RFID Passports Cloned Without Opening the Package 168
Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."
I get it... (Score:1, Insightful)
That way, we can insist there are no terrorists, only home grown bad guys, and we can spend a few billion more dollars on less lethal weapons, killing our own citizens in the name of the greater good!
????
Profit!
Packaging (Score:3, Insightful)
One of the problems with RFID (Score:5, Insightful)
While it is a great technology for information such as Barcode scanning and inventory tracking, its use in biometrics, identification and access controls is less secure. Transmitting significant and irrevocable information in an RFID pulse is irresponsible.
Where a barcode is ubiquitous and the concept of "stealing" it is silly, and even where the ID number of a "proxmity card" employee ID badge is easily revocable, information stored on a passport, such as biometrics, permanent identification numbers and the like are not revocable.
If you have such a passport, it is advisable that you either fry the RFID chip (i am not responsible for the legal issues surrounding it) or you store your passport in a metal safe, where RF cannot pass. There are already bags on the market with an integrated faraday cage, it is not entirely practical to keep your RFID identity perpetually in this bag while traveling (not to mention the headache at the airport screening area with a metal-laced bag). [tgdaily.com]
In short, this new RFID identity system is one of the most ill-advised and potentially dangerous (vulnerable to easy identity theft) systems in recent history, and is simply ASKING for people to duplicate it, while providing no benefit other than the government control ("papers please") that it demands.
Stewed
Because It's a Dumb Chip! (Score:5, Insightful)
The primary goal is to have a document that's harder (it's never impossible) to forge and easier to collect and process entry/exits. That's it. End of story.
It's not a silver bullet. Treating it as such is demanding something you won't ever get.
Re:Packaging (Score:2, Insightful)
This implies, at least to me, that there is no security whatsoever protecting it from being read, closed or open. Are we to believe that this is seriously the best that they could come up with?
Re:Because It's a Dumb Chip! (Score:3, Insightful)
Re:Because It's a Dumb Chip! (Score:3, Insightful)
Re:So what? (Score:5, Insightful)
Yes.
A distinction without a difference. An organisation (and it doesn't matter if this is a terrorist group or a run-of-the-mill little mafia type operation) coöpts a few postal employees. Not particularly hard to do. Those employees use a relatively inexpensive piece of equipment to scan the passports that pass through their hands. This is nearly instantaneous, and non-invasive, so good luck noticing that. The passports go right along to their intended recipients with no delay, and no one's the wiser. Yet the organisation now has all the information needed to create forged passports with valid data, which will raise no flags when used and allow their operatives to assume the identity of the citizen. All the supposed security benefits of the plan are gone, in fact, it's worse than old-style passports from a standpoint of security.
Depends on how good your receiver is. Just because customs will be using an el cheapo setup that needs to be within ten inches to read the signal doesn't mean that no one will be able to construct a better reader. You think that's a *minor* issue? That someone could steal your identity, or detonate a bomb, based on that information without even having to set hands on your passport? Sounds pretty major to me.
Re:Same old Daily Mail (Score:5, Insightful)
You know, it's not just governments concerned about illegal immigration. It's residents, too. Illegal immigration does help keep prices low, but it also helps drive down wages by reducing the value of laborers.
As such, they would be remiss in not mentioning it, as it is of interest to their readership.
Re:No No! No! (Score:5, Insightful)
1. Create a falsified passport jacket capable of holding a chip and antenna.
2. You embed the _right_ chip with the _right_ number encoded (oh yeah, you need to encode the chip) AND the _right_ antenna required for the chip in your garage into the faked passport jacket.
3. Create secure paper used in passport.
4. You'll need to work up all of the print security features.
It's not trivial, it's not a silver bullet it's not a fake ID you used to buy beer in college. Stop expecting more from the new passport than the design requirements fulfill.
Re:Because It's a Dumb Chip! (Score:3, Insightful)
So if you "need" a chip to handle the data, what's wrong with using a CONTACT-read chip like those on credit cards?
Sticking the passport in a slot is THAT much more inconvenient than waving it over a reader that you have to make the passport subject to drive-by scanning?
(Just imagine the next generation of "wardrivers". The term might end up being literal.)
Re:If you want something done right... (Score:5, Insightful)
Most agencies are more fiscally responsible then most corporations.
Go the the ligrary and look at all the projects that get done.
remember, with a company all you here is the success, with the government all you hear about is the problems.
90% of all government projects are done on time, 90% of all corporate projects fail.
*and they should
Re:Ohhh (Score:5, Insightful)
If you read the article, the cloning took place while it was IN TRANSIT TO the intended receipient - which means that ANYONE getting a Passport through the mail could have their Passport cloned BEFORE they ever GET it.
Without the package that the Passport is shipped in EVER BEING OPENED!
Try reading for content next time.
So, even if you disable the RFID after you GET it, the thing has been compromised BEFORE you ever get your hands ON it!
RFID = Real Fast Identity Destruction... courtesy of Homeland Security and the rest of the paranoids who don't understand technology up on the Hill who probably think that RFID is "totally tubular, man! Like the internets!"
And I will bet long odds that this post gets me audited - again - too.
Re:So what? (Score:3, Insightful)
Not true.
There's a lot to be said for not bothering to forge passports anyway - sooner or later customs at most first-world countries will probably link up, so the passport number can be checked instantly against a database to make sure the details match up. The only way a "forged" passport will work then is if it's not forged at all, but rather made with the collusion of someone at the passport office.
However, if you can duplicate a passport, you can pretend to be someone else. Someone who (you hope) has no criminal record and is not even vaguely interesting to the authorities. With access to a crooked person in authority, you can confirm this. Without such access, you simply make a few flights and see if you get stopped. The only way I can see around this is if government starts tracking where everyone is, and if the passport handed over at customs belongs to someone you know for a fact was a thousand miles away only ten minutes ago, you know something fishy's going on. But we're a long way from having that level of technology - and while I absolutely hate the sound of it, I wouldn't be even remotely surprised if someone in government is mulling it over right now.
Re:The terrorists have won. (Score:3, Insightful)
You call yourself a libertarian and you can't see the internal inconsistency in that position?
Sigh, what happened to the good old days when libertarians were people who had read and understood Ayn Rand? Our borders are our gated community, how else keep out people who are opposed to the libertarian ethic? (I.e., who want to take things from us by force or fraud.)
Re:Same old Daily Mail (Score:2, Insightful)
Re:No No! No! (Score:2, Insightful)
1. Read and crack data without being detected(this is perhaps easier than stealing a traditional passport).
2. Forge now even more legitimate passport using cracked data.
Re:One of the problems with RFID (Score:3, Insightful)
The question is not just, "Is an RFID passport secure authentication?"
The question is, in the big picture when all costs and all benefits are accounted for, are RFID passports a good value compared to the previous system?
The ability to clone a passport that is in a sealed envelope is a significant cost compared to the previous system because it opens up a whole class of attacks that did not exist previously. Factor in other costs, like the direct cost of the equipment upgrades and the inevitable over-reliance on the system by the people who check passports, the risk to American Freedom from ever expanding government and corporate databases with semi-public access, and even the ability to remotely detect a passport's presence without decrypting the contents (the RFID equivalent of walking around with a sign on your back that says "I'm an American, kick my ass") and the cost-benefit ratio of RFID passports starts to look really, really poor.
Re:Same old Daily Mail (Score:5, Insightful)
Having grown up in Santa Cruz, which is in a highly agricultural area, and now living in Kelseyville, which is/was the Pear capital of the world (lots of pears coming out and grapes going in these days though) I'm pretty highly aware of the jobs they do.
What? That sentence doesn't really say anything. There are no farms, for example, that could not get American laborers at 30 bucks an hour. That's over 10 bucks an hour. Maybe we could revisit this point?
I'm not sure what that has to do with anything. Lots of people in the US need a new life, too.
Well, that's precisely my point. The farmer needs to charge more in order to pay more. As long as some employers are happy to hire illegals, they can charge less, and that makes them more competitive. So their competitors are forced to do the same thing.
Consequently we have cheap produce... but it's only cheap at the store. The simple fact is that every taxpayer in America is subsidizing that "cheap" food. We're paying for medical care for these immigrants, for example. Their employers work them part-time or they otherwise do not receive benefits. They do not pay taxes, or if they do pay taxes, their income is underreported and they're using someone else's SSN (in fact one used mine one year, but they reported only a few dollars of income so it didn't actually harm me.) There is also a very real issue with Mexican (in particular) gangs, especially in California. This is not a joke, this is not a made-up problem designed to scare people. It's real, and it's here. And it is largely a result of illegal immigration.
Now, look at the alternative to illegal immigration. If people are here legally then they can afford to report labor code abuses, because they don't just get kicked out of the country when they interface with the law. So this tends to have the result that people who are worked full-time actually get their benefits, and they have health insurance. So now they no longer need to depend on the taxpayer for medical care.
Of course, it also has the effect that food appears more expensive on the store shelf, or in the produce aisle, et cetera. But in fact the ACTUAL costs may go down overall! I say "may" because let's face it, I am not an economist, and I have not run the numbers. But I'm also not a complete idiot and I'm capable of understanding simple cause and effect.
What we have created is a system that encourages unemployment. It reduces not only the total number of jobs, but also the number of jobs capable of supporting a family. Wouldn't it be better if food cost a little more, or in some cases even a lot more, and the actual cost were reflected directly at the store shelf?
That's not really true. We only see different problems now. One issue is that we the US have constantly sought to degrade the quality of life south of the border in order to protect our pool of ready and willing labor. NAFTA, for example, was simply another way to fuck over the Mexicans. And now that manufacturing is cheaper in other countries, we just take whatever is valuable (even for scrap) and abandon the factories to sit and rust on the polluted ground we left them on, and move our manufacturing, so that Mexico really gets nothing out of it. But long be
Re:I get it... (Score:1, Insightful)
Uh, don't look now, but all of the 9/11 hijackers *weren't* terrorists until the morning of 9/11.
This won't change, either. If you're trying to deal a terrorist attack against a target, you're going to use people who have demonstrated their ability to get past security [mit.edu], not known terrorists.