Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Hackers Clone Passports In Driveby RFID Heist 251

pnorth writes "A hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco. Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration. During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said. Paget is best known for having to abandon presenting a paper at the Black Hat security conference in Washington in 2007 after an RFID company threatened him with legal action." Apparently this is a little unfair — he sniffed the data, he didn't actually make a fake passport.
This discussion has been archived. No new comments can be posted.

Hackers Clone Passports In Driveby RFID Heist

Comments Filter:
  • by uncledrax ( 112438 ) on Wednesday February 04, 2009 @08:52AM (#26723981) Homepage

    Jules Verne called, he wants his time-machine back.

    Dupe story:
    http://it.slashdot.org/article.pl?sid=09/02/02/2224255 [slashdot.org]

  • Why is this unfair? (Score:4, Interesting)

    by jimwelch ( 309748 ) on Wednesday February 04, 2009 @08:54AM (#26723993) Homepage Journal

    The RFID is the most important part. Check the rest of the web for more info.

    • Re: (Score:3, Insightful)

      by von_rick ( 944421 )
      True. Your computer records matching up is becoming increasingly more important than you actually showing up. A matching RFID would make things much easier.
      • With this technology widespread it will be so much easier for a nerd criminal to create an alibi or set somebody else up.
        Hell, if we had RFID's spread a couple of years earlier, we would have a stable in-kernel version of Reiser4 now.

        • Carrying a passport along with you on your way to committing a crime is a pretty dumb thing to do. Reiser is a pretty slick programmer, but he was quite a dumb criminal. Tracing a RFID trail to the crime scene would've alerted the detectives of an obvious set up. But I digress.
      • this kind of technology makes people and their information LESS secure, rather than more. Because it makes it far too easy to read someone else's information and clone it.

        The RFID Nazis will be quick to tell you that there is also a unique encryption key in the passports, but as has been pointed out elsewhere, only 5 of the 45 signatory nations supply their keys to the international database, and as long as any of those 45 nations fail to do so, the keys are meaningless because it is possible to clone pa
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      And who really cares? Are you more worried that someone will dupe your information so that when they do "bad stuff" in the overseas country you are in you get nailed hard? Or because it is trivial for a terrorist to rig a bomb on a vehicle to detonate only when three Americans are within range? If you haven't thought that last one through it is very scary. You could plant bombs thoroughly in buses, private vehicles, trains, etc., then watch the spectacle. Random acts of violence with no bomb expert anywhere

    • That's just not true. Maybe *you* should check the rest of the web for more info. [state.gov] The RFID chip only stores a database key - everything else is grabbed from the database using that key. In other words cloning somebody else's RFID is pointless because then it'll be showing the original owner's photo on the security guy's computer display. If the security guy isn't paying attention, then that's a problem with or without the RFID.

      Also, the passport card isn't even required. With a regular passport you

      • by orclevegam ( 940336 ) on Wednesday February 04, 2009 @11:00AM (#26725843) Journal

        That's just not true. Maybe *you* should check the rest of the web for more info. [state.gov] The RFID chip only stores a database key - everything else is grabbed from the database using that key. In other words cloning somebody else's RFID is pointless because then it'll be showing the original owner's photo on the security guy's computer display. If the security guy isn't paying attention, then that's a problem with or without the RFID.

        Ok, so instead of grabbing the RFID of the first guy that walks past, instead they wait around until they see someone that fairly closely resembles them and take that RFID instead.

        Passports aren't even the biggest concern here though, it's more the move to put RFID into all manner if inappropriate items like credit cards, phones (which are then tied to credit cards), clothing (yes really, and not just for inventory tracking), and probably lots of other things we haven't thought of yet. It's one thing for them to clone your passport, it's another entirely for them to clone your credit card.

        Also, the passport card isn't even required.

        ... yet. Pretty soon it will be mandatory, and destroying the RFID chip in your passport will invalidate the passport and earn you a full body cavity search for your trouble no doubt.

        • by techess ( 1322623 ) on Wednesday February 04, 2009 @03:20PM (#26729163)

          You may not even have to find someone who looks all that similar. My husband and I just got our passports renewed and the new "theft prevention" measures makes id'ing someone by the photo difficult. There are so many wavy multicolored lines over the picture that it is very difficult to make out any distinguishing features. We can barely recognize ourselves.

      • by Znork ( 31774 )

        cloning somebody else's RFID is pointless

        Not at all. Reading and storing peoples RFID keys would be a great way to make targeted IED'd. RFID passports and ID cards have to be the assassins or terrorists wet dream.

    • Re: (Score:3, Funny)

      by crabboy.com ( 771982 )

      Check the rest of the web for more info.

      I've been checking the rest of the web, and so far I've come up with almost nothing but porn. I don't see what that has to do with RIFD's...

    • The RFID is the most important part. Check the rest of the web for more info.

      Particularly since trying to actually clone the card is pointless. The data retrieved from the card is all digitally-signed and includes the legitimate owner's image. So just copying all of that to a fake card won't allow you to cross the border under another's identity, unless you can change your appearance to be a sufficiently-close match.

      The real value in grabbing the data is for non-passport identity theft uses or for people tracking. Well, and RFID-hacker publicity uses. None of those require act

  • by nehumanuscrede ( 624750 ) on Wednesday February 04, 2009 @08:58AM (#26724027)

    Recall the man who made his own airline tickets
    not all that long ago?

    Recall the sh*t storm that brought about ?

    Folks are learning the best way to keep the
    lawyers and police off their back is to prove
    the point, but don't go as far as producing any
    thing illegal.

  • by redelm ( 54142 ) on Wednesday February 04, 2009 @08:59AM (#26724033) Homepage
    Seriously ... not tinfoil hats but around your wallet. These RFIDs seem to have greater range than advertised and that is a huge security risk for sniffing.

    Some sort of Faraday Cage will block RFID, or at least their power supply. I do not know whether ferromatnetics like iron and steel are more effective than non-magnetics like aluminum.

    • by jo_ham ( 604554 ) <joham999@gmail.cTIGERom minus cat> on Wednesday February 04, 2009 @09:01AM (#26724051)

      I was going to post this too. A simple solution would be to make a passport holder that blocked the RFID signals, that you could purchase if you wanted to be sure your details weren't being scanned from afar.

      • A simpler solution would be for the U.S. government to stop paying taxpayer money to embed RFID chips into passports. That saves money and eliminates the risks to everyone, not just the tech-savvy.

        I wonder how much money the government would save if they just stopped doing everything that is stupid. (I realize that in order to do that Congress would have to agree on what constitutes stupidity, and agreeing on things ain't their strong suit. Still, I wonder how much money.)

      • I have such a wallet that I bought from Ebay. To test it I put my cellphone in and called it. The phone rang just like it should. Is there a better way to test the effectiveness of these wallets?

        • Re: (Score:3, Informative)

          by jo_ham ( 604554 )

          A cellphone has a powered transmitter, and a boosted receiver with a specialised antenna. An RFID chip must rely solely on the radio energy it receives to power itself up and transmit back, so I'm not sure that a cellphone is an adequate test.

          The signal power you're talking about for a phone is going to be so much higher, and likely at totally different frequencies.

          I think the only way to test it effectively would be to see if the RFID reader at the airport still works with the wallet, assuming the person w

      • Re: (Score:2, Insightful)

        ...except when you pulled your passport out of the holder to use it, and got it scanned not only by the customs agent, but by the guy sitting on a chair nearby stealing your info, who knows that the airport is a great place to come and do that. Seriously, why would they think it is a good idea to put your data into a form that broadcasts over the air? There are lots of good uses for RFID, and I can't see how this is one of them.
    • Re: (Score:3, Informative)

      by dlaudel ( 1304717 )
      Thinkgeek actually makes a passport holder that blocks RFID signals. http://www.thinkgeek.com/gadgets/security/910f/ [thinkgeek.com]
      • by MollyB ( 162595 ) *

        Yes, but your linked page also states

        Availability: [ info ]
        Out of stock. (Est. 1-3 Weeks)
        [ Email me when available ]
        This product is not available
        for purchase at this time.

      • Re: (Score:3, Informative)

        Just replying to confirm that the ThinkGeek wallets DO, in fact, work as advertised. I realized this after trying to leave my office's parking lot by fruitlessly waiving my newly-acquired RFID-blocking wallet (with parking pass inside) at the entry gate's sensor.

    • Like the one at Thinkgeek? [thinkgeek.com]
    • My province, Manitoba, has just come up with these ID cards that will let you cross US land & sea borders. They're apparently credit card sized, but a bit thicker, and work on RFID. Supposedly the RFID chip only contains a unique identifier. If that's the case, an attacker would have to have physical access to your card to clone it, because the unique identifier would do nothing.

      The province includes a protective sleeve [mpi.mb.ca] which must be removed to be read by RFID readers at the border crossings. Even the e

  • How's it unfair? (Score:4, Informative)

    by jc42 ( 318812 ) on Wednesday February 04, 2009 @08:59AM (#26724035) Homepage Journal

    The summary clearly says:

    During the demonstration he picked up the details of two US passport cards. Using the data gleaned it would be relatively simple to make cloned passport cards he said.

    Anyone with even minimal English fluency would understand this as saying that he collected the data but didn't do anything with it.

    We don't even need an automotive analogy, since the data was collected from one car by reading passport RFIDs in other passing cars.

  • Protective Sleeve (Score:5, Informative)

    by Jamie's Nightmare ( 1410247 ) on Wednesday February 04, 2009 @08:59AM (#26724037)

    The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

    Per usual, security usually fails because of the user.

    • Re: (Score:3, Insightful)

      by clickety6 ( 141178 )

      The protective sleeve only works if you never have to open the passport.

      Of course, you might want to open the passport to, say, actually use it as ID. Or maybe just to let something read the RFID chip...

    • by account_deleted ( 4530225 ) on Wednesday February 04, 2009 @09:36AM (#26724399)
      Comment removed based on user account deletion
    • by qazwart ( 261667 ) on Wednesday February 04, 2009 @09:44AM (#26724495) Homepage

      Making security difficult and then blaming people for its failure is no solution.

      For example, computers could be much more secure if people change their passwords every month and passwords must be a string of at least 120 random letters. Except that everyone will write down their password or never log out or let their computer go to sleep. You now have your nice super-duper security protocol all set, but your computer is less secure than ever because you've made it impossible to use.

      How many people will use that sleeve if you have to struggle with it every time you have to show your passport? How long will that sleeve last? How vulnerable do people understand their passport to be? Do people even understand that their passport could be read while riding in a taxi?

      A better solution would be to put this "sleeve" inside the passport. The pages where the RFID chip is on should be the sleeve. When the passport is closed, the chip is protected. The chip can only be read when the passport is opened.

      Of course, that's even if this type of security even works.

      • For example, computers could be much more secure if people change their passwords every month

        Really? What happens on day 32 that I need to change my password to prevent? What threat cannot be realized in a month, but can be realized in two?

        The idea behind changing passwords is to have a new password before the current one can be broken by a determined attacker. The current reality is that a weak password can be broken in hours, and a strong password can't be broken in anyone's lifetime.

        Changing passwords

        • by Hyppy ( 74366 )
          If you're using a strong password that is compromised by methods other than brute-force discovery, changing it on a regular basis reduces the window in which the attacker can access the system relatively undetected.
          • This opens up a cascade of conditional probabilities.

            What's the appropriate strategy? Should I assume that my password is compromised "by methods other", distinguishable from magic, the day after I change it, and choose my password change interval to match my anxieties about how long someone might have access to whatever the password protects?

            What's the probability that "methods other" will compromise my password within N days? Are we looking at a Poisson distribution or normal? Give n that it's compromised

    • Re:Protective Sleeve (Score:5, Informative)

      by dotancohen ( 1015143 ) on Wednesday February 04, 2009 @09:50AM (#26724601) Homepage

      The Passport Card comes with a protective sleeve lined with foil on the inside designed to prevent such an intrusion.

      Per usual, security usually fails because of the user.

      I don't know about the Passport Card, but the US Passport comes with no such sleeve.

      • Re:Protective Sleeve (Score:4, Informative)

        by NeutronCowboy ( 896098 ) on Wednesday February 04, 2009 @01:07PM (#26727543)

        I believe the foil sleeve is actually built into the binding. My girlfriend got a new passport, and the cover and back are a lot thicker than the old passports. It seems that there is some extra layer in there.

        I haven't tested the efficiency of the new passport design, but I'll be getting a passport carrier that is lined with foil.

    • -1, Wrong (Score:5, Insightful)

      by u38cg ( 607297 ) <calum@callingthetune.co.uk> on Wednesday February 04, 2009 @10:00AM (#26724751) Homepage
      Security doesn't fail because of the user; if the user is getting it wrong then it is bad security. Theoretical security is (in principle) not hard. Practical security is very hard indeed, and easy to get wrong. Is there any reason this card needs RFID as opposed to a standard credit-card style chip which requires physical contact?
      • a well designed security system will take typical users into account, e.g. two-factor authentication, to avoid security breaking by stupidity... but it can only mitigate some of the problems unless the user wants to cooperate with the security.
      • Re: (Score:3, Funny)

        by zippthorne ( 748122 )

        Is there any reason this card needs RFID as opposed to a standard credit-card style chip which requires physical contact?

        You can't expect government workers to have the motivation to slide a card into a reader. Next to the reader is the best you're gonna get. It's in their contract or something.

    • Re:Protective Sleeve (Score:4, Interesting)

      by Shadow-isoHunt ( 1014539 ) on Wednesday February 04, 2009 @10:12AM (#26724989) Homepage
      Actually the sleeve tends to make the passport stay partially open and act as a parabola, amplifying the signal from a distance.
    • 1) FYI, US passports it's not a sleave, it's a metal cup that will enclose the rfid chip when closed tightly.
      2) California has a dual purpose rfid passport/drivers license that doesn't have this protection.

      It was demonstrated that the metal cup in the us passports gives almost no protection if the passport opens even slightly. Which it always does when not held shut (ie placed in a pocket or purse, with out a rubber-band or similar holding it shut.)

    • True, but why the hell is the data not encrypted. I've worked with security RFID cards in the past, and I saw encrypted communications at least a decade ago, that something as important as a passport should be responding to queries in plain text is just insane.

      Moreover, exactly how useful is the RFID tag for a passport? The entire point of a passport is that you have to present it at the borders and have it verified by a, hopefully, well trained person examining it. If you need to have other data in it
  • by Bearhouse ( 1034238 ) on Wednesday February 04, 2009 @09:07AM (#26724115)

    As a very frequent traveller, (including to some fairly scary places), I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport. Works a treat. Why do this, well:

    1. FTA:

    Using the data gleaned it would be relatively simple to make cloned passport cards he said. Real passport cards also support a âkill codeâ(TM) (which can wipe the cardâ(TM)s data) and a âlock codeâ(TM) that prevents the tagâ(TM)s data being changed.

    However he believes these are not currently being used and even if they were the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.

    2. What information can they get? Well, depending on the passport type, at least your picture, and sometimes your fingerprints too.
    See:
    http://en.wikipedia.org/wiki/Biometric_passport [wikipedia.org]

    And all this while you are having a drink at a roadside café with your passport 'safely' in your pocket...

    • How did you test this to make sure?

      • How did you test this to make sure?

        In a link in the old article was the full testing. In a nutshell, they cloned some Washington Drivers licenses into the same chip. Then tested sending the kill command at low power, when there is not enough power to complete the operation, the chip reports a low power comman fail. After the power needed to produce low power fails and kills, it was tested on real licenses to see if the kill was enabled or protected by a PIN. It is unprotected.

        Here is the info;
        PDF alert

      • To test they can't read it? Simple, asked the guy at the airport to try and read my passport while it was still in the wallet.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      And not only passports, I just won a fight with my credit card company (Chase) about their use of RFIDs in their new credit cards. I refused to carry them and came close to canceling the account before they finally sent me a new card without one. By that time I had two useless cards with the RFID chips in them, so I stuck them in the microwave to see what would happen. It was spectacular. A couple of seconds and they burst into flame! And to my surprise, there was an embedded loop antenna in the cards

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday February 04, 2009 @10:22AM (#26725135) Journal

      I always keep my passport on me. I've stuck some plastic tinfoil (use an emergency blanket) inside the wallet pocket where I keep the passport.

      Note that you're talking about something completely different.

      The US passport CARD is different from the passport BOOK which you use in international travel. The passport card only works when traveling between the US and Canada or Mexico; it's not accepted anywhere else.

      If your passport BOOK is a US-issued one, you don't need the tinfoil because it's already built into the cover. Even if it weren't, the BOOK requires a cryptographic authentication using a key derived from data printed on the inside of the book, so someone has to either see the inside of your book or guess the data.

      The CARD does not require cryptographic authentication and has no closeable cover.

      • Re: (Score:3, Insightful)

        by swilver ( 617741 )
        Although the cover may protect it, data encryption by itself won't protect you from malicious people keeping track of your movements. It's an easy thing to keep track of say everyone's movements at some kind of gate, and later adding a photo to whatever unique encrypted data is read from the chip. I could gather a few months worth of data at a public place, then pinpoint someone in a crowd and see exactly how often they were there, how long, and so on. All it takes is one easy unique way to distinguish a
        • Re: (Score:3, Informative)

          by swillden ( 191260 )

          Assuming the document ID (any identifiable string) can be determined at a distance, yes.

          There are two solutions to this. The first is the fact that the RF technology used by these chips does not work well at long ranges. In lab environments it's possible to get distances of up to a meter, but in the real world the limit is around 10 cm, assuming nothing is between card antenna and reader antenna (and assuming reader antenna is a high-gain type). The super long-range stunts you read about use a battery-

    • Re: (Score:2, Insightful)

      by slushdork ( 566514 )
      I believe the article is talking about passport cards [wikipedia.org], and not about passport books [wikipedia.org]. It's quite a bit harder to read RFID data from a passport book since "the passport cover contains a radio-frequency shield, so the cover must be opened for the data to be read."
  • by brufar ( 926802 ) on Wednesday February 04, 2009 @09:30AM (#26724337)

    Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport.

    Of course he only sniffed the data and didn't make a fake passport.. If merely sniffing the data proves your point, why would you subject yourself to penalties for forgery ?

    U.S.C. Â 1543 provides:

    Whoever falsely makes, forges, counterfeits, mutilates, or alters any passport or instrument purporting to be a passport, with intent that the same may be used; or

    Whoever willfully and knowingly uses, or attempts to use, or furnishes to another for use any such false, forged, counterfeited, mutilated, or altered passport or instrument purporting to be a passport, or any passport validly issued which has become void by the occurrence of any condition therein prescribed invalidating the same

    Shall be fined not more than $2,000 or imprisoned not more than five years, or both.

    I certainly would have stopped at successfully sniffing the data. besides all a terrorist has to do is rig the bomb so it will automatically go off when it detects a pre-specified number of US RFID passports in the vicinity.. Now, don't you feel that RFID in your passport has made you more secure ?

    • by Hyppy ( 74366 )
      What about the "with intent that the same may be used" qualifier? Making a forgery doesn't seem to be illegal, as long as it's not used.
  • Security threat (Score:5, Interesting)

    by grolaw ( 670747 ) on Wednesday February 04, 2009 @09:32AM (#26724347) Journal

    Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nation's citizens?

    • Re:Security threat (Score:5, Interesting)

      by vlm ( 69642 ) on Wednesday February 04, 2009 @09:50AM (#26724623)

      Imagine how easily US Citizens can be found in a crowd. I wonder if the RFID "lighthouse" in my passport will put me at a higher risk than other nation's citizens?

      RFID passports are the ultimate tool for terrorists. You have to wonder if the government people pushing them are sleeper cell agents or something. Maybe just good ole americans but taking bribes from terrorists.

      In the old days they set off IEDs using switches. Follow the wires back to they hidey hold and shoot them. End of terror threat.

      Then they moved to cell phone (a most impressive "ringtone"). With some cooperation w/ the phone company, you track down the caller and shoot them (only the stupid ones of course, the smart ones smash the caller phone seconds after the callee phone goes boom and both will have clean records)

      Now you just build a mine that waits for a passport RFID. No need to decode fully, just, is there a passport signal, if so kaboom. No way whatsoever to stop them anymore.

      You're doing a heck of a job, american passport design department! Heck of a job stacking up american corpses I mean.

      • The one problem with this type of mine is that RFID requires energy.

        Most RFID tags do not just actively broadcast, they are passive devices that only transmit when you hit them with a signal.

        This means:
        1) Your mine now needs a much bigger power source (depending on how long it needs to broadcast looking for an RFID).

        2) It is BROADCASTING A SIGNAL which might make it very easy to find (once you know to look for it).

      • Sure, the RFID enabled mine could probably be considered a terrorist's wet dream. Think about it for a bit though.

        It's going to need to be inconspicuous and run off of battery power. Because of these requirements the antenna is going to be less than optimal and it won't have much power at its disposal. If you compensate and let it draw lots of power it won't have much run time.

        It's also going to need a logic package to analyze the signal it's getting back from the tags and determine if the situation is expl

        • Re: (Score:3, Insightful)

          by adolf ( 21054 )

          You're missing the point.

          It doesn't need a very large power source. It's still a landmine, and it needs to be very near to its target to have maximum effect. So, use weight or inductance or whatever to trigger the thing, not to explode, but to look for RFID tags. The rest of the time the added parts can be powered completely off.

          The antenna isn't really much of a problem. RFID is generally UHF, which penetrates stuff pretty well, while still high enough in frequency that a surprisingly high amount of an

      • Re: (Score:2, Funny)

        by Perf ( 14203 )

        Except...

        How do you know the person with the RFID passport is an American or a fellow terrorist who replicated a RFID passport?

  • But the fact that you could use this technique to drive around and look for American citizens. Maybe combined with triangulation and there is your kidnap victim...
    • by Builder ( 103701 )

      Why bother with kidnapping ?

      As I said at the time when the UK and the USA introduced these, they've just made their shitizens very attractive bomb targets - just set your bomb to only go off when a UK or USA passport is within reading distance.

  • More details (Score:4, Interesting)

    by Muad'Dave ( 255648 ) on Wednesday February 04, 2009 @09:51AM (#26724629) Homepage

    The information he read was from an EPC Class1 Gen2 [epcglobalinc.org] encoded UHF tag. It was encoded as a Global Document Type Identifier (GDTI-96) [epcglobalinc.org]. The Company Prefix is 0893599002, and the Document Type is 1. The serial numbers of the documents are there, but I'm not going to post them. I don't have access to the GS1 [gs1us.org] Company Prefix database, and it's not searchable here [gs1.org]. - anyone else have those mappings?

    It is trivial to program an arbitrary tag ID into a blank Gen2 tag - I do it all the time wrt DOD-encoded tags.

  • by Logical Zebra ( 1423045 ) on Wednesday February 04, 2009 @09:55AM (#26724677)

    What is the point in putting RFID into passports other than to make them easier targets for cracking?

    Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense [wikipedia.org]? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday February 04, 2009 @10:27AM (#26725253) Journal

      Why not just use a smart card similar to the Common Access Card (CAC) used by the U.S. Department of Defense [wikipedia.org]? Those things can store a lot of data, are very easy to use, and cannot be hacked remotely via RFID equipment.

      The chips in passport books (not cards) ARE the same sort of device that's in the CAC. The old CAC cards are contact-only, which doesn't work well for a passport book because it would be difficult to build a reader. The CACs are being replaced by PIV cards which are dual-interface (contact and contactless).

      Other than the contact vs RF interface, though, these so-called RFIDs in passport books (not cards) are exactly the same sort of technology as CAC cards. The chips have plenty of storage and provide cryptographic authentication capabilities.

      It appears that a different, longer-range technology with no cryptographic authentication requirements was used for the passport cards.

      Don't get one. Get a passport book. It costs a little more, but it can be used for visiting countries other than Canada and Mexico, and it doesn't have these security issues.

  • The sin cards used in cellular phones use an algorithm to confirm identity. The network will transmit a number that is then manipulated to form a new number by the phone. The number is transmitted and compared to what the network was expecting from the individual the phone is claiming to be. If they match then the person is who they say they are. The algorithm is impossible to duplicate without having the sin card and brute forcing to find the algorithm(still next to impossible). The credit card industry is
    • I also heard there are bombs which react to people's brainwaves. Now if one of THOSE is deployed, it will be very scary.

      Probably nothing to worry about if you are of US origin though. And to disarm a high-sensitive version you can always call George W. Bush and tell him tere are salty crackers inside -- chances are, he'll break it in no time.

  • If you want results, try it in Washington DC.
  • I don't think that Mr. Paget was trying to make a point for "hey, look, Passport data!" at all. In fact, he states in his video himself that all he got were the unique IDs for the RFID, which have a prefix which indicates whether it is, say, a passport.

    What I got from his video - and which is a perfectly valid argument against RFID *in general* - is that he now -has- that unique ID. Presumably, you are the only one with your (passport) ID. Next up, link that to an RFID scanned at the very same time.. exc

  • Proof once again that the "editors" don't even read Slashdot any more [slashdot.org]. Dupe from yesterday, Taco. Yesterday.
  • by thethibs ( 882667 ) on Wednesday February 04, 2009 @10:12AM (#26724979) Homepage

    Apparently this is a little unfair- he sniffed the data, he didn't actually make a fake passport

    Perhaps he wanted to avoid going to jail? This is a case where it's sufficient to show that a forgery is possible, without breaking the law and actually doing it.

  • It's absolutely worth noting this is about cloning US Passport Cards, which are completely useless outside the US, not real passports.

    Passport Cards use a simple RFID system (EPC) where the chip simply spits its ID number out.

    Passports, on the other hand, require a reader to authenticate by passing a hash of (passport number, date of birth, date of expiry). I don't think that's nearly enough information to ensure security, but at least it's better than nothing.

  • He is just skimming IDs, not cloning or even collecting any information of worth. Its no different than some retard driving around with a wifi scanner collecting SSIDs and MACs for a bunch of WPA2 networks - its not the same as getting into the systems behind them. I guess I am new here, but I expect this kind of cheap overblown title from trash like Wired, not from /.

Whoever dies with the most toys wins.

Working...