http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/ Engadget Comments for Dutch RFID e-passport cracked -- US next? http://www.engadget.com/media/feedlogo.gif http://www.engadget.com en-us Copyright 2012 Weblogs, Inc. The contents of this feed are available for non-commercial use only. Blogsmith http://www.blogsmith.com/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/ tags (see comment #6). The working link is:
http://www.riscure.com/news/passport.html]]>Feb 6th 2006 6:38PMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/These guyes presented this thing first at The What The Hack conference back them. This is not new.

Check those slides from What The Hack:

http://wiki.whatthehack.org/images/2/28/WTH-slides-Attacks-on-Digital-Passports-Marc-Witteman.pdf

]]>Feb 3rd 2006 9:32AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/Feb 3rd 2006 9:33AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/Feb 3rd 2006 9:39AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://cgi.omroep.nl/cgi-bin/streams?/tv/vara/nieuwslicht/bb.20060127.asf

if you skip to 6:20 you can see how it's done.

The hacker and female voice explains they can hack it beacause the passport numbers are sequential and are linked to the expire date. That way the can narrow the range and brute force it. That way it will take 3 hours to decypher a rfid passport chip.

The Dutch goverment also noticed this and they are willing to change the numbering of the passport, but since such a decision will take some time and new RFID passports are ariving in august 2006, it will not come in time. So the new dutch passoport will be weakly encrypted/protected.]]>Feb 3rd 2006 9:43AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
There needs to be some sort of "off" switch so that the RFID isn't broadcasting 24/7 to anybody listening. (A la one of those fancy Hallmark Cards that plays music when you open the card, the RFID "enables" itself when you open the passport book)

Again, the simple rule of encryption is that every code/password/algorythm can be hacked with enough time, software and network passwords will disable after so many failed attempts, thus restricting the access to the possible hack.

RFID is intrisically unsafe because there is no mechanism to disable itself, it just sits there like Forrest Gump at the bus stop talking to anybody who will listen.

Wonderful security there Mr. President.]]>Feb 3rd 2006 9:47AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/July 28, 2005:
http://www.riscure.com/news/passport.html

]]>Feb 3rd 2006 9:48AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
It was presented at the What The Hack conference. People have no memory.

You can download the presentation of this hack here:

http://wiki.whatthehack.org/images/2/28/WTH-slides-Attacks-on-Digital-Passports-Marc-Witteman.pdf]]>Feb 3rd 2006 9:50AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/ They will continue to go forward with the idea. ]]>Feb 3rd 2006 10:21AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/rfid part is damaged, this may be the same with other countries as well
due to personel shortages at passport offices. paranoid? stick your
passport in the microwave for a few seconds or simply bend it gently in
your hand a few dozen times to break the rfid antenna. alternatively, wrap your rfid based passport in foil, tin foil hat style.

side
note: if you are a french citizen and were lucky enough to think of
renewing your passport before october of 2005 and you have the machine
readable two lines on the bottom edge of your passport required by the
united states, you are good to travel without a rfid passport for ten
years.

also see harald welte's research pertinent to most rfid passports:

http://openmrtd.org/about.html
https://events.ccc.de/congress/2005/fahrplan/events/769.en.html
http://gnumonks.org/~laforge/weblog/linux/mrtd/

cheers,
fbz]]>Feb 3rd 2006 10:35AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/-BlueLightBandit

This is not possible, since RFIDs do not 'broadcast'anything. That's the whole point behind them, and hence why they don't require a power supply. They simply bounce signals in a sophisticated way.

That being said, your idea has merit, and could work if there is a way to make passport books fitted with sheilding to keep the RFIDs from being detected until they are opened. Albeit, it would be expensive.]]>Feb 3rd 2006 10:36AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
I'm waiting for someone to rig up a backpack with a directional antenna that can read RFID passports and IDs across the room. Or airport.]]>Feb 3rd 2006 10:38AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
This is a Bad, Bad, Bad idea promoted by the governments paranoid about their citizens in such a way to make the paranoia of citizens against government and other citizens a valid fear. Neo-Orwellian.]]>Feb 3rd 2006 10:51AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/Feb 3rd 2006 11:58AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/

Just checked travel.state.gov and it indicates there will be shielding on all U.S. passports that will protect data from "skimming" as long as the passport remains closed. As well, all new U.S. passports (beginning 30 December 2005 in most areas!) will be "e-passports"

]]>Feb 3rd 2006 12:01PMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
I'm sure RFID is being used instead of a SmartChip because of marketing and reduced costs due to mass production - they probably forgot to add in the cost of shielding though. A SmartChip wouldn't help much anyway, as anyone who has had their CC data dup'ed by restaurant waitstaff can attest.

I agree with the idea behind all this, that analog passports don't really offer much in the way of a guaranteed ID, but an easily duplicated digital system sure isn't going to help.]]>Feb 3rd 2006 1:15PMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
Otherwise I will seriously be wrapping my next passport in tinfoil. Look for an explosion in the aftermarket "protective passport case" market, with all sorts of new materials designed to thwart identity thieves.
]]>Feb 3rd 2006 3:30PMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
Otherwise I will seriously be wrapping my next passport in tinfoil. Look for an explosion in
the aftermarket "protective passport case" market, with all sorts of new materials designed to thwart identity thieves.]]>Feb 3rd 2006 3:32PMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
Are you sure? What makes you think that the gov't will not just decide in 2 years that RFID-less passports are no longer accepted? You know, in the name of fighting terrrrrists.]]>Feb 3rd 2006 5:48PMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
Are you sure? What makes you think that the gov't will not just decide in 2 years that RFID-less passports are no longer accepted? You know, in the name of fighting terrrrrists.]]>Feb 3rd 2006 5:52PMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/
(from dailykos; http://www.dailykos.com/story/2006/2/3/162911/3140)

To his credit, UnderSecretary of state Frank Moss came to the International Conference on Computers, Freedom, and Privacy last sporing to face the critics of the US RFID passport scheme. During his panel, the ACLU's Barry Steinhart demonstrated a reader effective at 10 inches.

Afterwards, in the hallway, photo (That's me in the background.) EFF's John Gilmore explained how the range could be extended to 10 feet. Travel writer Ed Hasbrouck then laid out a scenario in which terrorists used an off the shelf RFID reader to detect the presence of a US Passport holder on a bus in Beirut, triggering a pre-installed bomb.

This apparently impressed Moss, who delayed introduction of the chipped passports originally scheduled for last June, so that they could be made with wire mesh shielding to prevent them from being read when closed. He also directed the data be encrypted, bringing us to the flaw identified in the diary.

A Senator YOU can afford
$1 contributions only.
Masel for Senate
1214 E. Mifflin St.
Madison, WI 53703]]>Feb 4th 2006 10:15AMhttp://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/http://www.engadget.com/2006/02/03/dutch-rfid-e-passport-cracked-us-next/Feb 4th 2006 1:37PM