Cloned e-passports: your government doesn't care
How easy is it to digitally clone an electronic passport? Very. Using an RFID reader purchased on eBay, white-hat hackers from DN-Systems consulting recently demonstrated to the BBC how they can download British e-passport data to their computer and then write it to a new, blank RFID chip to create a perfect digital clone. Sure, the hack requires access to the software used by border police, but apparently, this is already out in the wilds. Astounding, huh? Yeah, but it's not new. This is the same hack we've seen repeatedly demonstrated in Germany, the US, The Netherlands, Ireland, etc. What's notable here is the lack of incredulity imparted by the spokesman for the UK Home Office who said, "It is hard to see why anyone would want to access the information on the chip." Identify theft, maybe? True, British e-passports unlike those issued by other countries, do not (currently) store fingerprint scans in the chip and the encryption is just one aspect of the passport's overall security. However, with these mechanisms also circumvented, shouldn't our government officials be just a tad concerned?
Filed under: Misc. Gadgets, Wireless
Reader Comments (Page 1 of 1)
andiwijaya @ Dec 19th 2006 8:37AM
Nice passport, in my country passport still using manual. http://www.andiwijaya.com
Graham @ Dec 19th 2006 9:16AM
One thing articles about passport 'hacking' don't make clear is if reading the data from the chip required the correct key, or if you simply read the encrypted data - and figure out the key later. From what I can tell, this differs from country to country.
The other problem is that to generate this key, you need information written in the passport - it's simply too hard to brute force. If you get a look at this information, you are also getting a look at everything else that is stored in the chip. Since (from what I can tell) it's simply a digital copy of most (but not all) of what is actually written in the passport.
So really I don't see the problem. Even if you can read the encrypted data, you still need the key, and it's not something you can brute force crack - unless you have read the passport that is... And if you read the passport, well, you are simply reading the information that is also located in the chip.
It all goes round in circles, and at some point someone shouts 'identity theft' and everyone panics. Yet the amount of actual useful information on the 'problem' seems lacking.
...
So you can clone a passport chip if you know its key? So... You can photocopy a passport too. Trouble is, both methods don't help much in making a good forgery, and the big difference is you cannot *change* the data on the chip - where you can change the data on the page.
As a holder of a British passport, honestly I just don't see what the fuss is about.
J. Henry @ Dec 19th 2006 9:22AM
So... this is just cloning the chip, yes? You can't actually read the contents of the chip?
Coupled with the short range of these chips, this only really sounds like a problem if someone steals the complete passport.
crackpipe @ Dec 19th 2006 10:54AM
Someone finds your lost passport, gives it back to you after cloning it. Then you go on your merry way never the wiser. They sell the cloned pp to a terrorist cell in Turkistan who then finds someone who looks a lot like you in France to fly into the U.S. and blow up the world's biggest MacDonalds, where you may just so happen to be sitting there all smug having yourself a Big Mac.
MikeN @ Dec 19th 2006 11:44AM
Conveniently forgetting to mention exactly how you forged the rest of the passport convincingly... Clearly from the lack of concern demonstrated by government officials, merely cloning the chip in the passport isn't the huge security breach it's being percieved as. Which would lead one to believe that the other security measures being employed will be enough to deter any would-be forgers. Or at the very least, set off some red flags if they attempted to use a forgery with a cloned chip.
Mike
Chris @ Dec 19th 2006 12:45PM
OMG! Not Vinita Oklahoma!
http://www.roadsideamerica.com/attract/OKVINmcd.html
oh wait, there's a bigger one now in Florida
http://www.vacationsmadeeasy.com/OrlandoFL/pointsOfInterest/WorldsLargestMcDonaldsinOrlandoFL.cfm
:D
tcc3 @ Dec 19th 2006 11:22AM
Careful! Then Tim Robbins will trick you into blowing up an important Federal Building.
Chris @ Dec 19th 2006 12:38PM
"the hack requires access to the software used by border police"
so, this software runs on commodity client PC or handheld devices? who's bright idea was this? the fancy stuff to make this go should run on a server locked in a vault with armed guards nearby. The boarder guards should only have software that can send the raw data over a non-pubic, secure, network and have the server extract the data and validate whatever needs validated. "phone home" style activation systems and key dongles simply won't stop a hacker from tricking the software into thinking it's got a green light, no software vendor has made this hack proof and none will. The ONLY way to keep software under wraps is to not let people touch it unless they have been certified and are paid well enough to not be swayed by a bribe. I hope there's an investigation underway to find out how this software got out and treat the leak as a terrorist. (not that I'm a big "omg a terrorist" person, but I've been the victim of simple identity theft and the terrorist handling proceedures is what I'd like to see done to this type of thief.)
furtim @ Dec 19th 2006 2:43PM
"Conveniently forgetting to mention exactly how you forged the rest of the passport convincingly..."
And you're conveniently forgetting that this is really easy to do, which is why they wanted to include RFID in passports in the first place. You're also conveniently forgetting that, as time goes on and RFID passports get more common, the customs folks who check these things will end up relying almost entirely on the RFID and not checking the paper bits at all. Because, really, why waste the time of opening the thing up when you can wave it at a sensor and get the same info?
It's not doom and gloom, but the ease with which people are cloning RFID passports should be troubling to anybody concerned with privacy and identify theft.
Thomas Trautman @ Dec 19th 2006 3:32PM
Anytime you adopt new technologies it takes baby steps. At no point in the article did it state that the tag was only means of security in the passport. It's just one layer, and really sounds like it only contains a copy of the page used by customs.
You can argue that the ability to clone it, negates the added security, but I didn't see how it offered less.
Perhaps in the future the RFID Tag will only contain a portion of a public key(coupled with pass phrase or biometrics) that will be used in turn by customs to unlock the data contained on a secure server.
Then cloning the tag would be meaningless.
http://www.vequalsir.com
Viran @ Dec 19th 2006 6:44PM
Nice, once the details are readable, go to the airport, find a family of holiday-makers, scan their passports whilst pretending it be in the queue with them, get their address and house-sit for them while they are gone ;)
cacadodo666 @ Dec 21st 2006 3:00AM
this is a crisis made on purpose so the Big Businesses in the disguise of Government laws can offer an even better solution.....a chip in yur ass....go ahead....tell the kids it's the only way and it's so yu don't get raped from here to the mall