Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Privacy Government Technology News

Hackers Clone Elvis' Passport 164

Barence writes "Hackers have released source code that allows the 'backup' of RFID-protected passports, although the tool can potentially be used to create fake or cloned documents. The Hacker's Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport, it is revealed to belong to one Elvis Aaron Presley, complete with picture. Reports of the hackers serenading security staff with 'Are You Clonesome Tonight' are unconfirmed."
This discussion has been archived. No new comments can be posted.

Hackers Clone Elvis' Passport

Comments Filter:
  • Obligatory (Score:5, Funny)

    by Gandalf_Greyhame ( 44144 ) on Thursday October 02, 2008 @04:31AM (#25230631) Journal

    Elvis has left the building

  • by codefrog ( 302314 ) on Thursday October 02, 2008 @04:37AM (#25230667)

    That little problem goes right away... just add "Elvis Aaron Presley" to the no-fly list.
    We is all secured again, and permanently this time!

  • Be careful... (Score:3, Insightful)

    by Anton Styles ( 1336251 ) <antonstyles@nOSpam.gmail.com> on Thursday October 02, 2008 @04:46AM (#25230713)
    Personally, I'd be rather careful when it comes to ID fraud... Don't want to end up doing the Jailhouse Rock
    • Re: (Score:2, Funny)

      You have a Suspicious Mind.
    • Re: (Score:3, Insightful)

      by Thiez ( 1281866 )

      Actually, the Dutch don't own a little piece of Cuba, so no need to panic. Also, laws are relatively sane, so I doubt the people who did this are going to get in trouble, especially since the copied passpart is so obviously fake, and merely proof-of-concept instead of something to be used in an evil plot to take over the world.

      • Re:Be careful... (Score:4, Interesting)

        by Patrick Georgi ( 1355115 ) on Thursday October 02, 2008 @06:36AM (#25231167)
        At least in Germany, ID cards are considered to be federal property, so changing data on it could be considered malicious mischief.
        • Re:Be careful... (Score:5, Insightful)

          by Incadenza ( 560402 ) on Thursday October 02, 2008 @06:47AM (#25231221)
          In the Netherlands passports are state property to. If your passport gets lost, you have to pay for a replacement (obviously) *plus* you get fined for losing government property!
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Except in the video, you see they are using a simple blank card. So the ID cards where not from the government in the first place.

          The detection equipment is probably build and bought by private companies, so fooling these also do not involve the government either.

        • Re:Be careful... (Score:4, Insightful)

          by Thiez ( 1281866 ) on Thursday October 02, 2008 @07:06AM (#25231323)

          The card they use in the video doesn't appear to be a real passport, only the chip (that may or may not have been removed from a password). Even if what they did is illegal, I would be extremely suprised if anyone involved were to end up in prison, although they may be fined, especially if they got the chip out of a real passport (like you suggested).

      • Re:Be careful... (Score:4, Insightful)

        by EasyTarget ( 43516 ) on Thursday October 02, 2008 @06:48AM (#25231227) Journal

        Unfortunately the current mob in (sort of ) charge here are right up the illiberal-fuck brigade's arse.

        When it was recently demonstrated that the new national travelcard is broken (Mifare [computerworld.com]) the response was a typical mixture of outrage, damming everybody as criminal, and refusing to accept that people with science degrees are a darn sight smarter than the bunch of PR/MBA wankers who fell for the Mifare sales spin.

      • America also doesn't own a piece of Cuba, it's leased, and the lease is disputed.

        • Possession is 9/10s of the law... and in this case the other tenth doesn't belong to the person who argues it in court with a lawyer, but to the person with the "Peacekeeper*" aimed at anybody who disagrees

          *Yeah, I know, all of the peacekeeper missiles have been decommissioned, but the point still stands

    • "Personally, I'd be rather careful when it comes to ID fraud... Don't want to end up doing the Jailhouse Rock"

      In the US...is it actually against the law to carry fake ID? Is there a law that actually requires you to carry proper ID....?

      I mean...is it against the law, for me to identify myself as Joe Shmoe...all day long...as long as I don't actually try to commit a crime under that name or commit fraud under that name?

      I think the only time you're actually obligated to identify yourself, is to the cops i

  • by Krneki ( 1192201 ) on Thursday October 02, 2008 @04:47AM (#25230721)
    I dare anyone to fake the ID of Osama Bin Laden and try to get to the US.
  • by Anonymous Coward

    This "hack" just worked because scanner they used to validate the passport permitted self signed certificates.

    Of course, it is good to show that scanners must be properly configured to be any good.

    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Thursday October 02, 2008 @05:11AM (#25230835)
      Comment removed based on user account deletion
      • Re: (Score:3, Interesting)

        by prefect42 ( 141309 )

        Schneier looks to be wrong about multiple CAs. They don't cause the problem he's talking about.

        Without having a global CA:

        UKCA can make certs
        USCA can make certs

        I trust certs from both CAs. I only trust UKCA with certs /C=UK and USCA with /C=US. Both CAs can make certificates for the other country, but that doesn't mean the end user trusts it.

        jh

  • by BackwardHatClub ( 763903 ) on Thursday October 02, 2008 @04:59AM (#25230787)
    Please remove your blue suede shoes.
  • Bad title (Score:5, Insightful)

    by L4t3r4lu5 ( 1216702 ) on Thursday October 02, 2008 @05:27AM (#25230917)
    You can't clone Elvis' passport; They didn't have access to the original.

    They created a passport with fake details which matched the identity of another person. Nothing was cloned. I bet it wasn't even his passport picture, but a stock photo from the web.
    • by apt142 ( 574425 )
      Ah... but the real question is: Why did they use the young Elvis Picture over the Old Fat Elvis Picture?

      Maybe they didn't clone Elvis' passport but made Clone Elvis' passport.

      Completely brain dead minds want to know...
    • Re:Bad title (Score:5, Insightful)

      by wvmarle ( 1070040 ) on Thursday October 02, 2008 @08:20AM (#25231949)

      Which, from the face of it, makes the feat even more impressive. Cloning means "simply" reading the data from one passport, and copying it onto another. It is not necessary to decrypt this data, as long as the chip is tricked into releasing it.

      Instead, they created a completely new data set, put this on the chip, and programmed the chip so it correctly answers to the challenge posed by the reader.

      Now the idea of having the data encrypted in the passport chip may be wishful thinking of course... I would expect it is encrypted, if not then it's of course one step less for these hackers. At the very least I would expect some cryptographic checksum, based on some secret key or so, to verify that the passport (i.e. the data on the chip) has been government issued.

      No matter what, a neat hack, and scary that it is possible in the first place.

  • I have no idea what kind of console that is, but it doesn't look like much of a "security console" to me.

    This movie only shows that they have succesfully created a cloned passport, and that the scanner does not do any security checks. This was already demonstrated some time ago [os3.nl] at a local town hall.

    Doing this again at an airport adds nothing but hype. It does not prove that security in those things is broken.

    • by Ren Hoak ( 1217024 ) on Thursday October 02, 2008 @06:28AM (#25231143)
      It does not prove that security in those things is broken.
      Ok, so by your words, being able to create a document that contains blatantly false information, and successfully using that document to bypass security doesn't prove that "security in those things is broken". What, pray tell, would be required beyond this to demonstrate that security is broken? Because, you see, in my simple view of things, if you are "Bob" and security is on the lookout for "Bob", and you show them a modified password claiming that you're "Neil", and security lets you through because as far as they can tell you aren't "Bob", security has been compromised. When security is based on human inspection of said passport, clearly it's subject to human error. When security is electronically based, such as the case with RFID, all but the most basic of human interaction should be removed from the "is this a real passport?" equation.
      • by BLKMGK ( 34057 )

        What security portal EXACTLY did he bypass? The device he used to scan this simply read the RFID and barfed the data to the screen. It did ZERO signature checking on the PKI encrypted data else it would have flagged the signature as either being broken or signed by an invalid CA.

        What part of that did you not understand? The post you responded to is 100% correct and accurate.

        • by BLKMGK ( 34057 )

          Actually not 100% correct - this isn't a cloned passport. This is a modified passport else the signature would be correct and it would pass any security check in the world that only looked at the RFID data.

          Cloned passports aren't an issue, modified passports that pass crypto checks would be an issue. This passport is modified but it does NOT pass those checks when done properly - the person doing this work will say as much if you ask him and it's something he makes plain in his talks - or did at BH anyway.

          C

          • Actually, even cloned passports are an issue. They're just one you can't do a lot about very easily.

            They're an issue because if you can find someone who looks vaguely like you and clone their passport with or without their cooperation, you can assume their identify. Just alter your features a bit from what is in the picture. If they have medium-long hair, get a buzz cut. If they have no facial hair, grow a bear, mustache. Or vice versa. This is especially effective if you are in a minority in the coun

            • by BLKMGK ( 34057 )

              Fingerprint information IS being placed in some passports I believe and the accuracy is high enough and the scan speed quick enough that I do not think it will be feasible to use a cloned passport. Modified passports are the danger, right now I do not think there's enough information out there on how the various specific systems act when presented with faulty passports to know just how bad this issue might be. Even this researcher didn't og so far as to try it on a real machine! Really, who wants to be the

      • Except in this case "Bob" is not pretending to be "Neil", he's pretending to be "Jesus H. Christ". You'd figure someone, somewhere would throw up a red flag at that.
  • by HungryHobo ( 1314109 ) on Thursday October 02, 2008 @06:00AM (#25231047)

    "Never let a computer do a job that can be done by a human."
    I just can't agree with this.
    People can be fooled easily enough and the more that's automated properly the better. A human(well thousands of them) *could* do all the interest calculations at your bank but it would be stupid to do it that way.

    There are loads of jobs out there which are better done by machines.

    • He left out a key word: "better", so rewrite it as this:

      Never let a computer do a job that can be done better by a human

      As you said, there are lots of jobs that computers are better at; I imagine the best case scenario (in a dream world?), when it comes to security, would be a combination of computer and human security.

      But that's just my armchair opinion.

    • There are pros and cons of both humans and computers.
      One big drawback with computers is that when you find a way to fool them, you can use that over and over again (until a human intervenes).

      A human can realise that the ruleset is inadequate for the job, and raise questions. Like if a passport image checks out with the facial recognition that matches facial features, but the person on the picture is clearly asian while the person in front of him is caucasian. A fully automated system would let this pass o

  • Hahahahahaha (Score:4, Informative)

    by Jane Q. Public ( 1010737 ) on Thursday October 02, 2008 @07:06AM (#25231327)
    Hahahahahahahahahahahahahahahaha! Hahahahahahahahahahaha!

    Of course we already knew, when U.S. passport encryption was broken in all of 2 hours, that this was inevitable.

    And the government did it all in the name of more "security".

    But as we know, it is actually less freedom, and LESS security. This is just more proof.
    • by BLKMGK ( 34057 )

      Umm, you do not know what you are talking about. By all means provide a link to a credible source on the crypto on the US passports being broken. Note that the same crypto is being used around the world - it's part of a "STANDARD" and is using a lengthy known good crypto algorithms.

      All this demo proves is that there are devices happy to read the RFID and not do any security checks. As this presenter has explained in his talks modifying this data, the way he does it, requires either a self signed cert or a b

      • The fact that the type of cloning mentioned in this article does not necessarily require cracking does not mean that it was not done or not doable. Quite the contrary. These stories have been all over the internet. First, a biometric passport issued by the Dutch government was cracked in under 2 hours (and read from a distance, by the way). An article about that was linked to right here on Slashdot:

        http://yro.slashdot.org/article.pl?sid=08/08/07/0214220 [slashdot.org]

        This type of passport meets international sta
        • by BLKMGK ( 34057 )

          Sorry, NOT cracked! Cloning != cracking. Figuring out the 3DES key to have a conversation with the chip in order to CLONE it is != to "cracking it". Reading a passport simply gives you the data off of it, it does NOT allow you to MODIFY that data. Go ahead and make a COPY of the passport - if you've got a twin and the passport doesn't have biometric data on it.

          What YOU are misunderstanding is that 3DES is NOT the crypto that underlies the PKI signature that protects the data ON the passport from being MODIF

          • Quote: "Figuring out the 3DES key ... is != to 'cracking it'"

            If getting someone's encryption key is not "cracking" their encrypted data, then what is? I would be interested to know your definition. In just about everybody else's opinion, getting someone's encryption key is "cracking" their encryption.

            (We are NOT talking here about "cracking" 3DES... that is another subject entirely. If you thought so, I do not know where you got that idea. I never made that claim. This conversation is about "cracking"
  • by BLKMGK ( 34057 ) <morejunk4me.hotmail@com> on Thursday October 02, 2008 @07:57AM (#25231727) Homepage Journal

    This isn't a security scanner anymore than the previous scanner he checked out at his local Govt building - in fact it's probably nearly the same damned thing! This is simply a device that is showing the data on the chip - I'm not convinced that it is doing ANY security checks that a "real" security scanner would do. How smart would it be to put a machine out with the same checks as a security portal to allow counterfeiters to practice on? Umm, Duh?? Cloning easy, modifying of data NOT!

    Yes, the data has been modified and the signature broken, it remains to be seen what the scanner will do when it sees a broken signature or self signed cert on the passport. As was explained in the talk at BH SOME countries HAVE exchanged PKI information so at least some countries ought to be aware of what the signature SHOULD look like and SHOULD be able to spot fakes. It's also not clear that modifying the security file on the passport to change what security protections it reports isn't going to be spotted either since passing THAT information is also possible. Lastly, passing trusted PKI around need not actually take place - if I see 500 German passports who ALL have the same PKI signature and 1 that doesn't it's a pretty good bet that the *1* has an issue! No secret squirrel passing of certificates required in that case.

    Bottom line is - no one knows exactly what the various security stations will actually check for and how closely they really follow the lax security of the Gold Disk standard that much of this presenters testing was based off of. The only way to know any of this is to attempt to USE one of these or get the Govt's to talk - what are the chances of THAT?!

    So, interesting demo but I'm not convinced it proves that fake passports with *modified* data can be made. At least some better understanding of how the data is being stored and interacted with has occurred I'd say...

  • RFID does not protect technology. Saying something is "RFID-protected" is just like saying "my access point is WiFi -protected". Eh?

    RFID is a carrier technology, with a number of different frequency bands, with each of their own application area: some can be read from afar, some offer high transfer speeds, some work well close to metal, some need large antennas and some need small ones.

    Some RFID tags just contain an ID (and are usually of high range and low speed), and some tags contain loads of data (mea

  • Obvious Fake (Score:4, Informative)

    by jea6 ( 117959 ) on Thursday October 02, 2008 @08:10AM (#25231849)

    For conspiracy theorists: Elvis' middle name was Aron, not Aaron, right?

    Wikipedia says "Presley's genuine birth certificate reads "Elvis Aaron Presley" (as written by a doctor). There is also a souvenir birth certificate that reads "Elvis Aron Presley." When Presley did sign his middle name, he used Aron. It reads 'Aron' on his marriage certificate and on his army duffel bag. Aron was apparently the spelling the Presleys used to make it similar to the middle name of Elvis' stillborn twin, Jesse Garon. Elvis later sought to change the name's spelling to the traditional and biblical Aaron. In the process he learned that "official state records had always listed it as Aaron. Therefore, he always was, officially, Elvis Aaron Presley." Knowing Presley's plans for his middle name, Aaron is the spelling his father chose for Elvis' tombstone, and it is the spelling his estate has designated as the official spelling whenever the middle name is used today. His death certificate says "Elvis Aron Presley." This quirk has helped inflame the "Elvis is not dead" conspiracy theories."

  • For just a minute, I thought hackers had successfully cloned Elvis. Then I saw it was just his passport.

    Oh well, it's a start.

  • I've seen some time ago on BBC Lukas Gruenwald from Germany reading his own passport data.
  • Anyone who knows ANYTHING about Elvis lore, knows that his name was oddly spelled:

    Elvis ARON Presley.

  • Some of you may feel this is not "newsworthy", but this illustrates a very important point. Lets look at the whole voting machine mess. The machines were CERTIFIED by the States they were used in. That means that the certifying body agreed that they met all requirements. Yet, once hackers found all of the security flaws in the system, the voting machine manufacturers were "lynched" in the court of public opinion. Lets look at the whole financial mess we are in. The Federal Government is paid by taxpay
    • by HTH NE1 ( 675604 )

      Aren't RFID passports just DRM for people? DRM is a proven unsolvable problem. Why expect them to get it right?

  • The data, photo and all, are actually stored on the passport? Why doesn't the passport just have an ID that's linked to the TSA's database and the rest of the information pulled from there?

    This seems like really bad architecture if true...

    • Re: (Score:3, Insightful)

      by Sique ( 173459 )

      Because passport data is supposed to be read by foreign authorities. Or would you vote for a big worldwide database containing all humans passport data, and accessible by every gouvernment of the world?

  • Everybody knows Elvis is still alive.

  • ...But an astute security screener would note that Elvis Aron Presley's middle name was misspelled, and have cops swarming all over the passport holder in seconds.

  • I'm too young to get all the jokes in the comments! :(

You know you've landed gear-up when it takes full power to taxi.

Working...