UK RFID Passports Cracked Already

from the feeling-safer? dept

There's been an odd rush by governments to move to RFID passports, even though there are serious concerns about how secure they really are. Over in the UK, where many RFID passports are already in use, a security researcher and a reporter were able to crack some aspects of the passport. It is, admittedly, a limited crack, but it could potentially be used to make a clone RFID chip for a counterfeit passport. While the UK government claims this crack is no big deal, you'd have to think that it shouldn't take long for other problems to show up as well. What seems pretty clear from the description is that the implementation was done without all that much thought given to the security side of the equation. We're not as down on RFIDs as some people are -- but with all the questions about security and privacy issues, you would think that officials would have been extra careful before sticking them in something such as a passport. Apparently not.


Reader Comments

  1.  
    bigGeorge, Nov 17th, 2006 @ 8:09pm

    rfid passports

    This RFID passport thing was all about giving the high value contract to friendly concerns anyway - it's a money spinner, and that's all it ever was/is. Same holds true for ID cards. While everyone argues over little issues, a privileged minority gets richer...

     

  2.  
    Anonymous Coward, Nov 17th, 2006 @ 9:47pm

    sad but true

     

  3.  
    DittoBox, Nov 17th, 2006 @ 9:53pm

    Why RFID?

    Why not smart cards? They're cheaper, safer, require contact with a reader etc...

     

  4.  
    Anonymous Coward, Nov 17th, 2006 @ 11:12pm

    No problems, no worries lemmings, just go about your business... LOL

     

  5.  
    ehrichweiss, Nov 18th, 2006 @ 6:05am

    Re: Why RFID?

    Smart cards are more hackable than RFID is. If you want proof of this you have to look no further than the efforts of the satellite hacking community as they have been hacking smartcard technology for about 10 years now. There are hacks for the Kinkos/Fedex smartcards and I'm quite sure there are hacks for Visa/Mastercard's with the smartchips in them as well even if I haven't seen one (thanks to the DMCA, nobody's gonna admit they know it can be done).

    So no, I don't think we should move to smart cards either.

     

  6.  
    Anonymous Coward, Nov 18th, 2006 @ 7:49am

    business plan 101

    Note to Self... start business to build portable scanners for hackers.... sell on Ebay.... make a mint

    Then the govt gives out another multibazillion dollar/euro contract for the vs2 chip etc etc etc

     

  7.  
    Bob, Nov 18th, 2006 @ 8:23am

    Why just eliminate travel in and out of our country then there is no need for passports. We can easily survive as a self supporting country if only the damn environmental activists would let us drill for oil and build refineries in the US

     

  8.  
    Forrest, Nov 18th, 2006 @ 8:50am

    Re:

    First thing Bob, just in case you're kidding ha, ha, ha

    But with the frightening likelihood that you are serious: Yes, let's build ourselves into a frightened isolationist state, afraid to step outside of our door for fear of all the bad people out there. Let's be that crazy lady who never lets anyone into her house and lives in her own filth and waste and paranoia until three years later her neighbors break down the door because the smell is starting to bother them. Let's stagnate inside of our own borders as the world moves on without us. Think for a moment how well isolating themselves worked for Japan, China, etc. In the unlikely event that we do something so cowardly and foolish I'm the first out of the country Bob. And stop blaming the environmentalists for everything, it's thanks to them you don't need a gas mask to go for a walk and can actually catch fish in the wild anywhere.

     

  9.  
    Creative thinker, Nov 18th, 2006 @ 9:51am

    Unbeatable, please

    Any system can be beat. The only way to beat a majority of the people that would do this is to have multiple checks. Biometric, electronic (smart-card, RF-ID), photo recognition and humans. Is the cost really worth the effort?

     

  10.  
    Anonymous Coward, Nov 18th, 2006 @ 11:50am

    "Is the cost really worth the effort?"

    Huh?

     

  11.  
    Anonymous Coward, Nov 18th, 2006 @ 12:14pm

    Re:

    Well, "Bob"...

    There's this thing called "gains from trade.."

    Certainly, could be self-sufficient..

    But do you want to pay $3000 for a mid-range computer, or $30 for a new cheap t-shirt, or $5 for one new pair of underwear?

    Everything that is manufactured overseas is done so because it's cheaper, and most things are. The few that are 'manufactured' here are really just assembled here; the input components were forged elsewhere in most cases. And the inputs for those inputs? Probably made elsewhere too.

    But asking a six-pack Bob to consider meaty issues like international trade, CPI, and inflationary pressures is a lot, I know, especially for a Saturday. Go back to the TV and stop voting.

     

  12.  
    Anonymous Coward, Nov 18th, 2006 @ 12:21pm

    Re: Re:

    And just to follow up to myself.. There's a huge array of things that admittedly might be designed here but are manufactured elsewhere. Every large-cap company in the United States is a multinational. If the 'close the borders' crowd ever got enough idiots in Congress, the very next day they'd have to deal with the realization that things like jet engines are suddenly impossible to fix, many computer components are impossible to replace, a lot of scientific equipment can be designed but not acquired, repaired or replaced. Most of our retail stores would empty themselves without replacements, and with no inventory to sell, they'd close. Consumer confidence would be destroyed, so those factories you might think, Bob, that would spring up to fill the needs of the US, they're too busy either trying to adjust to the huge supply shock or closing their doors as the elite businessmen and women of the country flee to other countries not run by idiots so that they can make money elsewhere. And because there would be no demand for their stuff, since, well, like I said, retail stores would close years before the capital stock of the country could retool for such purposes.

    Not to even mention the number of high-paying highly trained professionals that would have to be retasked to menial factory labor to replace the untrained automaton Chinese that were doing our dirty work for next to free beforehand.

    all in all, yep, great plan "Bob".

     

  13.  
    B_Billy, Nov 18th, 2006 @ 2:24pm

    Re: Re: Re:

    AC 11 + 12:
    I'm pretty sure Bob was being sarcastic.

     

  14.  
    Anonymous Coward, Nov 18th, 2006 @ 4:25pm

    Nothing much to say really

     

  15.  
    Anonymous Coward, Nov 18th, 2006 @ 5:16pm

    Re:

    I hope deep in my heart that you are kidding, Bob. What do we have then? Any isolationist regime is going to quickly turn into communism/fascism/dictatorship, since with no way for the UN etc to sanction us or impose human rights thingys on us, the government would go corrupt faster than a hard drive near a magnet. Since no one could leave, everyone would want to, and the only way to stop that would be oppression. What happens to our life, liberty, and pursuit of happiness then? It all goes down the f***ing drain, to crooks like Bush and Rumsfeld.

     

  16.  
    Anti_Anonymous_Coward, Nov 18th, 2006 @ 5:30pm

    Give it a rest

    Nice to see you have it all figured out AC. I will bet that Greenspan wishes he had your expertise during his tenure so he could have managed this $10+ trillion economy with the same certainty in cause effect that you seem to possess. At least Forrest gave us an amusing visual. You merely gave us an insight into how pathetic one sounds when his life is limited to cruising bulletin boards offering posts to compensate for the fact that nobody he knows gives a rats' a$$ what he has to say.

    Thanks for your opinion Bob...

     

  17.  
    Quote of the day, Nov 18th, 2006 @ 5:32pm

    Re: Anonymous Coward

    How much easier it is to be critical than to be correct.
    - Benjamin Disraeli

     

  18.  
    Alex, Nov 18th, 2006 @ 5:54pm

    Re: Re: Why RFID?

    Aye, but if you only ever handed it over to (presumably very well vetted) airport security, it'd be pretty much unhackable. Especially if you improved upon the security features already available in the RFID passports (encryption etc.).

     

  19.  
    Rico J. Halo, Nov 18th, 2006 @ 8:20pm

    Re:

    What most people don't realize is that the environmentalists don't give a rip about the environment. It's all about punishing success and hurting American business for them. Sad but true.

    www.thatpoliticalblog.com

     

  20.  
    Guy, Nov 18th, 2006 @ 10:10pm

    Can't you just ask people the 3 most important questions anymore

    Did you pack your bags yourself?
    Have your bags been in your possession the whole time?
    Has anyone asked you to take anything on board?

    Question 1- Unless you're a child who else is going to pack your bags?

    Question 2- Because I'm sure there are lots of people leaving their luggage full of all the clothes and personal items just sitting around

    Question 3- Seriously if someone came to you and said please take this on the plane with you are you seriously going to f-ing do it?

     

  21.  
    coolhandw, Nov 19th, 2006 @ 4:22am

    Re: Guy Nov 18th

    The plane that went down over Lockerbie, Scotland was the result of a gullible person accepting a "radio" to carry for a "friend". Only the radio was a bomb. Hence question number 3. Sadly there are evil people in the world and gullible people travelling for the first time who have not thought about the security implications of their actions. As silly as the questions sound, they served their purpose of raising the awareness of the population.

     

  22.  
    Chris, Nov 19th, 2006 @ 9:45am

    Electronics always fail

    With any security measure there's always a way around it. Security is not prevention, it's postponement. In today's world everything is secured by encryption, and it's just a matter of putting the effort into devising a way to crack that encryption. To get around most encryptions it would take more time and money than it's worth for the reward you might get if you're successful, and that's the only real deterrent.

     

  23.  
    supercat, Nov 19th, 2006 @ 12:07pm

    Can someone explain any reason why a contactless RFID system would be more secure than a contact-based system? Many existing implementations of contact-based systems are flawed, but a new implementation designed to use RFID would be just as likely to have flaws as a new contact-based system. Since contact-based devices can use more electrical power than RFID systems, they could use more sophisticated encryption schemes. Further, contact-based devices are far more immune to RF snooping.

    So what's the advantage of RFID systems?

    Also, I'm a bit confused as to the difficulty of making a secure system. What security weaknesses would exist with the following:

    (1) Factory creates RSA chips, each with a unique hard-coded id, private key, and public key. The factory keeps a list of the id's and public keys; the private keys are destroyed after the chips are manufactured and are handled in such fashion as to ensure their destruction.

    (2) When a user goes to perform a transaction, his ID is read out and used to access the key database. The public key, or a cryptographic hash thereof, is retrieved and compared with that in the chip.

    (3) Next the reader generates a random string, encrypts it with the public key, and sends it to the chip. The chip decrypts it with its private key and sends it back.

    Assuming a decent length of key is used, how could this system be attacked?

     

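The three steps in supercat's comment, simulated in Python as an added example that is not part of the original thread. It uses unpadded textbook RSA with small Mersenne-prime keys purely for illustration; `Chip`, `Clone`, `reader_verify` and the `CHIP-0001` ID are hypothetical names.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Toy textbook RSA from two primes: returns ((n, e), d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)

def key_hash(pub):
    """Hash of the public key, as stored in the factory database (step 1)."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

class Chip:
    """Genuine chip: holds the private exponent and never reveals it."""
    def __init__(self, chip_id, pub, d):
        self.chip_id, self.pub, self._d = chip_id, pub, d
    def respond(self, ciphertext):
        return pow(ciphertext, self._d, self.pub[0])  # step 3: decrypt

class Clone:
    """Copy made from the ID and public key alone (all that step 2 exposes)."""
    def __init__(self, chip_id, pub):
        self.chip_id, self.pub = chip_id, pub
    def respond(self, ciphertext):
        return secrets.randbelow(self.pub[0])  # no private key, so it can only guess

def reader_verify(chip, registry):
    """Reader side of steps 2 and 3; returns (accepted, reason)."""
    expected = registry.get(chip.chip_id)
    if expected is None:
        return False, "unknown id"
    if key_hash(chip.pub) != expected:
        return False, "public key mismatch"
    n, e = chip.pub
    nonce = secrets.randbelow(n - 2) + 2  # fresh random challenge per transaction
    if chip.respond(pow(nonce, e, n)) != nonce:
        return False, "challenge failed"
    return True, "ok"

def demo():
    # Constructed sample data: Mersenne primes stand in for factory-generated keys.
    pub, d = make_keypair(2**61 - 1, 2**89 - 1)
    registry = {"CHIP-0001": key_hash(pub)}
    genuine = Chip("CHIP-0001", pub, d)
    clone = Clone("CHIP-0001", pub)
    # Same ID, but a key pair the factory never registered.
    rekeyed = Chip("CHIP-0001", *make_keypair(2**107 - 1, 2**127 - 1))
    return [reader_verify(c, registry) for c in (genuine, clone, rekeyed)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The genuine chip is accepted; the copy holding only the ID and public key fails the challenge, and a chip presenting the same ID with an unregistered key is rejected at step 2.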

  24.  
    PhysicsGuy, Nov 19th, 2006 @ 1:38pm

    oh come on... which is easy to forge: a plain old paper and picture passport or one with an RFID chip in it?

     

  25.  
    Forrest, Nov 19th, 2006 @ 5:54pm

    Re: Re:

    *blink*
    It sounds like you're joking Rico, because that statement doesn't make any sense, but from your link you seem to be serious...

    Why on earth would we (I consider myself an environmentalist) want to be "punishing success and hurting American business"? Surely preserving our environment from turning into one big parking lot/dumping ground/barren wasteland is a worthy goal all by itself. I can understand a lot of argument about environmentalism, but this one is honestly really dumb...

     

  26.  
    LJSeinfeld, Nov 19th, 2006 @ 10:27pm

    RFID vs SmartCards

    For the record... (at least as it applies to satellite tv) the encryption on the smart cards was never defeated. Access to the sensitive parts of the card was achieved by "glitching" the card with commands @ different timing and subjecting the chip to different voltages than the card was originally designed for. After awhile, the card would "puke" and then ATR -- once the card ATR'd you were in-- and could read / write to the chip with normal commands.

    New smartcards have clock timing functions on both the inside and outside of the secure part of the card making glitching pretty-much useless...

    RFID technology is neat, and potentially useful for many things, but being RF, it lends itself to too many other useful things that the holder of the device may be unaware of.. like tracking movements, seeing what item on a given store display was picked up / put down, etc.

    I'd imagine that it would not be long before people would be able to construct an "American" (or insert the nationality of your choice) detector that could identify the presence of an American in a crowd full of people, and then help to ferret them out. (not to go all "tinfoil hat" on you or anything).

    There has to be a better and less-intrusive way...

     

  27.  
    stephen roberts, Nov 20th, 2006 @ 9:33am

    Why can't these RFID cards just have an 'on/off' switch??? Do we _really_ want our passports always on?? Just a little thumb button that turns it on when we are ready to go thru customs and off the rest of the time...

    Seems like a simple idea, at least

     

  28.  
    toxiccom, Nov 20th, 2006 @ 8:41pm

    Re: Re:

    only 5 bucks for underwear wou.... calvin k made in mafeking lol

     

  29.  
    toxiccom, Nov 20th, 2006 @ 9:18pm

    Re:

    really, get rid of the passport , everything should be in ur fingerprint, multypass credit cards banking lets get it over and done with, I would want to pay and travel with my finger, sometimes 10....privacy still exists? what would that be, that u don't do anything... tel is big brother! so if u dont call and dont surf on the web, dont spend money with ur credit card and surely dont travel dont work, u will have little data if anyone wants to check on u which isnt likely in a 6bi. world

     
