UK RFID Passports Cracked Already

from the feeling-safer? dept

There's been an odd rush by governments to move to RFID passports, even though there are serious concerns about how secure they really are. Over in the UK, where many RFID passports are already in use, a security researcher and a reporter were able to crack some aspects of the passport. It is, admittedly, a limited crack, but it could potentially be used to make a clone RFID chip for a counterfeit passport. While the UK government claims this crack is no big deal, you'd have to think that it shouldn't take long for other problems to show up as well. What seems pretty clear from the description is that the implementation was done without all that much thought given to the security side of the equation. We're not as down on RFIDs as some people are -- but with all the questions about security and privacy issues, you would think that officials would have been extra careful before sticking them in something such as a passport. Apparently not.


Reader Comments

  • bigGeorge, 17 Nov 2006 @ 8:09pm

    rfid passports

    this rfid passport thing was all about giving the high value contract to friendly concerns anyway - it's a money spinner, and that's all it ever was/is. same holds true for id cards. while everyone argues over little issues, a privileged minority gets richer...

  • Anonymous Coward, 17 Nov 2006 @ 9:47pm

    sad but true

  • DittoBox, 17 Nov 2006 @ 9:53pm

    Why RFID?

    Why not smart cards? They're cheaper, safer, require contact with a reader etc...

    • ehrichweiss, 18 Nov 2006 @ 6:05am

      Re: Why RFID?

      Smart cards are more hackable than RFID is. If you want proof of this you have to look no further than the efforts of the satellite hacking community as they have been hacking smartcard technology for about 10 years now. There are hacks for the Kinkos/Fedex smartcards and I'm quite sure there are hacks for Visa/Mastercard's with the smartchips in them as well even if I haven't seen one (thanks to the DMCA, nobody's gonna admit they know it can be done).

      So no, I don't think we should move to smart cards either.

      • Alex, 18 Nov 2006 @ 5:54pm

        Re: Re: Why RFID?

        Aye, but if you only ever handed it over to (presumably very well vetted) airport security, it'd be pretty much unhackable. Especially if you improved upon the security features already available in the RFID passports (encryption etc.).

  • Anonymous Coward, 17 Nov 2006 @ 11:12pm

    No problems, no worries lemmings, just go about your business... LOL

  • Anonymous Coward, 18 Nov 2006 @ 7:49am

    business plan 101

    Note to Self... start business to build portable scanners for hackers.... sell on Ebay.... make a mint

    Then the govt gives out another multibazillion dollar/euro contract for the vs2 chip etc etc etc

  • Bob, 18 Nov 2006 @ 8:23am

    Why just eliminate travel in and out of our country then there is no need for passports. We can easily survive as a self supporting country if only the damn environmental activists would let us drill for oil and build refineries in the US

    • Forrest, 18 Nov 2006 @ 8:50am

      Re:

      First thing Bob, just in case you're kidding ha, ha, ha

      But with the frightening likelihood that you are serious: Yes, let's build ourselves into a frightened isolationist state, afraid to step outside of our door for fear of all the bad people out there. Let's be that crazy lady who never lets anyone into her house and lives in her own filth and waste and paranoia until three years later her neighbors break down the door because the smell is starting to bother them. Let's stagnate inside of our own borders as the world moves on without us. Think for a moment how well isolating themselves worked for Japan, China, etc. In the unlikely event that we do something so cowardly and foolish I'm the first out of the country Bob. And stop blaming the environmentalists for everything, it's thanks to them you don't need a gas mask to go for a walk and can actually catch fish in the wild anywhere.

    • Anonymous Coward, 18 Nov 2006 @ 12:14pm

      Re:

      Well, "Bob"...

      There's this thing called "gains from trade.."

      Certainly, could be self-sufficient..

      But do you want to pay $3000 for a mid-range computer, or $30 for a new cheap t-shirt, or $5 for one new pair of underwear?

      Everything that is manufactured overseas is done so because it's cheaper, and most things are. The few that are 'manufactured' here are really just assembled here; the input components were forged elsewhere in most cases. And the inputs for those inputs? Probably made elsewhere too.

      But asking a six-pack Bob to consider meaty issues like international trade, CPI, and inflationary pressures is a lot, I know, especially for a Saturday. Go back to the TV and stop voting.

      • Anonymous Coward, 18 Nov 2006 @ 12:21pm

        Re: Re:

        And just to follow up to myself.. There's a huge array of things that admittedly might be designed here but are manufactured elsewhere. Every large-cap company in the United States is a multinational. If the 'close the borders' crowd ever got enough idiots in congress, the very next day they'd have to deal with the realization that things like jet engines are suddenly impossible to fix, many computer components are impossible to replace, a lot of scientific equipment can be designed but not acquired, repaired or replaced. Most of our retail stores would empty themselves without replacements, and with no inventory to sell, they'd close. Consumer confidence would be destroyed, so those factories you might think, Bob, that would spring up to fill the needs of the US, they're too busy either trying to adjust to the huge supply shock or closing their doors as the elite businessmen and women of the country flee to other countries not run by idiots so that they can make money elsewhere. And because there would be no demand for their stuff, since, well, like I said, retail stores would close years before the capital stock of the country could retool for such purposes.

        Not to even mention the number of high-paying highly trained professionals that would have to be retasked to menial factory labor to replace the untrained automaton Chinese that were doing our dirty work for next to free beforehand.

        all in all, yep, great plan "Bob".

      • toxiccom, 20 Nov 2006 @ 8:41pm

        Re: Re:

        only 5 bucks for underwear wou.... calvin k made in mafeking lol

    • Anonymous Coward, 18 Nov 2006 @ 5:16pm

      Re:

      I hope deep in my heart that you are kidding, Bob. What do we have then? Any isolationist regime is going to quickly turn into communism/fascism/dictatorship, since with no way for the UN etc to sanction us or impose human rights thingys on us, the government would go corrupt faster than a hard drive near a magnet. Since no one could leave, everyone would want to, and the only way to stop that would be oppression. What happens to our life, liberty, and pursuit of happiness then? It all goes down the f***ing drain, to crooks like Bush and Rumsfeld.

    • Rico J. Halo, 18 Nov 2006 @ 8:20pm

      Re:

      What most people don't realize is that the environmentalists don't give a rip about the environment. It's all about punishing success and hurting American business for them. Sad but true.

      www.thatpoliticalblog.com

      • Forrest, 19 Nov 2006 @ 5:54pm

        Re: Re:

        *blink*
        It sounds like you're joking Rico, because that statement doesn't make any sense, but from your link you seem to be serious...

        Why on earth would we (I consider myself an environmentalist) want to be "punishing success and hurting American business"? Surely preserving our environment from turning into one big parking lot/dumping ground/barren wasteland is a worthy goal all by itself. I can understand a lot of argument about environmentalism, but this one is honestly really dumb...

  • Creative thinker, 18 Nov 2006 @ 9:51am

    Unbeatable, please

    Any system can be beat. The only way to beat a majority of the people that would do this is to have multiple checks. Biometric, electronic (smart-card, RF-ID), photo recognition and humans. Is the cost really worth the effort?

  • Anonymous Coward, 18 Nov 2006 @ 11:50am

    "Is the cost really worth the effort?"

    Huh?

  • Anonymous Coward, 18 Nov 2006 @ 4:25pm

    Nothing much to say really

  • Anti_Anonymous_Coward, 18 Nov 2006 @ 5:30pm

    Give it a rest

    Nice to see you have it all figured out AC. I will bet that Greenspan wishes he had your expertise during his tenure so he could have managed this $10+ trillion economy with the same certainty in cause effect that you seem to possess. At least Forrest gave us an amusing visual. You merely gave us an insight into how pathetic one sounds when his life is limited to cruising bulletin boards offering posts to compensate for the fact that nobody he knows gives a rat's a$$ what he has to say.

    Thanks for your opinion Bob...

  • Quote of the day, 18 Nov 2006 @ 5:32pm

    Re: Anonymous Coward

    How much easier it is to be critical than to be correct.
    - Benjamin Disraeli

  • Guy, 18 Nov 2006 @ 10:10pm

    Can't you just ask people the 3 most important questions anymore

    Did you pack your bags yourself?
    Have your bags been in your possession the whole time?
    Has anyone asked you to take anything on board?

    Question 1- Unless you're a child who else is going to pack your bags?

    Question 2- Because I'm sure there are lots of people leaving their luggage full of all the clothes and personal items just sitting around

    Question 3- Seriously if someone came to you and said please take this on the plane with you are you seriously going to f-ing do it?

    • coolhandw, 19 Nov 2006 @ 4:22am

      Re: Guy Nov 18th

      The plane that went down over Lockerbie, Scotland was the result of a gullible person accepting a "radio" to carry for a "friend". Only the radio was a bomb. Hence question number 3. Sadly there are evil people in the world and gullible people travelling for the first time who have not thought about the security implications of their actions. As silly as the questions sound, they served their purpose of raising the awareness of the population.

  • Chris, 19 Nov 2006 @ 9:45am

    Electronics always fail

    With any security measure there's always a way around it. Security is not prevention, it's postponement. In today's world everything is secured by encryption, and it's just a matter of putting the effort into devising a way to crack that encryption. To get around most encryptions it would take more time and money than it's worth for the reward you might get if you're successful, and that's the only real deterrent.

  • supercat, 19 Nov 2006 @ 12:07pm

    Can someone explain any reason why a contactless RFID system would be more secure than a contact-based system? Many existing implementations of contact-based systems are flawed, but a new implementation designed to use RFID would be just as likely to have flaws as a new contact-based system. Since contact-based devices can use more electrical power than RFID systems, they could use more sophisticated encryption schemes. Further, contact-based devices are far more immune to RF snooping.

    So what's the advantage of RFID systems?

    Also, I'm a bit confused as to the difficulty of making a secure system. What security weaknesses would exist with the following:

    (1) Factory creates RSA chips, each with a unique hard-coded id, private key, and public key. The factory keeps a list of the id's and public keys; the private keys are destroyed after the chips are manufactured and are handled in such fashion as to ensure their destruction.

    (2) When a user goes to perform a transaction, his ID is read out and used to access the key database. The public key, or a cryptographic hash thereof, is retrieved and compared with that in the chip.

    (3) Next the reader generates a random string, encrypts it with the public key, and sends it to the chip. The chip decrypts it with its private key and sends it back.

    Assuming a decent length of key is used, how could this system be attacked?

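The three steps in supercat's comment above, as an added example that is not part of the original thread: a Python sketch of the enrolment database, the public-key hash check and the challenge-response, run against a genuine chip, a copy that holds only the readable id and public key, a chip carrying a key pair made elsewhere, and an unenrolled id. The class and function names, the ids and the toy unpadded RSA over fixed Mersenne primes are assumptions made for illustration; a real chip would hold its own randomly generated key and use a padded scheme.

```python
import hashlib
import secrets

E = 65537
# Toy textbook RSA: fixed Mersenne primes, no padding. Message flow only.
GENUINE_PRIMES = (2**127 - 1, 2**89 - 1)
OTHER_PRIMES = (2**107 - 1, 2**61 - 1)   # key pair made outside the factory

def make_keypair(primes):
    p, q = primes
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))   # (public, private d)

def fingerprint(pub):
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

class Chip:
    def __init__(self, chip_id, pub, d):
        self.chip_id, self.pub, self._d = chip_id, pub, d

    def respond(self, ciphertext):
        if self._d is None:          # a copy of the readable data only
            return 0
        return pow(ciphertext, self._d, self.pub[0])

def factory_enrol(db, chip_id):
    # Step 1: the database keeps id -> public-key hash, never the private key.
    pub, d = make_keypair(GENUINE_PRIMES)
    db[chip_id] = fingerprint(pub)
    return Chip(chip_id, pub, d)

def reader_verify(db, chip):
    # Step 2: look up the id and compare the stored hash with the chip's key.
    expected = db.get(chip.chip_id)
    if expected is None:
        return "unknown id"
    if not secrets.compare_digest(expected, fingerprint(chip.pub)):
        return "key mismatch"
    # Step 3: encrypt a fresh random challenge; only the private key recovers it.
    n, e = chip.pub
    challenge = secrets.randbelow(n - 2) + 2
    answer = chip.respond(pow(challenge, e, n))
    return "ok" if answer == challenge else "bad response"

def demo():
    db = {}
    genuine = factory_enrol(db, "chip-0001")            # constructed sample id
    copied = Chip(genuine.chip_id, genuine.pub, None)   # no private key
    own_pub, own_d = make_keypair(OTHER_PRIMES)
    rekeyed = Chip(genuine.chip_id, own_pub, own_d)     # right id, wrong key
    stranger = Chip("chip-9999", own_pub, own_d)        # never enrolled
    return [reader_verify(db, c) for c in (genuine, copied, rekeyed, stranger)]

if __name__ == "__main__":
    print(demo())
```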

  • PhysicsGuy, 19 Nov 2006 @ 1:38pm

    oh come on... which is easy to forge: a plain old paper and picture passport or one with an RFID chip in it?

  • LJSeinfeld, 19 Nov 2006 @ 10:27pm

    RFID vs SmartCards

    For the record... (at least as it applies to satellite tv) the encryption on the smart cards was never defeated. Access to the sensitive parts of the card was achieved by "glitching" the card with commands @ different timing and subjecting the chip to different voltages than the card was originally designed for. After awhile, the card would "puke" and then ATR -- once the card ATR'd you were in-- and could read / write to the chip with normal commands.

    New smartcards have clock timing functions on both the inside and outside of the secure part of the card making glitching pretty-much useless...

    RFID technology is neat, and potentially useful for many things, but being RF, it lends itself to too many other useful things that the holder of the device may be unaware of.. like tracking movements, seeing what item on a given store display was picked up / put down, etc.

    I'd imagine that it would not be long before people would be able to construct an "American" (or insert the nationality of your choice) detector that could identify the presence of an American in a crowd full of people, and then help to ferret them out. (not to go all "tinfoil hat" on you or anything).

    There has to be a better and less-intrusive way...

  • stephen roberts, 20 Nov 2006 @ 9:33am

    Why can't these RFID cards just have an 'on/off' switch??? Do we _really_ want our passports always on?? Just a little thumb button that turns it on when we are ready to go thru customs and off the rest of the time...

    Seems like a simple idea, at least

    • toxiccom, 20 Nov 2006 @ 9:18pm

      Re:

      really, get rid of the passport, everything should be in ur fingerprint, multypass credit cards banking lets get it over and done with, I would want to pay and travel with my finger, sometimes 10....privacy still exists? what would that be, that u don't do anything... tel is big brother! so if u dont call and dont surf on the web, dont spend money with ur credit card and surely dont travel dont work, u will have little data if anyone wants to check on u which isnt likely in a 6bi. world
