RFID Passports Cloned Without Opening the Package 168
Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."
Re:Ohhh (Score:4, Informative)
That's no "security researcher"... (Score:3, Informative)
Re:Does anyone remember Press Your Luck? (Score:5, Informative)
More can be found at Snopes [snopes.com] and at Wikipedia [wikipedia.org].
RFID passports to be abandonded? (Score:2, Informative)
That said, it looks like some of these passports are out there already. Secondly, I haven't come across a definitive statement or timeline from DHS as to when RFID passpots will be abandonded.
RFID is not going to save the world (Score:5, Informative)
And what I tell everyone is RFID is not the end-all technology to solve every identification need. Also there is no one kind of tag so it is silly to say that RFID in and of itself is insecure.
The truth is that tags can be secure or they can be cheap but very rarely both. It is impossible to be able to have them both with the current economies of scale. The ones used in the passport are most definitely not the high-end tags with memory and cryptographic capabilities. There are some active tags that can do public/private key validation but they also cost a fortune. The governments are going to go with the cheapest version.
They know full well it is going to be cracked. It is not a big deal as it is not that hard to steal or copy the current passport anyways so they have not really digressed. This was meant to be a pilot (that somehow went into production) to check how efficient it could be and also serve as a vehicle for making further enhancements and putting more data.
As other slashdotters have pointed out it is still impossible to actually modify the information on the tags. When this is possible then that is really newsworthy because now people can actually change other people's information and wreak havoc.
But until then there are far easier and cheaper ways to find out someone's Social Security and date of birth on the web.
Re:Does anyone remember Press Your Luck? (Score:2, Informative)
Re:So what? (Score:5, Informative)
A copy of 'biometric' passport information has no value in a security context. If a copy of a passport is created using the biometric information then, obviously, that biometric information will not match the passport holder which will mean he/she will be identified as carrying a forged passport. If the biometrics are changed the digest of the passport information will be invalid and so, again, he/she will be identified as carrying a forged passport.
This is really only an issue because someone can get your personal information (for use in, for example, financial identity fraud) without having to actually open any of your mail.
]{