing)

Re:completely ignores the point (0)

Anonymous Coward | more than 7 years ago | (#17282412)

Douglas Adams, not Billy Connolly.

Re:completely ignores the point (1)

spoco2 (322835) | more than 7 years ago | (#17282510)

Douglas Adams, not Billy Connolly.
 
Well, I saw Billy say it in a stand up performance (the one with his name in large pink letters behind him), and a quick check on the web for the quote finds it being attributed to him by all I come across.

Re:completely ignores the point (1)

Fastolfe (1470) | more than 7 years ago | (#17282682)

It's conceivable that both said the same thing, in their own way, with no influence from the other. From The Restaurant at the End of the Universe (emphasis mine):

The major problem—one of the major problems, for there are several—one of the many major problems with governing people is that of whom you get to do it; or rather of who manages to get people to let them do it to them.

To summarize: it is a well known fact, that those people who most want to rule people are, ipso facto, those least suited to do it. To summarize the summary: anyone who is capable of getting themselves made President should on no account be allowed to do the job. To summarize the summary of the summary: people are a problem.

Words of wisdom!

Re:completely ignores the point (1)

HappyEngineer (888000) | more than 7 years ago | (#17282702)

They both may have said it, but several variations on that quote were present in Hitchhiker's Guide to the Galaxy (and possibly a few of the other books in that series.).

See: http://www.quotationspage.com/quote/27540.html

Re:completely ignores the point (1)

mwillems (266506) | more than 7 years ago | (#17282564)

No, the hippies are NOT running things. I guess I am an aged hippie and if I were running things we would have a biometric/RFID passport when hell freezes over.

Re:completely ignores the point (2, Funny)

humungusfungus (81155) | more than 7 years ago | (#17282088)

Plus, I bet they don't even know what STAT means.

Of course they do, many of them are so old, Latin was probably their mother-tongue.

Re:completely ignores the point (1, Informative)

Anonymous Coward | more than 7 years ago | (#17282146)

Also, the article states that the key to some encrypted information on the chip is something that's printed, in plain sight, on the passport... oh man.

I'm no fan of the new passports, but if I understand it correctly ...

The passports are encrypted with a bunch of information which is printed on the passport (and probably in a barcode or some other machine readable format), yes. A few different items make up a key. The RFID chip doesn't automatically spit out the encrypted information when blindly queried, but only if presented with an request derived from the key data. So, it's not like you arbitrarily query passports in people's bags and crack the encypted response later, because it won't respond if you don't know the key. And guessing that key to get the data would involve you sitting next to the passport for a Long Time.

This key allows someone on a desk with visual access (and barcode reader or mag swipe) to the passport to query it by presenting the right key and thereby "verify" the passport with the info on the RFID.

Now it should be relatively (for clever crypto people) simple given this that someone can copy the passport (it would surprise me that the data was not signed by some PKI though) as they already know what the key is.

So anyway, that's why the key is based on printed info, and why you cannot read arbitrary passports without seeing them to get the key fields.

That's all down to my (incomplete) understanding of it based on watching a film with one of these crypto guys and some googling afterwards.

Re:completely ignores the point (1)

IWannaBeAnAC (653701) | more than 7 years ago | (#17282718)

See my other reply to the GP, the security hole is that the key is made up of information that is not single-purpose. The expiry date of your passport, your date of birth, and your passport number. None of these are particularly secret, and someone could obtain them without arousing any suspicion and read the passport from your pocket (or the envelope it was posted in....).

If, alternatively, the key was some random string that was ONLY used for the key, then (1) it wouldn't be possible to guess it without opening the passport, and (2) it would be hard for someone to get the key without attracting interest.

The receptionist at the youth hostel asking for your passport number, expiry and date of birth is not suspicious - indeed in some countries they are required to collect this information anyway. Then the bad guy doesn't even need to see your passport, it can be cloned while it remains in your back pocket. On the other hand, if the key was some random string then it would be a bit harder for the bad guy to obtain (although still not too hard).

The new passports probably make it very difficult, if not impossible, to copy/steal a passport and substitute a different photo. But it sounds like they are ridiculously easy to clone, so instead of taking at minimum a few minutes with physical access to the passport, it now takes a few seconds with a remote scanner. If the bad guys work somewhere where lots of people are passing by (the reception of a youth hostel, for instance!), they can just wait until someone goes by who looks similar to the person they want the fake passport for. This is much harder to detect.

I can see this as leading to a big push for more biometrics, in fact. "The terrorists have started cloning passports of similar looking people, to stop this we need to put your fingerprints and iris scan on the passport too!". Was this always the plan?

Re:completely ignores the point (2, Insightful)

IWannaBeAnAC (653701) | more than 7 years ago | (#17282218)

Well, the key needs to be printed somewhere on the passport.

The big, huge security hole though, is that the key is made up of the passport number, the date of birth of the holder, and the expiry date, none of which are hard to come by. For example, the postman delivering your new passport can probably find your date of birth (when did you last get a birthday card?), and can make a pretty good guess as to when it expires (10 years plus or minus a few days), so if he can guess what the passport number is, then he can read and clone your passport without even opening the envelope!

I don't know what idiot dreamed up using that particular data as the 'secret' key, they deserve to be shot. Why not make the key some random digit string, printed inside the passport in machine-readable text? Then it would at least be impossible to read the passport without opening it.
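The key material described in the comments above, worked through as an added example (not part of the thread or of any passport software): under ICAO Doc 9303 Basic Access Control the chip's access keys are derived from the document number, date of birth and expiry date, each with its check digit. The field values are constructed, and the candidate counts (9-digit numeric document numbers, 100 years of birth dates, a 10-year validity window, a one-week expiry guess) are assumptions chosen to compare that key's unpredictability with the random key the comment proposes.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeating


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: 0-9 as-is, A-Z = 10..35, filler '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch in "0123456789":
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"character {ch!r} is not valid in an MRZ field")
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_key_material(doc_number: str, birth: str, expiry: str) -> str:
    """Concatenate the three printed fields, each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")  # short numbers are padded with '<'
    return "".join(f + str(check_digit(f)) for f in (doc_number, birth, expiry))


def key_seed(material: str) -> bytes:
    """Key seed: first 16 bytes of SHA-1 over the MRZ-derived string.

    Nothing secret enters the hash, so the seed is only as unpredictable
    as the three printed fields themselves.
    """
    return hashlib.sha1(material.encode("ascii")).digest()[:16]


def search_space_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """log2 of the number of candidate field combinations."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)


def scenarios() -> dict:
    """Unpredictability of the key, in bits, under the labelled assumptions."""
    doc_numbers = 10 ** 9      # assumption: 9-digit, purely numeric numbers
    birth_dates = 100 * 365    # assumption: holder is under 100 years old
    expiry_dates = 10 * 365    # assumption: 10-year validity window
    return {
        "nothing_known": search_space_bits(doc_numbers, birth_dates, expiry_dates),
        # The postman case: birth date known, expiry guessed to within a week.
        "birth_known_expiry_week": search_space_bits(doc_numbers, 1, 7),
        # The hostel-desk case: all three fields were handed over once.
        "all_fields_seen": search_space_bits(1, 1, 1),
        # The proposal: a random key printed only inside the passport.
        "random_128_bit_key": 128.0,
    }


if __name__ == "__main__":
    # Constructed sample fields (YYMMDD dates), not taken from a real document.
    material = mrz_key_material("123456789", "800101", "161215")
    print("key material:", material)
    print("key seed    :", key_seed(material).hex())
    for name, bits in scenarios().items():
        print(f"{name:26s} {bits:6.1f} bits")
```

Sequentially issued document numbers, or numbers correlated with the issue date, would shrink the first two figures further.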

Re:completely ignores the point (2, Insightful)

Fastolfe (1470) | more than 7 years ago | (#17282752)

Why not make the key some random digit string, printed inside the passport in machine-readable text? Then it would at least be impossible to read the passport without opening it.

Off the top of my head (might be missing something obvious), by forcing the key to be made up of useful data, it becomes impossible to divorce the key from the holder's identifying information, as printed on the passport. By requiring the operator to enter the user's data as part of the key to decode the electronic data, it sort of requires that the printed data match the electronic data. Without this check, the operator would have to visually compare the two, which might make it slightly easier to attempt low-tech forgeries where the information doesn't actually match.

Of course, even if that were one of their reasons behind the design, that wouldn't excuse them from not mixing the passport holder's data with a random number in the manner you suggest.

Re:completely ignores the point (1)

IWannaBeAnAC (653701) | more than 7 years ago | (#17282798)

The operator will never normally need to enter the data, it is in the machine-readable (optical) section of the passport.

Open Rights Group - Biometric passport (4, Informative)

rimberg (133307) | more than 7 years ago | (#17281938)

The Open Rights Group [openrightsgroup.org] (Think UK EFF) have a wiki page that provides more information on this and other issues with the British Biometric Passport [openrightsgroup.org]. The European version of the biometric passport is planned to have digital imaging and fingerprint scan biometrics placed on the Radio Frequency chip. The government of UK thinks that the public has a negative opinion of RFID chips so instead they call it a contactless chip.

Re:Open Rights Group - Biometric passport (2, Interesting)

bigberk (547360) | more than 7 years ago | (#17282896)

There is a huge difference between "RFID chips" and "contactless smart cards"! They both use the same frequency band and similar communication protocols, but RFID chips have no crypto while contactless smart cards have all the AES, MAC, etc. stuff plus secure filesystem storage.

There is a huge difference, I keep posting this but nobody seems to get the point: the walmart RFID chips have zero crypto, but the passport, payment cards have a ton of crypto. You can't just dump their contents.

The government calls them contactless smart cards because that is what they are, of course the media and everyone else uses the blanket term "RFID" to refer to all of it and works themselves up into a frenzy while not understanding the characteristics of the technology.

This is all FUD (1)

goldcd (587052) | more than 7 years ago | (#17281964)

Yes I'm sure it's not very hard to 'read' what's stored on the Passport - but then it's never been very hard to visually look at it and read the paper - god knows how many photocopies there are of my passport in hotels and car-rentals across the planet.
The point of the RFID passport et al is to be able to verify it's genuine. You wave the passport at a border, it summons the electronic version and a check can be made that they match - i.e. verifies that somebody hasn't inserted an alternate photo etc.
If the RFID is just containing a serial number - then why not just use a barcode etc. If passport is broadcasting full details including photos, then the crack that's interesting is if somebody concocts their own passport - and then gets it recognized as a fully signed valid one.
Seeing as most passport fraud is just a genuine one, obtained by a similar looking (or even using the photo of the person going to use it), non-travelling person - then all these schemes are pointless. The weakest link is right at the start with the passport application process. The person who issues your passport hasn't got the slightest clue who you are - and as passports by their very definition are international, if you have trouble getting one in one country, you can just try from another.

Re:This is all FUD (2, Interesting)

rrohbeck (944847) | more than 7 years ago | (#17282076)

but then it's never been very hard to visually look at it and read the paper

Not when it's in my pocket.

I can't believe how juicy this is. Imagine being able to get your dirty fingers on the theft prevention system at the doors of a department store. Just a slight modification of the frequency and code, and let the harvesting begin.

and at best you'll end up with thousands (2, Insightful)

goldcd (587052) | more than 7 years ago | (#17282104)

of copies of the id pages of passports - much the same as you'd have if you'd taken a summer job working for Hertz.

huh? (5, Insightful)

jshackney (99735) | more than 7 years ago | (#17281974)

It is hard to see why anyone would want to access the information on the chip.

If no one would want to access that information, then why is it on the chip? Why even bother with the chip? Why even bother with the information?

Re:huh? (1)

RexRhino (769423) | more than 7 years ago | (#17282620)

The information on the chip is just information that is already printed on the passport. Having an RFID chip, however, makes it easier to read into a computer. Normally a border guard has to manually type your passport information into a computer. If you have ever waited 20 minutes for a border guard who doesn't speak or write English, to type in your passport information (imagine if you were trying to type up someone's cyrillic passport) - A quick swipe of an RFID card would turn the process into a 2 second swipe.

HO: It's okay, the taxpayer pays for our failure (0)

Anonymous Coward | more than 7 years ago | (#17281988)

Almost every government IT project is a complete failure in the UK. Strike up another win for cronyism and public-private partnerships. At least seeing that smug criminal Tony Blair imprisoned will take our minds off of how totally fucked the UK is.

Could someone address the points raised? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17281990)

1. They claim that there is little useful on a passport's details page. Can someone confirm whether this is the case for the purposes of general information theft?

2. If the passport page contains anything useful, how easy or difficult will it be to get hold of this information? Can you stand next to someone in a queue and scan the passport in their carry bag, or do you actually need to hold it close? My ID card at work has an RFID chip, that works only at about 4cm.

3. Is it correct that forging RFID passports will be more difficult? Obviously, if you used to have to manufacture a passport or switch a picture, and you now need to _both_ do that _and_ insert or change an RFID chip, then that raises the bar. So the followups to this question are;

3a. Will passport controls be replaced by RFID scans, or in addition to? I would hardly think the former, but please inform.

3b. Is it possible to change the information on an RFID chip without actually having physical access to the circuitry? As in, are there read/write scanners so you can avoid having to manufacture a chip and replacing it in a passport?

If the answers to these are no, difficult, yes, in addition to and no/no, then I can certainly see it providing additional security. And vice versa. Someone in the know?

Re:Could someone address the points raised? (1)

b0s0z0ku (752509) | more than 7 years ago | (#17282164)

3. Is it correct that forging RFID passports will be more difficult? Obviously, if you used to have to manufacture a passport or switch a picture, and you now need to _both_ do that _and_ insert or change an RFID chip, then that raises the bar. So the followups to this question are;

Not really. I'm sure RFID writers are cheap enough for those who "need" them anyway to afford them. The biometrics afford the security. You could have (say) a retinal scan or a point map of a face saved in the RFID chip and encrypted with a private/public key algorithm. The agency encodes it with a private key in a secure location. Then they decrypt it with a public key. Without knowing the private key, it'll be harder (nothing is impossible) to alter the bio. data. Also, keep the *same* data in a database. Not all border posts will have connection to the database, but with those which do, you can use the passport number to pull the database contents to see if the passport has a valid record backing it.

-b.

Re:Could someone address the points raised? (1)

b0s0z0ku (752509) | more than 7 years ago | (#17282174)

3b. Is it possible to change the information on an RFID chip without actually having physical access to the circuitry?

With a skillful forgery or alteration, one could just insert a new chip, no?

-b.

And the problem is... (2, Interesting)

b0s0z0ku (752509) | more than 7 years ago | (#17282102)

How is this different than Xeroxing a 2D barcode? Isn't that why there's biometric data on the passport and a digitally encoded photo - to render it useless even when cloned? Not to mention that the passport # *could* key to a database with the same data for verification purposes - the database should also contain records of passport #'s invalidated due to theft, cloning, or whatever. The data on the RFID chip is *meant* to be read. Rerecording the bitstream is a trivial exercise.

Cheers,
-b.

Or maybe there should be no database? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17282376)

The answer isn't to come up with some elaborate system like you propose. That's the worst thing to do. The real solution is to ditch these stupid passport schemes.

Passports and other pieces of identification never bring a nation security or safety. The best way to remain safe is to avoid alienating those who could bring you harm. And yes, that means staying out of the affairs of regions on the other side of the world.

Re:Or maybe there should be no database? (2)

b0s0z0ku (752509) | more than 7 years ago | (#17282430)

Passports and other pieces of identification never bring a nation security or safety.

Ok, but the fact is that we *already* have a lot of pissed-off people wanting to fuck the "West" in any way they can. We do want to prevent them from entering our countries and doing harm. Far better to stop them at the borders rather than enacting Draconian *internal* security measures to protect against terrorism. And, BTW, there's already a database of passport data (at least in the US) - even in the 80s when I was traveling with my family as a kid, I remember seeing the passport inspectors at JFK keying passport numbers into a terminal.

From a privacy standpoint, a robust passport security system is at the very bottom of my list of worries, as long as the passport is only used as a legitimation for foreign travel.

-b.

Re:Or maybe there should be no database? (0)

Anonymous Coward | more than 7 years ago | (#17282874)

We do want to prevent them from entering our countries and doing harm. Far better to stop them at the borders rather than enacting Draconian *internal* security measures to protect against terrorism.

I don't disagree. That's an ideal situation. But again, passports and other forms of identification are worthless at doing that. We all saw how useless they were a little over five years ago. If somebody wants to get into a nation, they will, regardless of whether or not they're carrying a (real or fake) passport.

Of course, what we see here in Britain is exactly what you're striving to avoid. We not only try to pointlessly rely on a passport system for security, but we now have the Draconian ID cards being proposed. It's only a matter of time before such crap arises in America, if it hasn't already.

Breaking news... (1)

neax (961176) | more than 7 years ago | (#17282152)

....in further breaking news: "...we would like to encourage the terrorist tourism trade to the UK; why would they cause any problems?"

If this happened in the 3rd world... (1)

bogaboga (793279) | more than 7 years ago | (#17282178)

If this happened in the 3rd world, those in countries like these (the 1st world) would say:

"What do you expect?" "It's the 3rd world."

They need more "technical assistance" from us who are more developed.

But I am not surprised, after all the US, which is the "most technically advanced" country in the world, cannot secure its borders. But is it?

Re:If this happened in the 3rd world... (1)

Vegeta99 (219501) | more than 7 years ago | (#17282542)

Actually, the United Kingdom Home Office isn't in the United States.

I knew that, and I'm from Pennsyltucky!

The Solution is Obvious (4, Funny)

serutan (259622) | more than 7 years ago | (#17282204)

Throw the researchers in jail for showing the weakness in the system. Problem solved!

Re:The Solution is Obvious (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17282422)

Hackers, not "researchers". Calling hackers researchers dirties the title.

why indeed? (3, Insightful)

dredson (620914) | more than 7 years ago | (#17282220)

"It is hard to see why anyone would want to access the information on the chip."
If that's true, then why use a chip at all?

a simple way to correct cluelessness (2, Informative)

spasm (79260) | more than 7 years ago | (#17282242)

"It is hard to see why anyone would want to access the information on the chip."

I think it's time someone cloned his passport and got busted importing drugs or weaponry or child porn or similar while on that passport. Hell, he's probably got a diplomatic passport == no search. Pure gold to anyone wanting to move anything *really* profitable.

Re:a simple way to correct cluelessness (1)

b0s0z0ku (752509) | more than 7 years ago | (#17282474)

I think it's time someone cloned his passport and got busted importing drugs or weaponry or child porn or similar while on that passport.

Isn't that the point of the biometric data/electronic photo - to make cloning the passport more difficult since the data in the chip has to match the person? If the bio. data is encrypted with a private key, the forger would have to know that key before forging the passport. They could even use, say, 10,000 different private keys to encrypt depending on the value of a hash of birth year, eye color, height, name, etc, so that one private key leaking won't spoil security for everyone's passport.

-b.

yes minister ... (1)

petes_PoV (912422) | more than 7 years ago | (#17282324)

.... was the name of a very funny tv series during the 80s. Its main characters were a clueless minister of state and his conniving private secretary.

This answer "...it's hard to see why...." is a line right out of this show. It doesn't say that the information is worthless, nor does it criticise e-passports for being insecure. Instead it says that the spokesman found something (irrelevant) hard to imagine. That's something completely different.

A masterpiece of misdirection, IMHO and just illustrates how hard it is to get a straight answer out of the b@$+@%ds

6 years ago... (1)

Potatomasher (798018) | more than 7 years ago | (#17282368)

I'm sure people were wondering "why would you want to fly planes into buildings?"

Re:6 years ago... (0)

Anonymous Coward | more than 7 years ago | (#17282470)

All of the 9/11 hijackers had valid passports. On topic, but the post seems to miss the point about all-too-easy passport creation.

Tinfoil (2, Informative)

Shadyman (939863) | more than 7 years ago | (#17282384)

You can always get one of these [difrwear.com] or just wrap your passport in tinfoil.

BRB, I'm making a tinfoil hat for my passport, so it matches mine.

encrypted data is printed on the passport anyway (1)

fihzy (214410) | more than 7 years ago | (#17282398)

The various articles seem to suggest that the data accessible on the RFID chip is actually printed on the passport anyway. So what's the big deal? For anyone sufficiently inclined to obtain the data they could simply open your passport and read it. Granted the chip makes it easier to obtain this "sensitive" data, but to own and operate the technology to achieve this seems to be no less complex than having a $20 pick-pocket help you get it. In addition, who cares whether it can be copied to another RFID chip? To make that "cloned" data useful, the actual physical passport still needs to be adequately forged and that's not trivial. This "hack" does not seem to have a negative impact on the security of passports. Sure, it doesn't advance their security any, but neither does it detract from it?

Re:encrypted data is printed on the passport anywa (1)

RuBLed (995686) | more than 7 years ago | (#17282450)

It might not be that big of a deal but the very idea is disturbing. Sure, one could get the data by hiring a pickpocket but that is more troublesome given the fact that the passport holder would surely know that his/her passport was missing and would give warnings/alerts to ensure that it would not be misused. But now, you only need to set up a clever RFID reader/scanner and just sit beside the person. That person would never know what hit him. If someone gets any data from one's passport, that doesn't necessarily mean they would use that to create another passport. Whatever is in that chip could be used for other purposes.

Re:encrypted data is printed on the passport anywa (1)

BrianRoach (614397) | more than 7 years ago | (#17282492)

"but to own and operate the technology to achieve this seems to be no less complex than having a $20 pick-pocket help you get it."

Do you travel? I ask because I do, and I would like to see a "$20 pick-pocket" take my passport. I don't exactly carry it where this would be possible. And when I'm not carrying it, it's usually in a hotel safe. I tend to want to be able to get back into my country, so I'm careful like that.

Putting an RFID chip on it changes this game. Unless I have a cage around it, the inside pocket of my jacket and the hotel safe no longer provide any security for the information contained therein.

And the idea that "The information printed on the passport is the same" doesn't really hold water. People doing menial jobs are, generally, lazy/inattentive. For example, my wife and I have credit cards that are the kind with your photograph printed on them. I've tried this a number of times (because I'm silly like that), and it has only failed once - I'll take her card and use it (without her with me or in view). Except for *one* time, I've never had a problem using her card. Never mind that the picture on it obviously isn't me, the name on the card isn't right, and the signature certainly doesn't match.

The only way this passport RFID thing would work is if they actually came up with a worldwide system and simply encoded an ID number into the passport. You wave your passport in front of the reader, and up on the computer screen pops your picture, info, etc from the database. The passport simply becomes a record number, with no actual information on/in it.

Of course, this also assumes a computer/database/network system that can not be hacked ... but considering we have this with the banking systems (for the most part), this is not exactly an impossible task.

- Roach

The proper response is... (5, Insightful)

Todd Knarr (15451) | more than 7 years ago | (#17282402)

The proper response to that spokesman is "Well then, you won't mind lending us your passport for a minute, so we can copy it and put copies on sale in <district with notorious reputation>, will you?".

Some politicians simply need the problem made their personal problem before they'll see it.

You know who is to blame here? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17282526)

GEORGE BUSH!

How about a switch (2, Interesting)

phlipped (954058) | more than 7 years ago | (#17282690)

How about having an electronic switch built in to the passport, so that the chip only works when someone holding it wants it to work. For example, you could set it up so that the chip only works when the passport is opened flat on the details page at the front.

I can't imagine it being that hard in theory, although devising a reliable and rugged switch may be a bit more challenging.

Still, I bet it could be done, and it pretty much eliminates all the concerns about people reading the chip without your permission.