Forgot your password?
typodupeerror
Security Technology

RFID Passports Cloned Without Opening the Package 168

Posted by ScuttleMonkey
from the step-one-cut-a-hole-in-a-box dept.
Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."
This discussion has been archived. No new comments can be posted.

RFID Passports Cloned Without Opening the Package

Comments Filter:
  • Ohhh (Score:5, Funny)

    by Anonymous Coward on Wednesday March 07, 2007 @03:07PM (#18265652)
    10 seconds in the microwave sounds about right!
    • Re: (Score:3, Funny)

      by mdm-adph (1030332)
      I've heard smashing it with a hammer works just as well, and it doesn't invalidate the passport. Someone correct me if I'm wrong about this!
    • by kpainter (901021)
      That sounds like an excellent idea to me, seriously. I wonder what the effect of doing that would be on the user though?
      • Re:Ohhh (Score:4, Informative)

        by Sunburnt (890890) on Wednesday March 07, 2007 @03:23PM (#18265922)
        Not sure about the effects on a UK passport holder, but you can still use [state.gov] a U.S. passport if the RFID is disabled. The only advantage of having one seems to be shorter lines at Immigration. (Which isn't true yet, at least at LAX as of two weeks ago. They're probably waiting for more people to get the new passports before they set up the equipment.)
        • Re:Ohhh (Score:5, Insightful)

          by misterhypno (978442) on Wednesday March 07, 2007 @04:19PM (#18266634)
          It doesn't matter if YOU disable the chip, because it can be cloned BEFORE THE OWNER EVER GETS THE FRENORKING THING!!

          If you read the article, the cloning took place while it was IN TRANSIT TO the intended receipient - which means that ANYONE getting a Passport through the mail could have their Passport cloned BEFORE they ever GET it.

          Without the package that the Passport is shipped in EVER BEING OPENED!

          Try reading for content next time.

          So, even if you disable the RFID after you GET it, the thing has been compromised BEFORE you ever get your hands ON it!

          RFID = Real Fast Identity Destruction... courtesy of Homeland Security and the rest of the paranoids who don't understand technology up on the Hill who probably think that RFID is "totally tubular, man! Like the internets!"

          And I will bet long odds that this post gets me audited - again - too.
          • by Sunburnt (890890)
            Not sure all the SHOUTING is necessary, but I was replying specifically to a question about what the effect would be of going through immigration without working RFID. I wasn't referring to the potential of compromise at all, in fact.

            Try reading for content next time.
            Good advice for you to follow.
        • by NerveGas (168686)
          My suspicion is that you don't necessarily get the shorter line with the RFID, but that you will get a MUCH longer line if your RFID doesn't work...

          That's based on a trip back east a few years ago where the travel agent booked the tickets with my wife's maiden, not married name. She was able to get the tickets by producing various documents, but each time through security, we would be told "No, the two of you step over here, please." Let's just say that it was a good thing that we arrived early. :-(
  • by Aurelfell (520560) on Wednesday March 07, 2007 @03:12PM (#18265728)
    It was the game show with the Whammies that stole your money. As I recall, there was a guy who watched the show long enough that he figured out a pattern that would let him win every time. He played for like three days, and won a crazy amount of money. The show went of the air, but I remember reading that the programmers who created the game board offered to make it 'true random' for another $600, and the network refused to pay it.

    This article reminds me of that story.
  • Packaging (Score:3, Insightful)

    by Radon360 (951529) on Wednesday March 07, 2007 @03:13PM (#18265736)
    I guess they should have considered mailing them inside a sealed aluminum foil pouch inside the envelope. Not that something like that would stop all of the other vulnerabilities, however.
    • Re: (Score:2, Insightful)

      by VorpalRodent (964940)
      In every article we've seen on this, there is always the discussion of the government's position of "no one can read it if it's closed". What happened to that? I don't recall my passport arriving opened inside the pouch.

      This implies, at least to me, that there is no security whatsoever protecting it from being read, closed or open. Are we to believe that this is seriously the best that they could come up with?

      • Re:Packaging (Score:4, Interesting)

        by Sunburnt (890890) on Wednesday March 07, 2007 @03:26PM (#18265964)

        In every article we've seen on this, there is always the discussion of the government's position of "no one can read it if it's closed". What happened to that? I don't recall my passport arriving opened inside the pouch.
        Mine did, actually, but the article is referring to the U.K. passports. Different kind of RFID on the U.S. models, and the cover is definitely a different (and thicker) material than the older passports.
      • by dgatwood (11270)

        Are we to believe that this is seriously the best that they could come up with?

        Sadly, it probably is.

        You see, there's a little problem of the laws of physics. A passive RFID package, AFAIK, typically produces output proportional to the input signal. As a result, to get a hotter output, you just need to provide a hotter input. Up to the limit of the chip, then, you can get around any thickness of shielding simply by increasing both transmitter and receiver gain. I suspect you'll find that it would

        • Why can't they just toss in other "random" RFID chips in the packaging or tape a throw away on to the inside of the passport? RFID scrambling. Is it possible to discriminate between multiple signals originating from less than a mm apart?
    • by Billosaur (927319) *

      I guess they should have considered mailing them inside a sealed aluminum foil pouch inside the envelope. Not that something like that would stop all of the other vulnerabilities, however.

      Mmmmmmmmm... vacuum-packed for freshness!!

    • Which is precisely why I've put a sheet of copper mesh in my passport at the page where the little RFID beastie lives... bastards... never ever consider the possibility that the thing could be read in transit... I did consider accidentally on purpose squishing the little black blob with a pair of pliers so it would break... but... that would only case me more hassle than it's worth...

      apparently mine was "securely" delivered... but I got home to find it inside on the doormat... the postie had just slipped it
  • Same old Daily Mail (Score:3, Interesting)

    by goldaryn (834427) on Wednesday March 07, 2007 @03:14PM (#18265758) Homepage
    From the Daily Mail article: "More significantly, we had the details which would allow a fraudster, people trafficker or illegal immigrant* to set up a new life in Britain. The criminal could open a bank account, claim state benefits and undertake a myriad financial and legal transactions in someone else's name. "

    So basically, exactly what goes on now, except for the new false sense of security. Great!

    * I knew they'd bring this up
    • by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday March 07, 2007 @03:34PM (#18266062) Homepage Journal

      I knew they'd bring this up

      You know, it's not just governments concerned about illegal immigration. It's residents, too. Illegal immigration does help keep prices low, but it also helps drive down wages by reducing the value of laborers.

      As such, they would be remiss in not mentioning it, as it is of interest to their readership.

      • by geekoid (135745)
        First off, you need to look at the jobs they do.

        I do know that in the US, there are farms that can not get american laborers at over 10 bucks an hour with benefits.

        It's the type of work someone will do day in and day out when setting up a new life.

        So, that farmer cuold pay more, but they don't have the funds right now, and how much are we willing to buy a potato for?

        Looking at the history of migrant labor, the US was a lot better off when migrant laborers went backa nd forth across the border. It was when i
        • by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday March 07, 2007 @04:45PM (#18266938) Homepage Journal

          First off, you need to look at the jobs they do.

          Having grown up in Santa Cruz, which is in a highly agricultural area, and now living in Kelseyville, which is/was the Pear capital of the world (lots of pears coming out and grapes going in these days though) I'm pretty highly aware of the jobs they do.

          I do know that in the US, there are farms that can not get american laborers at over 10 bucks an hour with benefits.

          What? That sentence doesn't really say anything. There are no farms, for example, that could not get American laborers at 30 bucks an hour. That's over 10 bucks an hour. Maybe we could revisit this point?

          It's the type of work someone will do day in and day out when setting up a new life.

          I'm not sure what that has to do with anything. Lots of people in the US need a new life, too.

          So, that farmer cuold pay more, but they don't have the funds right now, and how much are we willing to buy a potato for?

          Well, that's precisely my point. The farmer needs to charge more in order to pay more. As long as some employers are happy to hire illegals, they can charge less, and that makes them more competitive. So their competitors are forced to do the same thing.

          Consequently we have cheap produce... but it's only cheap at the store. The simple fact is that every taxpayer in America is subsidizing that "cheap" food. We're paying for medical care for these immigrants, for example. Their employers work them part-time or they otherwise do not receive benefits. They do not pay taxes, or if they do pay taxes, their income is underreported and they're using someone else's SSN (in fact one used mine one year, but they reported only a few dollars of income so it didn't actually harm me.) There is also a very real issue with Mexican (in particular) gangs, especially in California. This is not a joke, this is not a made-up problem designed to scare people. It's real, and it's here. And it is largely a result of illegal immigration.

          Now, look at the alternative to illegal immigration. If people are here legally then they can afford to report labor code abuses, because they don't just get kicked out of the country when they interface with the law. So this tends to have the result that people who are worked full-time actually get their benefits, and they have health insurance. So now they no longer need to depend on the taxpayer for medical care.

          Of course, it also has the effect that food appears more expensive on the store shelf, or in the produce aisle, et cetera. But in fact the ACTUAL costs may go down overall! I say "may" because let's face it, I am not an economist, and I have not run the numbers. But I'm also not a complete idiot and I'm capable of understanding simple cause and effect.

          What we have created is a system that encourages unemployment. It reduces not only the total number of jobs, but also the number of jobs capable of supporting a family. Wouldn't it be better if food cost a little more, or in some cases even a lot more, and the actual cost were reflected directly at the store shelf?

          Looking at the history of migrant labor, the US was a lot better off when migrant laborers went backa nd forth across the border. It was when it became really difficult to go back did we start to see problems.

          That's not really true. We only see different problems now. One issue is that we the US have constantly sought to degrade the quality of life south of the border in order to protect our pool of ready and willing labor. NAFTA, for example, was simply another way to fuck over the Mexicans. And now that manufacturing is cheaper in other countries, we just take whatever is valuable (even for scrap) and abandon the factories to sit and rust on the polluted ground we left them on, and move our manufacturing, so that Mexico really gets nothing out of it. But long be

          • by bogjobber (880402)

            OK, you started out good but you ended up sounding like an ill-informed maniac. There is no way you can attribute the US or NAFTA as degrading the quality of life in Mexico. Absolutely no fucking way. We give billions of dollars in aid to Mexico. Mexico was one of the first countries to undergo the Green Revolution, with major help from the US. This started Mexico's move from an agricultural economy, and allowed them to become a net exporter of food instead of importing. By moving manufacturing into n

            • by walt-sjc (145127)
              The problem we had in Mexico, is that the quality of the resulting products was HORRIBLE. No matter what manufacturers did, they could not get the quality up to minimum standards. So what happened? Manufacturing moved to China, where the quality was much better for less effort.

              But don't get me started on the quality of most all products today - it's just crap. For some reason, all the high quality stuff - tools, appliances, etc. come from Germany. Kudos to German manufacturers who have figured out that some
              • Re: (Score:3, Interesting)

                by drinkypoo (153816)

                For some reason, all the high quality stuff - tools, appliances, etc. come from Germany.

                My dad makes the assertion that at least in cars, the germans believe that good components make a good car, whereas the japanese believe that it's good system design that makes the difference. These days, though, both BMWs and Mercedes are big pieces of shit, and VW actually makes a more reliable car. So obviously things are a-movin' and a-shakin' over there.

                The Germans DO seem to make the best tools around, though, st

            • by drinkypoo (153816)

              OK, you started out good but you ended up sounding like an ill-informed maniac. There is no way you can attribute the US or NAFTA as degrading the quality of life in Mexico. Absolutely no fucking way. We give billions of dollars in aid to Mexico.

              And where does that money actually go? The majority of it goes into the pockets of the already-wealthy.

              Mexico was one of the first countries to undergo the Green Revolution, with major help from the US. This started Mexico's move from an agricultural economy, and

              • by bogjobber (880402)

                Sorry for being an asshole in advance, but I don't think you addressed my points. Once again, rants and hyperbole. You provide no evidence either through statistics or historical example of how Mexico is worse off because of the United States. Since the passage of NAFTA (which you attacked) per capita income across Mexico has jumped dramatically. Poverty has decreased. Life expectancy has increased. The number of people employed, especially in northern areas around Monterrey and Tijuana, has also incre

          • They do not pay taxes, or if they do pay taxes, their income is underreported and they're using someone else's SSN (in fact one used mine one year, but they reported only a few dollars of income so it didn't actually harm me.)

            No according the IRS, fourteen million undocumented aliens did pay income taxes last year. They've been paying taxes since the 90s.

            The IRS is/was pragmatic enough to accept, campaign for, and scare undocumented aliens into paying income taxes. Granted, probably many undocumented
            • by drinkypoo (153816)

              No according the IRS, fourteen million undocumented aliens did pay income taxes last year. They've been paying taxes since the 90s. The IRS is/was pragmatic enough to accept, campaign for, and scare undocumented aliens into paying income taxes.

              No. The IRS is/was pragmatic enough to scare the farming companies into reporting some of that income so that it can be taxed. That's where the real impetus comes from. "Pay their taxes, or we'll take away your business."

              Granted, probably many undocumented aliens st

  • by StewedSquirrel (574170) on Wednesday March 07, 2007 @03:15PM (#18265788)
    One of the primary problems with RFID is that it is "wireless" in nature. It is also designed to be "simplistic" for the simple case of economic savings.

    While it is a great technology for information such as Barcode scanning and inventory tracking, its use in biometrics, identification and access controls is less secure. Transmitting significant and irrevocable information in an RFID pulse is irresponsible.

    Where a barcode is ubiquitous and the concept of "stealing" it is silly, and even where the ID number of a "proxmity card" employee ID badge is easily revocable, information stored on a passport, such as biometrics, permanent identification numbers and the like are not revocable.

    If you have such a passport, it is advisable that you either fry the RFID chip (i am not responsible for the legal issues surrounding it) or you store your passport in a metal safe, where RF cannot pass. There are already bags on the market with an integrated faraday cage, it is not entirely practical to keep your RFID identity perpetually in this bag while traveling (not to mention the headache at the airport screening area with a metal-laced bag). [tgdaily.com]

    In short, this new RFID identity system is one of the most ill-advised and potentially dangerous (vulnerable to easy identity theft) systems in recent history, and is simply ASKING for people to duplicate it, while providing no benefit other than the government control ("papers please") that it demands.

    Stewed
    • by Sandbags (964742) on Wednesday March 07, 2007 @03:33PM (#18266054) Journal
      RFID may be easy to copy or crack, but someone gets that info on their screen and still validates it against the hard copy when entering/exiting using a passport. You don't just wave it and go on... Passport information by itself is not enough to steal someone's identity or bank account. You still need physical proof. This first pass with RFID is simply making data tracking easier. It was not designed to be secure, just difficult to completely copy or forge. A truly secure passport system would have to include fingerprinting, pass codes, facial scanning technology, or some other system to prove the identity of the bearer. Of course, the RFID could not be responsible to pass that information, it would likely merely possess some simply information allowing it to access a secure database system that actually contains the remainder of the data. That data could be on a government server, or even an integrated SIM in the passport itself requiring connection to a proprietary system. 3 point data validation would work, but it would be very expensive. You'd still need hard copy for entering nations that do not yet have the technological capacity to electronically scan passports. One solution I hear proposed was that not only would the passport itself have an RFID tag, but also the person himself embedded under the skin, plus the addition of a fingerprint and 6 digit pin number. All 4 would have to match, be combined, and then be compared to a CRC value stored in an international database. All this would be simply for identity confirmation and nothing more, with the FBI and other similar branches still needing to cross validate your identity to your criminal record or a watch list. Are we really that concerned/paranoid?
      • Re: (Score:3, Insightful)

        by Jah-Wren Ryel (80510)
        RFID may be easy to copy or crack, but someone gets that info on their screen and still validates it against the hard copy when entering/exiting using a passport. You don't just wave it and go on... Passport information by itself is not enough to steal someone's identity or bank account. You still need physical proof. This first pass with RFID is simply making data tracking easier. It was not designed to be secure, just difficult to completely copy or forge. A truly secure passport system would have to incl
  • by mpapet (761907) on Wednesday March 07, 2007 @03:16PM (#18265814) Homepage
    I know the average /.'er will be up in arms about how insecure the new passport is but it's simply not one of the design goals.

    The primary goal is to have a document that's harder (it's never impossible) to forge and easier to collect and process entry/exits. That's it. End of story.

    It's not a silver bullet. Treating it as such is demanding something you won't ever get.
    • Re: (Score:3, Insightful)

      Seems like it's actually *harder*, to process and *easier* to forge though, not easier. Or am I the only one that thinks so?
    • Re: (Score:3, Insightful)

      by EdMack (626543)
      You're missing the point. It *is* now easier to forge, since the chip is easily copied without the receiver knowing, and people perceive the chip to be more secure and harder to copy.
      • Re:No No! No! (Score:5, Insightful)

        by mpapet (761907) on Wednesday March 07, 2007 @03:40PM (#18266150) Homepage
        Here's the how-to on forging a new passport:

        1. Create a falsified passport jacket capable of holding a chip and antenna.
        2. You embed the _right_ chip with the _right_ number encoded (oh yeah, you need to encode the chip) AND the _right_ antenna required for the chip in your garage into the faked passport jacket.
        3. Create secure paper used in passport.
        4. You'll need to work up all of the print security features.

        It's not trivial, it's not a silver bullet it's not a fake ID you used to buy beer in college. Stop expecting more from the new passport than the design requirements fulfill.
        • Re: (Score:2, Insightful)

          by maxume (22995)
          Is the chip required to get through customs? If not, the procedures is more like:

          1. Read and crack data without being detected(this is perhaps easier than stealing a traditional passport).
          2. Forge now even more legitimate passport using cracked data.
        • if it was so hard to forge a passport then they wouldnt need the extra security they claim the rfid chip gives. but guess what, passports are already being forged.

          the rfid chip contains photo biometrics certainly (not a high res picture either, theres only a tiny amount of storage space), but fingerprints arent included yet in many cases (and were never mandated by ICAO) it also doesnt include your signature.

          so somebody that looks a bit like you, enough to pass casual observation (we all know computer face
      • by Kristoph (242780)
        No, I think it is you are missing the point. If you *copy* the chip you will copy the picture / fingerprints of the original owner of the passport. You will thus be immediately caught when attempting to use the passport because the 'biometrics' will not match. If you change the picture or other biometrics the key of the password will no longer be valid and thus it will be identified as a forgery.

        So the fact that someone can copy your the chip is more of a privacy issue then a security issue.

        ]{
      • by AK Marc (707885)
        It's harder to forge. In addition to having to physically forge the passport, as always, they must also forge the RFID. That may be trivially harder, but it is still harder. You can't just scan an RFID, take it to your passport printer and print out a perfect forgery. Reading the RFID adds complexity, not reduces it. The RFID doesn't have all the information necessary to make a valid forgery. Thus, it is not useful to take just the reading and forge something from it. You must still have physical acc
    • Re: (Score:3, Insightful)

      The primary goal is to have a document that's harder (it's never impossible) to forge and easier to collect and process entry/exits. That's it. End of story.

      So if you "need" a chip to handle the data, what's wrong with using a CONTACT-read chip like those on credit cards?

      Sticking the passport in a slot is THAT much more inconvenient than waving it over a reader that you have to make the passport subject to drive-by scanning?

      (Just imagine the next generation of "wardrivers". The term might end up being lite
      • ironically you have to stick these rfid passports through a slot reader anyway.

        an optical reader decodes the printed values on the bottom edge of your passport in order to construct the key to connect to and decrypt the rfid data.
  • by Sunburnt (890890) on Wednesday March 07, 2007 @03:20PM (#18265880)
    I received one of the new U.S. Passports - the day I handed in my application happened to be the first day of the change, and I had my order expedited, so I have one of the first new passports.

    There's no "chip:" the electronic storage is embedded in the photo page of the passport, among a series of wires covered with laminate. The Department of State says the cover of the new passports prevents RFID scanning when closed, which probably explains why the cover is a different thickness and flexibility than the previous passports.

    Funny thing, though: the passport itself was opened flat in the shipping envelope from the passport center. So, presumably, it could be read. I wonder what sort of security the USDoS is using on these things?

    The article has nothing to do with U.S. passports, since the Brits are using a different RFID mechanism. So, no help there. I wonder how many people read the article summary (which fails to mention this detail - it probably should, since this is a rather U.S.-centric website) without RTFA and are busy microwaving their new U.S. passports?

    • by Arker (91948)
      IIRC the British and US passports are using essentially the same mechanism, so as to be compatible with each others readers. The US passports added the cover-shield, which is of dubious value as you note, but other than that I think they'll have the same vulnerability. Could be wrong though.
    • by drinkypoo (153816)

      USDoS

      What are you talking about? Every department of the US government is about denial of service. They deny you service at every step.

      But seriously, I'm sure they ship them flat specifically so that they CAN read them. Exactly why they would want to do this is anyone's guess.

      I'd say that so long as they don't have the same weak-key problem (or similar) as UK passports, who cares? The issue isn't reading my passport when it's in the mail. The issue is reading my passport when it's on me, and knowing thin

      • by Sunburnt (890890)

        But seriously, I'm sure they ship them flat specifically so that they CAN read them.

        It was stiff enough that it appeared to have never been closed. I think this is innocuous: there's no way to distinguish passports when they're closed, and they certainly don't want to send them to the wrong person, so this is probably to facilitate sorting. There's certainly no reason for the government to scan them as they travel through the mail; they already know you have a passport, and they're already tracking the p

    • When was this? I got a new passport mailed about two weeks ago, and now I'm curious if mine has that (I would check, but its at home... I glanced at it and put it back in the envelope for now).
      • by drew (2081)
        FWIW, my wife got her new passport a week or two ago, and as far as I can tell it's not one of the RFID ones.
        • They still seem to have some old blanks, and they're going to use them up. So some of the passport offices are issuing the new kind, and some the old kind, and sooner or later, they'll all be on the new kind. Me, I went out a few months ago and got one of the old kind (even though I virtually never travel) just to be safe.
      • by Sunburnt (890890)
        They made the change sometime in January. Easy to tell; there's a little gold symbol under the words, "of America" on the front cover that looks like a box with a circle in the middle.
  • by OriginalArlen (726444) on Wednesday March 07, 2007 @03:30PM (#18266026)
    ...that's Adam [rfidiot.org] Laurie [google.co.uk]! The godlike genius of Shepherd's Bush! Seriously though... he's something of a geek hero to me. Dunno why (apart from respect for a fellow-survivor of Bush) -- lots of other people write code and do research, but he just seems like such a nice chap with it.
  • Secretary Chertoff, US Department of Homeland Security: RFID passports to be abandonded [playfuls.com].

    That said, it looks like some of these passports are out there already. Secondly, I haven't come across a definitive statement or timeline from DHS as to when RFID passpots will be abandonded.

    • by drinkypoo (153816)

      Secondly, I haven't come across a definitive statement or timeline from DHS as to when RFID passpots will be abandonded.

      Right after all the people they really want to track either a) have one or b) have been tagged with RFID through other means. You can make a passive RFID tag the size of a grain of rice (smaller!) now. You could trivially hide it inside of anything... a key chain, or even a key! With the right design, in fact, you could probably use a key as an antenna.

  • by unPlugged-2.0 (947200) on Wednesday March 07, 2007 @03:34PM (#18266070) Homepage
    As a software developer in the RFID industry and trying to effectively merge open source and RFID I always hear these kinds of things from our clients, slashdotters, family and random people on the street. RFID is insecure, it's the end of the world, we are all going to be puppets, you wouldn't believe the kind of responses I get during thanksgiving.

    And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that RFID in and of itself is insecure.

    The truth is that tags can be secure or they can be cheap but very rarely both. It is impossible to be able to have them both with the current economies of scale. The ones used in the passport are most definitely not the high-end tags with memory and cryptographic capabilities. There are some active tags that can do public/private key validation but they also cost a fortune. The governments are going to go with the cheapest version.

    They know full well it is going to be cracked. It is not a big deal as it is not that hard to steal or copy the current passport anyways so they have not really digressed. This was meant to be a pilot (that somehow went into production) to check how efficient it could be and also serve as a vehicle for making further enhancements and putting more data.

    As other slashdotters have pointed out it is still impossible to actually modify the information on the tags. When this is possible then that is really newsworthy because now people can actually change other people's information and wreak havoc.

    But until then there are far easier and cheaper ways to find out someone's Social Security and date of birth on the web.

    • Re: (Score:3, Interesting)

      by drinkypoo (153816)

      As a software developer in the RFID industry and trying to effectively merge open source and RFID I always hear these kinds of things from our clients, slashdotters, family and random people on the street. RFID is insecure, it's the end of the world, we are all going to be puppets, you wouldn't believe the kind of responses I get during thanksgiving. And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that

      • Those are some good points but methinks you should should go a little light on the X-Files reruns. Just kidding, pardon my dry humor and I love X-Files too before they got all wacky.

        The bottom line is that RFID is not any more secure or any less secure than what you currently have. Do you have a credit card? A bank card? Then you are have already been violated.

        The RFID used in credit cards and passports are HF (13.56 mhz). The range on these tags is incredibly small. Even with the best equipment you c
        • Re: (Score:3, Interesting)

          by drinkypoo (153816)

          The bottom line is that RFID is not any more secure or any less secure than what you currently have. Do you have a credit card? A bank card? Then you are have already been violated.

          No card in my wallet is remotely readable, at least to the best of my knowledge. You missed the point entirely.

          The RFID used in credit cards and passports are HF (13.56 mhz). The range on these tags is incredibly small. Even with the best equipment you cannot read farther than 6 - 12 inches. You can build a fancy contraption wi

          • I guess we can agree to disagree :)

            I think the government has much more information on you anyways than you would think they do with an RFID card. The RFID tag is just another identification marker. It is slightly more secure, more convenient than Barcodes and that is all. Yes it can be read at a range and sometimes you may not know they are being read but the costs and effort to do that is astronomical. Wireless also is easy to track. There are gps, cell phones and a host of other markers as well.

            One
            • by drinkypoo (153816)

              I think the government has much more information on you anyways than you would think they do with an RFID card.

              Currently, they don't know my whereabouts at every moment. This would give them orders of magnitude more information about my position than they have now. Currently they can find out where I am only by either actually watching me, which involves following me around; or by reviewing my use of my electronic identities like credit cards and the like, which only works at the moment I use them.

              Yes it

  • RFID (Score:5, Funny)

    by mypalmike (454265) on Wednesday March 07, 2007 @03:43PM (#18266184) Homepage
    RFID = Ready For Immediate Duplication?
  • ... you have to do it yourself.

    If you want something done really wrong (and very expensive) — have the government to do it.

    It boggles the mind, that despite continuous and numerous reports of various government screw-ups, the majority of fellow Slashdotters still seem to favor things like "Municipal WiFi"...

    Oh, yeah, "local government" is supposed to be better than federal... But is it really? Not in my experience...

    • The federal, state and city government do a lot of things right. In fact most of there projects are quite successful. The media shines a light on the problems* so thats all most people here.

      Most agencies are more fiscally responsible then most corporations.

      Go the the ligrary and look at all the projects that get done.

      remember, with a company all you here is the success, with the government all you hear about is the problems.

      90% of all government projects are done on time, 90% of all corporate projects fail.

      *and they should
      • by mi (197448)

        90% of all government projects are done on time, 90% of all corporate projects fail.

        Could I have the source of these statistics, please? Thank you.

    • Muni wi-fi is good. Just like freeways.

      It gives a lot more power to the people then private corp. would do.

    • by AK Marc (707885)
      If you want something done really wrong (and very expensive) have the government to do it.

      Social Security is a fund management system that beats all major private funds in overhead costs. Yes, that's right, the private sector is less efficient than the government. There are plenty of other examples, but it only takes one to show you to be completely wrong. But thanks for playing into the government-hating FUD.
  • I know I'm not. I'm not a dyed-in-the-wool free marketeer (or rather I am, but there's no such thing as a truly free market), but a long held belief of theirs is that government produces NOTHING. I don't necessarily agree with that statement 100%, but these new passports are emblematic of what the government is getting into the business of. They are getting into the business of providing security, and, quite frankly, they are not very good at it.

    Of all the things I can think of that the government ought
  • This is so funny (in a sarcastic kind of way),

    we keep readin about RFID tags being breached for this, or for that, that the content can be read if you do this, hacked if you do that.

    LOL.

    How many holes in your armor do you need before you understand that its not bulletproof ?

    Its like those electronic voting machines. As far as my knowledge goes, there is yet to exist a tamper proof machine for safe e-Voting. Why are they still going this way how many millions are they gonna spend before they realize it costs
  • A copy of 'biometric' passport information has no value in a security context. If a copy of a passport is created using the biometric information then, obviously, that biometric information will not match the passport holder which will mean he/she will be identified as carrying a forged passport. If the biometrics are changed the digest of the passport information will be invalid and so, again, he/she will be identified as carrying a forged passport.

    This is really only an issue because someone can get your
  • Isn't this exactly what RFID passports are intended for? I mean, facilitating ID theft? :)
  • Summary: UK Passports vulnerable to brute force attack
    CVE: None
    Date: Mar 07 2007 10:25PM
    Credit: Adam Laurie is credited with discovering this issue
    Vulnerable: UK Passport >= 2006
    Not vulnerable: UK Passport < 2006

    Lack of security checking or strong passwords allows an attacker to gain access
    to personal details stored on the passport by launching a brute force or
    dictionary attack. An attacker would need access to a region of a few
    centimeters around the

I don't want to achieve immortality through my work. I want to achieve immortality through not dying. -- Woody Allen

Working...