
RFID Passports Cloned Without Opening the Package

Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."
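The summary's point that the key "is not random" can be put in numbers. The sketch below is an added example, not taken from the article or the comments; the field sizes, the count of unknown passport-number digits and the expiry window are illustrative assumptions.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:
    name: str
    blind: int     # candidate values with no outside knowledge
    informed: int  # candidates left after the deductions the summary describes

def model(unknown_digits: int, expiry_window_days: int):
    # All sizes are assumptions for illustration, not figures from the article.
    return [
        # Assumed 9 numeric digits, some fixed by predictable elements
        # such as the issuing-office identifier.
        Field("passport number", 10**9, 10**unknown_digits),
        # Summary: the holder's date of birth was easy to identify.
        Field("date of birth", 365 * 100, 1),
        # Summary: expiry is issue date + 10 years, known to within days.
        Field("expiry date", 365 * 10, expiry_window_days),
    ]

def key_space(fields, informed: bool) -> int:
    total = 1
    for f in fields:
        total *= f.informed if informed else f.blind
    return total

def report(unknown_digits: int = 4, expiry_window_days: int = 7) -> dict:
    fields = model(unknown_digits, expiry_window_days)
    blind = key_space(fields, informed=False)
    informed = key_space(fields, informed=True)
    return {
        "per_field_bits": {f.name: (round(math.log2(f.blind), 1),
                                    round(math.log2(f.informed), 1))
                           for f in fields},
        "blind_bits": round(math.log2(blind), 1),
        "informed_bits": round(math.log2(informed), 1),
        "informed_candidates": informed,
    }

if __name__ == "__main__":
    r = report()
    for name, (b, i) in r["per_field_bits"].items():
        print(f"{name:16s} {b:5.1f} bits -> {i:4.1f} bits")
    print(f"total            {r['blind_bits']:5.1f} bits -> {r['informed_bits']:4.1f} bits")
    print("a uniformly random 128-bit key would stay at 128.0 bits")
```

Under these assumptions the key drops from roughly 57 bits of uncertainty to about 16, which is the design flaw the summary describes: every input to the key is something an observer can narrow down from outside the envelope.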
  • Re:Ohhh (Score:4, Informative)

    by Sunburnt ( 890890 ) on Wednesday March 07, 2007 @03:23PM (#18265922)
    Not sure about the effects on a UK passport holder, but you can still use [state.gov] a U.S. passport if the RFID is disabled. The only advantage of having one seems to be shorter lines at Immigration. (Which isn't true yet, at least at LAX as of two weeks ago. They're probably waiting for more people to get the new passports before they set up the equipment.)
  • by OriginalArlen ( 726444 ) on Wednesday March 07, 2007 @03:30PM (#18266026)
    ...that's Adam [rfidiot.org] Laurie [google.co.uk]! The godlike genius of Shepherd's Bush! Seriously though... he's something of a geek hero to me. Dunno why (apart from respect for a fellow-survivor of Bush) -- lots of other people write code and do research, but he just seems like such a nice chap with it.
  • by rufey ( 683902 ) on Wednesday March 07, 2007 @03:31PM (#18266030)
    Yes, this really did happen on Press Your Luck. The contestant was Michael Larson. He had spent quite a bit of time before appearing on the show analyzing how the different squares on the board flashed and in what sequence. He managed to win over $100,000 USD on the show.

    More can be found at Snopes [snopes.com] and at Wikipedia [wikipedia.org].

  • by mrtexe ( 1032978 ) * on Wednesday March 07, 2007 @03:34PM (#18266060) Journal
    Secretary Chertoff, US Department of Homeland Security: RFID passports to be abandoned [playfuls.com].

    That said, it looks like some of these passports are out there already. Secondly, I haven't come across a definitive statement or timeline from DHS as to when RFID passports will be abandoned.

  • by unPlugged-2.0 ( 947200 ) on Wednesday March 07, 2007 @03:34PM (#18266070) Homepage
    As a software developer in the RFID industry and trying to effectively merge open source and RFID I always hear these kinds of things from our clients, slashdotters, family and random people on the street. RFID is insecure, it's the end of the world, we are all going to be puppets, you wouldn't believe the kind of responses I get during Thanksgiving.

    And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that RFID in and of itself is insecure.

    The truth is that tags can be secure or they can be cheap but very rarely both. It is impossible to be able to have them both with the current economies of scale. The ones used in the passport are most definitely not the high-end tags with memory and cryptographic capabilities. There are some active tags that can do public/private key validation but they also cost a fortune. The governments are going to go with the cheapest version.

    They know full well it is going to be cracked. It is not a big deal as it is not that hard to steal or copy the current passport anyways so they have not really digressed. This was meant to be a pilot (that somehow went into production) to check how efficient it could be and also serve as a vehicle for making further enhancements and putting more data.

    As other slashdotters have pointed out it is still impossible to actually modify the information on the tags. When this is possible then that is really newsworthy because now people can actually change other people's information and wreak havoc.

    But until then there are far easier and cheaper ways to find out someone's Social Security and date of birth on the web.

  • by BarryJacobsen ( 526926 ) on Wednesday March 07, 2007 @03:47PM (#18266230) Homepage
    Off the topic of TFA, more info relating to Michael Larson (the PYL contestant mentioned in the post above) http://en.wikipedia.org/wiki/Press_Your_Luck#Michael_Larson [wikipedia.org] and http://gscentral.net/larsen.htm [gscentral.net]
  • Re:So what? (Score:5, Informative)

    by Kristoph ( 242780 ) on Wednesday March 07, 2007 @04:29PM (#18266768)
    I cannot believe this was voted insightful.

    A copy of 'biometric' passport information has no value in a security context. If a copy of a passport is created using the biometric information then, obviously, that biometric information will not match the passport holder which will mean he/she will be identified as carrying a forged passport. If the biometrics are changed the digest of the passport information will be invalid and so, again, he/she will be identified as carrying a forged passport.

    This is really only an issue because someone can get your personal information (for use in, for example, financial identity fraud) without having to actually open any of your mail.

    ]{
