With my upcoming trip to Guatemala and Belize fast approaching, the thoughts of being an American citizen and thus requiring an RFID “enabled” (or should that be disabled) passport would really scare me.

The idea of “chip enabled” passports is not a bad idea, per se. But the idea of your *essentially private* data being readable by anyone in the close vicinity is a bad idea due to the technology used.

The basis for RFID passports is, I am assuming, that a person can pass through a security checkpoint, without having to queue for security personnel to check the passport and person visually.

That's a bad idea in itself. If you do this, you take away things that a human can do that a machine cannot do: recognise a person's current emotional state, and other smart profiling. (Simple but it works.)

Now that RFID passports have been cloned, this scares the bejaysus out of me even more. As the hacker at the Black Hat conference showed through a proof of concept, nasty people could use RFID readers to profile a passport of a certain nation, and use it to detonate an explosive device.

RFID passport manufacturers defend these devices. Well, they would say that.

“Even if someone could copy the information on your e-passport chip, it doesn’t achieve anything, because all of the information is locked together in such a way that it can’t be changed. It’s no different than someone stealing your electronic passport and trying to use it. No one else can use it because your photo is on the chip and they’re not you,” said Randy Vanderhoof, executive director of the Smart Card Alliance.

I am not exactly sure what Mr. Vanderhoof is trying to say here. I understand the words. Someone can copy the information, but the photo isn’t them and therefore it's not you. Riiight.

The Smart Card Alliance said the standards adopted by the global electronic passport program make passports “virtually impossible” to counterfeit.

But there is still that opportunity of it being counterfeited. One security advantage of paper passports over RFID passports is that someone will have to physically access it, either a) on your body, b) from your house, or of course, c) buy it from someone else.

Theoretically, with RFID passports, the criminal only has to be in close proximity to you, while the passport reader <-> passport data conversation is going on, to access the information on it.

Useful links:

How to clone the copy-friendly biometric passport
US gets RFID passports
Kiddiprinters! EU biometric ID plans reach out for the children
UK ID card scheme near collapse, as Blair pushes cut-down ‘variant’
Industry group defends e-passports
Wired-Hackers Clone E-Passports
Schneier on Security-Hackers Clone RFID Passports

US to launch RFID passports on Monday



3 Responses to “RFID Passports-hack the passport and other links”  

  1. 1 adam

    No doubt some clueless border operators would like to wave people through “cos de merkins gots de ‘lectric passport”, but that’s not the intention, Bernard. The basic premise is that the RFID tag can carry more identifying information, in particular biometric data that can be used as a further level of authentication. But yes, the US implementation - and by extension all the rest, because the US is forcing it on weak countries like… um… Ireland - is incredibly bad. How it’s got this far without any form of encryption at all is bizarre, and very very dangerous.

    It’s worth having a look around Bruce Schneier’s Crypto-Gram and blog for more; a search for ‘passports’ would probably turn up plenty of relevant information and commentary. No doubt Bruce would be labelled as a tree-hugging liberal by certain types, but his achievements and simple common sense should put paid to those kinds of suggestions.

  2. 2 bedlam

    You know my stand on the passports already but a few things need clarification.

    “The basis for RFID passports is, I am assuming, that a person can pass through a security checkpoint, without having to queue for security personnel to check the passport and person visually”

    No, if you re-read the Wired article, Frank Moss[0] states that they have no plans to automate the passport checking, so in the US at least there will still be the usual manual checks (assuming people don’t get lazy or you live in Australia….).

    “As the hacker at the Black Hat conference showed through a proof of concept, nasty people could use RFID readers to profile a passport of a certain nation, and use it to detonate an explosive device.”

    The demonstration required that the passport be opened partially (due to the fact that the cover has a built-in shield) for the ‘explosive’ to work; it also only had a range of 6 inches (I’m sure that range can be improved upon though).

    “I am not exactly sure what Mr. Vanderhoof is trying to say here. I understand the words. Someone can copy the information, but the photo isn’t them and therefore it's not you. Riiight.”

    Currently, all that can be done is the cloning of passports; any attempt to modify the data results in hashes failing and the passport coming up as tampered with.

    “Theoretically, with RFID passports, the criminal only has to be close proximity to you, while the passport reader <-> passport data conversation is going on, to access the information on it.”

    It is still the same with the RFID passports as non-RFID: you need physical access to the passport due to the Basic Access Control feature, which requires a key derived from printed data on the pages of the passport to unlock the RFID chip before you can clone it.

    [0] “deputy assistant secretary of state for passport services at the State Department,”

  1. 1 Global Security Watch

