More e-passports hacked within minutes, security questions abound
by Darren Murph 
posted Aug 7th 2008 at 6:03AM
It's downright frightening that we've become numb to this news, but here again we're faced with another report of e-passports being hacked within minutes. The University of Amsterdam's Jeroen van Beek was reportedly able to clone and manipulate a pair of British passports in about the time it takes you to sip down your first cup of joe in the morning, and worse still, they were accepted as genuine by the software "recommended for use at international airports." The tests point out a number of vulnerabilities, including the fact that the microchips could be susceptible to having falsified biometrics inserted for use. As expected, talking heads at the Home Office still insist that any chip manipulation would be immediately recognized by the electronic readers, so we'll leave it up to you to decide who's telling the truth here.
Filed under: Misc. Gadgets
Reader Comments (Page 1 of 1)
Technex @ Aug 7th 2008 6:12AM
Osama bin Laden, lol...
Homeboy @ Aug 7th 2008 6:34AM
We all know he desperately want to visit Orange County to eat a burger from In-n-Out while driving along the Pacific coast highway down towards Laguna.
OneLove @ Aug 7th 2008 4:36PM
bert is a taliban.
rony @ Aug 7th 2008 6:17AM
wow...think of the consequences if someone manages to manipulate Bill Gates or Warren Buffet's passport......
Telanis @ Aug 7th 2008 10:18AM
A passport isn't a bank card ^_o
Chrisboff @ Aug 7th 2008 6:18AM
Makers of RFID proof passport sleeves are going to do pretty well.
meist3r @ Aug 7th 2008 6:22AM
They probably won't because no matter what happens most of the people are sheeps and don't give a fuck about things like that. Electronic data retention and all that surveillance bullshit doesn't keep anyone from plotting a terrorist attack and it makes life horrible for the rest of us. In a way, thanks to the paranoia and hysteria that was forced on the world by the US, the terrorists have achieved the ultimate victory. They don't even have to do something anymore, the government terrorizes it's people all by itself. Congratulations. I feel very safe now.
Matthew @ Aug 7th 2008 9:30AM
Just wanted to point out that sheep is the plural or sheep.
Chris @ Aug 7th 2008 9:32AM
@ meist3r : "thanks to the paranoia and hysteria that was forced on the world by the US"
What the hell are you even talking about? You think electronic surveillance was "forced on the world by the US"? The UK has been using CCTV since the 70's, and there is a long list of countries that have had RFID passports before the US, Malaysia, New Zealand, Belgium, The Netherlands, Norway, Ireland, Japan, Pakistan, Germany, Portugal, and Poland.
Take your contempt for America somewhere else.
Matthew @ Aug 7th 2008 9:36AM
Oh wow. Time to quit the internet. I made a spelling/grammar error while publicly correcting one.
meist3r @ Aug 7th 2008 10:25AM
Some kind of freudian slip up ... somewhere between wimps and sheep was what I had in mind when I typed this. That puny s snuck in again. Thanks for the correction, though. Or to quote Homer Simpson: "People always are reaaally glad when they're corrected".
meist3r @ Aug 7th 2008 10:33AM
@Chris: True, the Brits used useless video surveillance for quite some time to maintain their illusion of security. But Let's not argue about the fact that after 9/11 everything changed in the perception of security. If the mightiest nation on the world starts controlling their borders like crazy and every little shit is made into a terrorist threat you can't expect those that are in alliance with the USA in a military and economical sense won't adapt to those changes. It's hysteria and you know it.
Most of the security related inconveniences are cuts on human rights originate in the US or would you like to deny that the "War on Terror" is a common idea that all of Europe had way before September 11th? It's the same excuse every time there is a new fingerprint scanner installed or phone line tapped. We are all looking for terrorists that might be a threat to the US and their allies. And the allies are only subject to terrorist threat because they are allied with the US in the first place, most of Europe held great business relationships with the Middle East and the so called "Axis of Evil" before they became a Fox News scare.
meist3r @ Aug 7th 2008 10:39AM
@Chris: An afterthought just occured to me. Because I actually do live in Germany I can say that Germany only got an RFID passport (despite protests from the public and several organizations) because our government used the terrorist threat excuse to push it through. It's a clear consequence of 9/11 and what happened to international security after that. So basically I can't give you that argument for my country at least. It's not like we would have gotten that if the US hadn't insisted on it. We even give these people intimate citizen data and bank records for no apparent reason. Nobody would do that if it wasn't for the US.
meist3r @ Aug 7th 2008 10:41AM
Gosh darnit, well don't try to type really fast kids. Your mind will spell things that it shouldn't.
The first sentence in the second paragraph of my original answer makes no sense that way. I changed it half-way through it was supposed to read:
...or would you like to claim that the "War on Terror" is a common idea that all of Europe had way before September 11th?
Sorry for the spamming guys.
Jack C @ Aug 7th 2008 1:45PM
And they had to find out now? after they are up-and-running?
E-fraud and cyber-terrorism (and every other cyber-(scary word)) is becoming one of the most relevant topics that no one seems to address. Lawrence Lessig, who mentioned in a recent interview that the government was working on a Patriot Act for the internet (iPatriot?) but according to this article http://www.internetevolution.com/author.asp?section_id=556&doc_id=160628&f_src=flffour , it's all Lessig trying to push his own, personal agenda.
d i s @ Aug 7th 2008 6:27AM
so were the 'diebod voting machines' too - fullproof , so if they go ahead things are normal as usual
Jack @ Aug 7th 2008 6:35AM
Say someone cloned my password, what can they do with the information?
They don't have my physical passport...
I don't see the problem, can someone enlighten me?
deyanimay @ Aug 7th 2008 6:45AM
They could go through an airport with your identity so they can't be traced, instead everyone will think it was you.
dave @ Aug 7th 2008 12:55PM
This might be a problem then?
http://news.bbc.co.uk/1/hi/uk/7530180.stm
ipubs bastard child @ Aug 7th 2008 8:28AM
Passports are merely documents and documents can be forged. Coincided with the recent theft of several thousand blank passports in oldham, a technology to forge digital data will lead to criminals/ terrorists and illegal immigrants being able to enter and leave the country freely. It's not necessarily just about cloning but the cloning itself is dangerous as a passport will give access to many services. Namely banking, information held on files and access to many other services.
It is an incredibly dangerous prospect, its only saving grace is that it's only going to be done by a minority. It is another major reason why ID cards are a bad idea.
GhostDoggy @ Aug 7th 2008 6:43AM
I would say, "barcode everyone" but even that can be readily compromised. So, how about RFID? Instant DNA checking?
Mustaine @ Aug 7th 2008 9:10AM
I hope to god you're being sarcastic and not genuinely wanting a '1984' world.
meist3r @ Aug 7th 2008 10:45AM
I suggest tattooing the code right onto the forearm. There was a little Reich called Germany a couple of decades ago that where pretty successful with that kind of stuff. I wonder what happened to them.
Eggmunkee @ Aug 7th 2008 11:24AM
As long as we give up a little more freedom, we'll all be safe.
... That's a sickening mindset you got there, unless sarcastic. You are being trained to submit like a head of livestock. And that feeling isn't security, it's the warm loving embrace of slavery.
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." --Ben Franklin
vypergts @ Aug 7th 2008 12:34PM
Some things are better left in the analog age. Like passports and voting machines...
iEye @ Aug 7th 2008 6:47AM
Simple solution...
Abolish all iDols & Religions!,
(low rank in 4,3,2,1... and here we.... go)
deyanimay @ Aug 7th 2008 6:52AM
What would that achieve?
zomg0t @ Aug 7th 2008 7:07AM
It would remove some irrational terrorism, but there are plenty of other terrorists with secular motives; however, their reasons for committing terrorism may seem slightly more reasonable than killing people because they call Allah God or Adonai (They're basically the same religion anyway). Abolishing religions still leaves this security hole open. The true solution is to abolish all humans so that the security hole cannot be exploited (though it still leaves the hole open, which isn't a very good solution, just an effective one).
(Unknown rank in GO!)
j_g_puff @ Aug 7th 2008 7:26AM
As long as we could abolish all greed bastards as well, it's a fairly sound solution.
Oh, apart from the disregard for human rights issue.
ed. @ Aug 7th 2008 7:10AM
OH NO I have an e-passport.
ronzo @ Aug 7th 2008 7:13AM
Don't worry. You'll have company.
Pretty soon, someone else will have your e-passport too.
Onouris @ Aug 7th 2008 7:12AM
These the same minutes as they were in the last post?
Also good? Rather they're hacked and fixed now before they're out, rather than after. Not like this doesn't already happen with normal passports anyway.
coolblue @ Aug 7th 2008 8:41AM
apart from the fact that they are already out in the uk!
neofolklore @ Aug 7th 2008 7:26AM
yeh yeh blah blah old news.
I wound up in the file directory of some unknown server (legitamtely *cough*cough*) located in the Netherlands. There were all sorts of papers and abstracts about how to do this stuff. So naturally I installed "DOWN 'EM ALL" for Firefox and saved all the PDF's in one fell swoop.
BigBloke @ Aug 7th 2008 8:23AM
...and the point being?
xenon87 @ Aug 7th 2008 9:13AM
I think his point is that he is ten years old.. can't be sure
ShadowKain @ Aug 7th 2008 8:21AM
Scary stuff, makes me afraid to fly. But you can't let fear control you, thats how they win against you (terrorizies). The company is no doubt denying the claims while feversly trying to reconcile its flaws...
hfm @ Aug 7th 2008 10:31AM
So the dude from Dawson's Creek is now hacking passports?
stompy @ Aug 7th 2008 11:09AM
Whey doesn't each issuing agency sign the data stored on the passports? Maybe I'm missing something, but wouldn't that put a stop to tampering?
stompy @ Aug 7th 2008 11:14AM
Whey? Whey??? Why can't I spell why?
stompy @ Aug 7th 2008 11:18AM
Uh nevermind, I missed the operative word "Cloned"
Nelson @ Aug 9th 2008 11:08PM
I knew it! Burt is involved with Osama bin laden, once again your plan has been foiled puppet!
Ants @ Aug 8th 2008 6:04AM
The purpose of the chip is to have a digitally signed copy of the passports data. The chip in the British e-passport (along with German and others that have gotten "hacked") isn't supposed to be a token so cloning it is as much of an attack as copying a public key certificate.
On the other hand, the ICAO machine readable travel document specification has an optional active authentication scheme that makes the chip a token. Some countries have implemented active-auth in their e-passports. (incidentally, I specified the AA requirement in my countrys e-passport project) Now hacking that would be noteworthy as the chips used are specifically designed and common-criteria EAL verified to be tamper proof crypto-chips.
Also, I don't see how they could insert falsified biometrics - the biometrics are digitally signed. Unless the british document manufacturers really royally botched up and leaked their private key. Or the SHA-1 RSA-1024 signature scheme is broken, which would have much graver consequences than forged passports.
This current hack is as much newsworthy as someone photocopying a passport.