RFID Passports Cloned Without Opening the Package

Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."

Ohhh

[by Anonymous Coward]

10 seconds in the microwave sounds about right!

Re:

[mdm-adph (1030332)]

I've heard smashing it with a hammer works just as well, and it doesn't invalidate the passport. Someone correct me if I'm wrong about this!

Re:Ohhh

[db32 (862117)]

Temporal hammer? You would have to smash it before you get it.

Re:

[kpainter (901021)]

That sounds like an excellent idea to me, seriously. I wonder what the effect of doing that would be on the user though?

Re:Ohhh

[Sunburnt (890890)]

Not sure about the effects on a UK passport holder, but you can still use [state.gov] a U.S. passport if the RFID is disabled. The only advantage of having one seems to be shorter lines at Immigration. (Which isn't true yet, at least at LAX as of two weeks ago. They're probably waiting for more people to get the new passports before they set up the equipment.)

Re:Ohhh

[misterhypno (978442)]

It doesn't matter if YOU disable the chip, because it can be cloned BEFORE THE OWNER EVER GETS THE FRENORKING THING!!

If you read the article, the cloning took place while it was IN TRANSIT TO the intended receipient - which means that ANYONE getting a Passport through the mail could have their Passport cloned BEFORE they ever GET it.

Without the package that the Passport is shipped in EVER BEING OPENED!

Try reading for content next time.

So, even if you disable the RFID after you GET it, the thing has been compromised BEFORE you ever get your hands ON it!

RFID = Real Fast Identity Destruction... courtesy of Homeland Security and the rest of the paranoids who don't understand technology up on the Hill who probably think that RFID is "totally tubular, man! Like the internets!"

And I will bet long odds that this post gets me audited - again - too.

Re:Ohhh

[Clazzy (958719)]

I can see it now, get an RFID-enabled passport and get a tin foil hat for free!

Does anyone remember Press Your Luck?

[Aurelfell (520560)]

It was the game show with the Whammies that stole your money. As I recall, there was a guy who watched the show long enough that he figured out a pattern that would let him win every time. He played for like three days, and won a crazy amount of money. The show went of the air, but I remember reading that the programmers who created the game board offered to make it 'true random' for another $600, and the network refused to pay it.

This article reminds me of that story.

Re:Does anyone remember Press Your Luck?

[rufey (683902)]

Yes, this really did happen on Press Your Luck. The contestant was Michael Larson. He had spent quite a bit of time before appearing on the show analyzing how the different squares on the board flashed and in what sequence. He managed to win over $100,000 USD on the show.

More can be found at Snopes [snopes.com] and at Wikipedia [wikipedia.org].

Re:

[GizmoToy (450886)]

I'd never heard of that story before. I looked it up, and it turns out it was pretty interesting. I used to watch that show long ago.

Thanks for the tip!

Re:

[BarryJacobsen (526926)]

Off the topic of TFA, more info relating to Michael Larson (the PYL contestant mentioned in the post above) http://en.wikipedia.org/wiki/Press_Your_Luck#Micha el_Larson [wikipedia.org] and http://gscentral.net/larsen.htm [gscentral.net]

Packaging

[Radon360 (951529)]

I guess they should have considered mailing them inside a sealed aluminum foil pouch inside the envelope. Not that something like that would stop all of the other vulnerabilities, however.

Re:

[VorpalRodent (964940)]

In every article we've seen on this, there is always the discussion of the government's position of "no one can read it if it's closed". What happened to that? I don't recall my passport arriving opened inside the pouch.

This implies, at least to me, that there is no security whatsoever protecting it from being read, closed or open. Are we to believe that this is seriously the best that they could come up with?

Re:Packaging

[Sunburnt (890890)]

In every article we've seen on this, there is always the discussion of the government's position of "no one can read it if it's closed". What happened to that? I don't recall my passport arriving opened inside the pouch.

Mine did, actually, but the article is referring to the U.K. passports. Different kind of RFID on the U.S. models, and the cover is definitely a different (and thicker) material than the older passports.

Re:

[Billosaur (927319)]

I guess they should have considered mailing them inside a sealed aluminum foil pouch inside the envelope. Not that something like that would stop all of the other vulnerabilities, however.

Mmmmmmmmm... vacuum-packed for freshness!!

Same old Daily Mail

[goldaryn (834427)]

From the Daily Mail article: "More significantly, we had the details which would allow a fraudster, people trafficker or illegal immigrant* to set up a new life in Britain. The criminal could open a bank account, claim state benefits and undertake a myriad financial and legal transactions in someone else's name. "

So basically, exactly what goes on now, except for the new false sense of security. Great!

* I knew they'd bring this up

Re:Same old Daily Mail

[drinkypoo (153816)]

I knew they'd bring this up

You know, it's not just governments concerned about illegal immigration. It's residents, too. Illegal immigration does help keep prices low, but it also helps drive down wages by reducing the value of laborers.

As such, they would be remiss in not mentioning it, as it is of interest to their readership.

Re:Same old Daily Mail

[drinkypoo (153816)]

First off, you need to look at the jobs they do.

Having grown up in Santa Cruz, which is in a highly agricultural area, and now living in Kelseyville, which is/was the Pear capital of the world (lots of pears coming out and grapes going in these days though) I'm pretty highly aware of the jobs they do.

I do know that in the US, there are farms that can not get american laborers at over 10 bucks an hour with benefits.

What? That sentence doesn't really say anything. There are no farms, for example, that could not get American laborers at 30 bucks an hour. That's over 10 bucks an hour. Maybe we could revisit this point?

It's the type of work someone will do day in and day out when setting up a new life.

I'm not sure what that has to do with anything. Lots of people in the US need a new life, too.

So, that farmer cuold pay more, but they don't have the funds right now, and how much are we willing to buy a potato for?

Well, that's precisely my point. The farmer needs to charge more in order to pay more. As long as some employers are happy to hire illegals, they can charge less, and that makes them more competitive. So their competitors are forced to do the same thing.

Consequently we have cheap produce... but it's only cheap at the store. The simple fact is that every taxpayer in America is subsidizing that "cheap" food. We're paying for medical care for these immigrants, for example. Their employers work them part-time or they otherwise do not receive benefits. They do not pay taxes, or if they do pay taxes, their income is underreported and they're using someone else's SSN (in fact one used mine one year, but they reported only a few dollars of income so it didn't actually harm me.) There is also a very real issue with Mexican (in particular) gangs, especially in California. This is not a joke, this is not a made-up problem designed to scare people. It's real, and it's here. And it is largely a result of illegal immigration.

Now, look at the alternative to illegal immigration. If people are here legally then they can afford to report labor code abuses, because they don't just get kicked out of the country when they interface with the law. So this tends to have the result that people who are worked full-time actually get their benefits, and they have health insurance. So now they no longer need to depend on the taxpayer for medical care.

Of course, it also has the effect that food appears more expensive on the store shelf, or in the produce aisle, et cetera. But in fact the ACTUAL costs may go down overall! I say "may" because let's face it, I am not an economist, and I have not run the numbers. But I'm also not a complete idiot and I'm capable of understanding simple cause and effect.

What we have created is a system that encourages unemployment. It reduces not only the total number of jobs, but also the number of jobs capable of supporting a family. Wouldn't it be better if food cost a little more, or in some cases even a lot more, and the actual cost were reflected directly at the store shelf?

Looking at the history of migrant labor, the US was a lot better off when migrant laborers went backa nd forth across the border. It was when it became really difficult to go back did we start to see problems.

That's not really true. We only see different problems now. One issue is that we the US have constantly sought to degrade the quality of life south of the border in order to protect our pool of ready and willing labor. NAFTA, for example, was simply another way to fuck over the Mexicans. And now that manufacturing is cheaper in other countries, we just take whatever is valuable (even for scrap) and abandon the factories to sit and rust on the polluted ground we left them on, and move our manufacturing, so that Mexico really gets nothing out of it. But long be

Re:

[drinkypoo (153816)]

For some reason, all the high quality stuff - tools, appliances, etc. come from Germany.

My dad makes the assertion that at least in cars, the germans believe that good components make a good car, whereas the japanese believe that it's good system design that makes the difference. These days, though, both BMWs and Mercedes are big pieces of shit, and VW actually makes a more reliable car. So obviously things are a-movin' and a-shakin' over there.

The Germans DO seem to make the best tools around, though, st

Re:

[Rob the Bold (788862)]

And shouldn't they have? Immigration is Britains #1 problem.

You seem to be forgetting national dental care, the horrible rise of drug abuse, particularly among the working class and the minorities, the removal of troops from Northern Ireland, the parking situation in Benchley, and preventing Liam Gallagher from leaving Oasis.

One of the problems with RFID

[StewedSquirrel (574170)]

One of the primary problems with RFID is that it is "wireless" in nature. It is also designed to be "simplistic" for the simple case of economic savings.

While it is a great technology for information such as Barcode scanning and inventory tracking, its use in biometrics, identification and access controls is less secure. Transmitting significant and irrevocable information in an RFID pulse is irresponsible.

Where a barcode is ubiquitous and the concept of "stealing" it is silly, and even where the ID number of a "proxmity card" employee ID badge is easily revocable, information stored on a passport, such as biometrics, permanent identification numbers and the like are not revocable.

If you have such a passport, it is advisable that you either fry the RFID chip (i am not responsible for the legal issues surrounding it) or you store your passport in a metal safe, where RF cannot pass. There are already bags on the market with an integrated faraday cage, it is not entirely practical to keep your RFID identity perpetually in this bag while traveling (not to mention the headache at the airport screening area with a metal-laced bag). [tgdaily.com]

In short, this new RFID identity system is one of the most ill-advised and potentially dangerous (vulnerable to easy identity theft) systems in recent history, and is simply ASKING for people to duplicate it, while providing no benefit other than the government control ("papers please") that it demands.

Stewed

Re:One of the problems with RFID

[Sandbags (964742)]

RFID may be easy to copy or crack, but someone gets that info on their screen and still validates it against the hard copy when entering/exiting using a passport. You don't just wave it and go on... Passport information by itself is not enough to steal someone's identity or bank account. You still need physical proof. This first pass with RFID is simply making data tracking easier. It was not designed to be secure, just difficult to completely copy or forge. A truly secure passport system would have to include fingerprinting, pass codes, facial scanning technology, or some other system to prove the identity of the bearer. Of course, the RFID could not be responsible to pass that information, it would likely merely possess some simply information allowing it to access a secure database system that actually contains the remainder of the data. That data could be on a government server, or even an integrated SIM in the passport itself requiring connection to a proprietary system. 3 point data validation would work, but it would be very expensive. You'd still need hard copy for entering nations that do not yet have the technological capacity to electronically scan passports. One solution I hear proposed was that not only would the passport itself have an RFID tag, but also the person himself embedded under the skin, plus the addition of a fingerprint and 6 digit pin number. All 4 would have to match, be combined, and then be compared to a CRC value stored in an international database. All this would be simply for identity confirmation and nothing more, with the FBI and other similar branches still needing to cross validate your identity to your criminal record or a watch list. Are we really that concerned/paranoid?

Re:

[Jah-Wren Ryel (80510)]

RFID may be easy to copy or crack, but someone gets that info on their screen and still validates it against the hard copy when entering/exiting using a passport. You don't just wave it and go on... Passport information by itself is not enough to steal someone's identity or bank account. You still need physical proof. This first pass with RFID is simply making data tracking easier. It was not designed to be secure, just difficult to completely copy or forge. A truly secure passport system would have to incl

Because It's a Dumb Chip!

[mpapet (761907)]

I know the average /.'er will be up in arms about how insecure the new passport is but it's simply not one of the design goals.

The primary goal is to have a document that's harder (it's never impossible) to forge and easier to collect and process entry/exits. That's it. End of story.

It's not a silver bullet. Treating it as such is demanding something you won't ever get.

Re:

[WinterSolstice (223271)]

Seems like it's actually *harder*, to process and *easier* to forge though, not easier. Or am I the only one that thinks so?

Re:

[EdMack (626543)]

You're missing the point. It *is* now easier to forge, since the chip is easily copied without the receiver knowing, and people perceive the chip to be more secure and harder to copy.

Re:No No! No!

[mpapet (761907)]

Here's the how-to on forging a new passport:

1. Create a falsified passport jacket capable of holding a chip and antenna.
2. You embed the _right_ chip with the _right_ number encoded (oh yeah, you need to encode the chip) AND the _right_ antenna required for the chip in your garage into the faked passport jacket.
3. Create secure paper used in passport.
4. You'll need to work up all of the print security features.

It's not trivial, it's not a silver bullet it's not a fake ID you used to buy beer in college. Stop expecting more from the new passport than the design requirements fulfill.

Re:

[Kristoph (242780)]

No, I think it is you are missing the point. If you *copy* the chip you will copy the picture / fingerprints of the original owner of the passport. You will thus be immediately caught when attempting to use the passport because the 'biometrics' will not match. If you change the picture or other biometrics the key of the password will no longer be valid and thus it will be identified as a forgery.

So the fact that someone can copy your the chip is more of a privacy issue then a security issue.

]{

Re:

[Ungrounded Lightning (62228)]

The primary goal is to have a document that's harder (it's never impossible) to forge and easier to collect and process entry/exits. That's it. End of story.

So if you "need" a chip to handle the data, what's wrong with using a CONTACT-read chip like those on credit cards?

Sticking the passport in a slot is THAT much more inconvenient than waving it over a reader that you have to make the passport subject to drive-by scanning?

(Just imagine the next generation of "wardrivers". The term might end up being lite

What about US passports?

[Sunburnt (890890)]

I received one of the new U.S. Passports - the day I handed in my application happened to be the first day of the change, and I had my order expedited, so I have one of the first new passports.

There's no "chip:" the electronic storage is embedded in the photo page of the passport, among a series of wires covered with laminate. The Department of State says the cover of the new passports prevents RFID scanning when closed, which probably explains why the cover is a different thickness and flexibility than the previous passports.

Funny thing, though: the passport itself was opened flat in the shipping envelope from the passport center. So, presumably, it could be read. I wonder what sort of security the USDoS is using on these things?

The article has nothing to do with U.S. passports, since the Brits are using a different RFID mechanism. So, no help there. I wonder how many people read the article summary (which fails to mention this detail - it probably should, since this is a rather U.S.-centric website) without RTFA and are busy microwaving their new U.S. passports?

Re:

[Arker (91948)]

IIRC the British and US passports are using essentially the same mechanism, so as to be compatible with each others readers. The US passports added the cover-shield, which is of dubious value as you note, but other than that I think they'll have the same vulnerability. Could be wrong though.

Re:

[drinkypoo (153816)]

USDoS

What are you talking about? Every department of the US government is about denial of service. They deny you service at every step.

But seriously, I'm sure they ship them flat specifically so that they CAN read them. Exactly why they would want to do this is anyone's guess.

I'd say that so long as they don't have the same weak-key problem (or similar) as UK passports, who cares? The issue isn't reading my passport when it's in the mail. The issue is reading my passport when it's on me, and knowing thin

Re:

[Prophet of Nixon (842081)]

When was this? I got a new passport mailed about two weeks ago, and now I'm curious if mine has that (I would check, but its at home... I glanced at it and put it back in the envelope for now).

That's no "security researcher"...

[OriginalArlen (726444)]

...that's Adam [rfidiot.org] Laurie [google.co.uk]! The godlike genius of Shepherd's Bush! Seriously though... he's something of a geek hero to me. Dunno why (apart from respect for a fellow-survivor of Bush) -- lots of other people write code and do research, but he just seems like such a nice chap with it.

RFID passports to be abandonded?

[mrtexe (1032978)]

Secretary Chertoff, US Department of Homeland Security: RFID passports to be abandonded [playfuls.com].

That said, it looks like some of these passports are out there already. Secondly, I haven't come across a definitive statement or timeline from DHS as to when RFID passpots will be abandonded.

Re:

[drinkypoo (153816)]

Secondly, I haven't come across a definitive statement or timeline from DHS as to when RFID passpots will be abandonded.

Right after all the people they really want to track either a) have one or b) have been tagged with RFID through other means. You can make a passive RFID tag the size of a grain of rice (smaller!) now. You could trivially hide it inside of anything... a key chain, or even a key! With the right design, in fact, you could probably use a key as an antenna.

RFID is not going to save the world

[unPlugged-2.0 (947200)]

As a software developer in the RFID industry and trying to effectively merge open source and RFID I always hear these kinds of things from our clients, slashdotters, family and random people on the street. RFID is insecure, it's the end of the world, we are all going to be puppets, you wouldn't believe the kind of responses I get during thanksgiving.

And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that RFID in and of itself is insecure.

The truth is that tags can be secure or they can be cheap but very rarely both. It is impossible to be able to have them both with the current economies of scale. The ones used in the passport are most definitely not the high-end tags with memory and cryptographic capabilities. There are some active tags that can do public/private key validation but they also cost a fortune. The governments are going to go with the cheapest version.

They know full well it is going to be cracked. It is not a big deal as it is not that hard to steal or copy the current passport anyways so they have not really digressed. This was meant to be a pilot (that somehow went into production) to check how efficient it could be and also serve as a vehicle for making further enhancements and putting more data.

As other slashdotters have pointed out it is still impossible to actually modify the information on the tags. When this is possible then that is really newsworthy because now people can actually change other people's information and wreak havoc.

But until then there are far easier and cheaper ways to find out someone's Social Security and date of birth on the web.

Re:

[drinkypoo (153816)]

As a software developer in the RFID industry and trying to effectively merge open source and RFID I always hear these kinds of things from our clients, slashdotters, family and random people on the street. RFID is insecure, it's the end of the world, we are all going to be puppets, you wouldn't believe the kind of responses I get during thanksgiving. And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that

Re:

[drinkypoo (153816)]

The bottom line is that RFID is not any more secure or any less secure than what you currently have. Do you have a credit card? A bank card? Then you are have already been violated.

No card in my wallet is remotely readable, at least to the best of my knowledge. You missed the point entirely.

The RFID used in credit cards and passports are HF (13.56 mhz). The range on these tags is incredibly small. Even with the best equipment you cannot read farther than 6 - 12 inches. You can build a fancy contraption wi

RFID

[mypalmike (454265)]

RFID = Ready For Immediate Duplication?

If you want something done right...

[mi (197448)]

... you have to do it yourself.

If you want something done really wrong (and very expensive) — have the government to do it.

It boggles the mind, that despite continuous and numerous reports of various government screw-ups, the majority of fellow Slashdotters still seem to favor things like "Municipal WiFi"...

Oh, yeah, "local government" is supposed to be better than federal... But is it really? Not in my experience...

Re:If you want something done right...

[geekoid (135745)]

The federal, state and city government do a lot of things right. In fact most of there projects are quite successful. The media shines a light on the problems* so thats all most people here.

Most agencies are more fiscally responsible then most corporations.

Go the the ligrary and look at all the projects that get done.

remember, with a company all you here is the success, with the government all you hear about is the problems.

90% of all government projects are done on time, 90% of all corporate projects fail.

*and they should

Re:Embedded Linux is a major security risk

[Lumpy (12016)]

Wow! I did not know that there were any oblivious morons left in the wild.
What number is on your ear tag? OH! are you one of the rare untagged morons? Where is my camera! National Geographic is gonna pay for a photo of a untagged wild moron!

hey, come back! this camera won't steal your soul....... dammit.

Re:So what?

[Arker (91948)]

Is this really a big deal?

Yes.

The issue with RFID passports would be if they could be forged... it doesn't matter if they can be duplicated.

A distinction without a difference. An organisation (and it doesn't matter if this is a terrorist group or a run-of-the-mill little mafia type operation) coöpts a few postal employees. Not particularly hard to do. Those employees use a relatively inexpensive piece of equipment to scan the passports that pass through their hands. This is nearly instantaneous, and non-invasive, so good luck noticing that. The passports go right along to their intended recipients with no delay, and no one's the wiser. Yet the organisation now has all the information needed to create forged passports with valid data, which will raise no flags when used and allow their operatives to assume the identity of the citizen. All the supposed security benefits of the plan are gone, in fact, it's worse than old-style passports from a standpoint of security.

Sure, there's a minor privacy issue if the passport can be read by proximity (how close do you need to be?

Depends on how good your receiver is. Just because customs will be using an el cheapo setup that needs to be within ten inches to read the signal doesn't mean that no one will be able to construct a better reader. You think that's a *minor* issue? That someone could steal your identity, or detonate a bomb, based on that information without even having to set hands on your passport? Sounds pretty major to me.

Re:

[Bill, Shooter of Bul (629286)]

I could be wrong, but I believe some of the information stored on the rfid ( or linked in a database of some kind) chips is biometric. Ie ( finger print information, retinal scan). So you'd have to beat that level of security as well. Not impossible, but not a walk in the park.

Re:So what?

[Kristoph (242780)]

I cannot believe this was voted insightful.

A copy of 'biometric' passport information has no value in a security context. If a copy of a passport is created using the biometric information then, obviously, that biometric information will not match the passport holder which will mean he/she will be identified as carrying a forged passport. If the biometrics are changed the digest of the passport information will be invalid and so, again, he/she will be identified as carrying a forged passport.

This is really only an issue because someone can get your personal information (for use in, for example, financial identity fraud) without having to actually open any of your mail.

]{

Re:

[jimicus (737525)]

The issue with RFID passports would be if they could be /forged/... it doesn't matter if they can be duplicated.

Not true.

There's a lot to be said for not bothering to forge passports anyway - sooner or later customs at most first-world countries will probably link up, so the passport number can be checked instantly against a database to make sure the details match up. The only way a "forged" passport will work then is if it's not forged at all, but rather made with the collusion of someone at the passport

I'm a "Law 'n Order Anarchist"

[Ungrounded Lightning (62228)]

I'm a libertarian so now I feel justified in supporting open borders. Having enough money to live in a gated community and owning machine guns is a private matter.

I, on the other hand, characterize myself as a "Law 'n Order Anarchist" (or "Law 'n Order Minarchist" on even-numbered days). That means I think we should get rid of all (or all but the minimum necessary) of the laws - but believe it must be done in the right ORDER or it makes things worse rather than better.

(Actually, I'm more of a "Constitutio

Re:

[istartedi (132515)]

If there are no borders, then there is effectively no government. This is one of my big problems with the Libertarians. Taking away borders would, in theory, lead to anarchy. In practice, any anarchy gives rise to power centers since nature abhors a power vacuum just as much as it abhors a physical vacuum. In the past, this vacuum was filled by feudal systems that coalesced into nation states. In the present, the porosity of borders combined with the mobility and rapid communications of technological s

Re:

[AJWM (19027)]

I'm a libertarian so now I feel justified in supporting open borders. Having enough money to live in a gated community and owning machine guns is a private matter.

You call yourself a libertarian and you can't see the internal inconsistency in that position?

Sigh, what happened to the good old days when libertarians were people who had read and understood Ayn Rand? Our borders are our gated community, how else keep out people who are opposed to the libertarian ethic? (I.e., who want to take things from us