Hackers Clone Elvis' Passport

Barence writes "Hackers have released source code that allows the 'backup' of RFID-protected passports, although the tool can potentially be used to create fake or cloned documents. The Hacker's Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport, it is revealed to belong to one Elvis Aaron Presley, complete with picture. Reports of the hackers serenading security staff with 'Are You Clonesome Tonight' are unconfirmed."

hilarious!

[Anonymous Coward]

I wonder if it would be possible to just have a bunch of RFID chips along with your passport so they weren't sure which one they were reading? Although elvis would probably give it away :P

Re:Misconfigured scanner

[prefect42]

Schneier looks to be wrong about multiple CAs. They don't cause the problem he's talking about.

Without having a global CA:

UKCA can make certs
USCA can make certs

I trust certs from both CAs. I only trust UKCA with certs /C=UK and USCA with /C=US. Both CAs can make certificates for the other country, but that doesn't mean the end user trusts it.

jh

Re:Be careful...

[Patrick Georgi]

At least in Germany, ID cards are considered to be federal property, so changing data on it could be considered malicious mischief.

Re:Obligatory

[dkleinsc]

Ever since that cracker got me
I found a new place to dwell.
It's down at the end of cloned street
At pwned hotel.

(chorus)
You make me so cloned baby,
I get so cloned,
I get so cloned I could die (again and again).

And although its always crowded,
You still can find some room.
Where broken hearted users
Do cry away their gloom.

(chorus)

Well, the spammer's mail keeps flowin,
And the desk clerks dressed in black.
Well they been so long on cloned street
They ain't ever gonna look back.

(chorus)

Hey now, if a cracker gets you,
And you got a tale to tell,
just take a walk down cloned street
To pwned hotel.

Sorry, proves nothing

[BLKMGK]

This isn't a security scanner anymore than the previous scanner he checked out at his local Govt building - in fact it's probably nearly the same damned thing! This is simply a device that is showing the data on the chip - I'm not convinced that it is doing ANY security checks that a "real" security scanner would do. How smart would it be to put a machine out with the same checks as a security portal to allow counterfeiters to practice on? Umm, Duh?? Cloning easy, modifying of data NOT!

Yes, the data has been modified and the signature broken, it remains to be seen what the scanner will do when it sees a broken signature or self signed cert on the passport. As was explained in the talk at BH SOME countries HAVE exchanged PKI information so at least some countries ought to be aware of what the signature SHOULD look like and SHOULD be able to spot fakes. It's also not clear that modifying the security file on the passport to change what security protections it reports isn't going to be spotted either since passing THAT information is also possible. Lastly, passing trusted PKI around need not actually take place - if I see 500 German passports who ALL have the same PKI signature and 1 that doesn't it's a pretty good bet that the *1* has an issue! No secret squirrel passing of certificates required in that case.

Bottom line is - no one knows exactly what the various security stations will actually check for and how closely they really follow the lax security of the Gold Disk standard that much of this presenters testing was based off of. The only way to know any of this is to attempt to USE one of these or get the Govt's to talk - what are the chances of THAT?!

So, interesting demo but I'm not convinced it proves that fake passports with *modified* data can be made. At least some better understanding of how the data is being stored and interacted with has occurred I'd say...