UK RFID Passports Cracked Already

from the feeling-safer? dept

There’s been an odd rush by governments to move to RFID passports, even though there are serious concerns about how secure they really are. Over in the UK, where many RFID passports are already in use, a security researcher and a reporter were able to crack some aspects of the passport. It is, admittedly, a limited crack, but it could potentially be used to make a clone RFID chip for a counterfeit passport. While the UK government claims this crack is no big deal, you’d have to think that it shouldn’t take long for other problems to show up as well. What seems pretty clear from the description is that the implementation was done without all that much thought given to the security side of the equation. We’re not as down on RFIDs as some people are — but with all the questions about security and privacy issues, you would think that officials would have been extra careful before sticking them in something such as a passport. Apparently not.


Comments on “UK RFID Passports Cracked Already”

29 Comments
ehrichweiss says:

Re: Why RFID?

Smart cards are more hackable than RFID is. If you want proof of this you have to look no further than the efforts of the satellite hacking community, as they have been hacking smartcard technology for about 10 years now. There are hacks for the Kinkos/Fedex smartcards and I’m quite sure there are hacks for Visa/Mastercards with the smartchips in them as well, even if I haven’t seen one (thanks to the DMCA, nobody’s gonna admit they know it can be done).

So no, I don’t think we should move to smart cards either.

Forrest says:

Re: Re:

First thing Bob, just in case you’re kidding ha, ha, ha

But with the frightening likelihood that you are serious: Yes, let’s build ourselves into a frightened isolationist state, afraid to step outside of our door for fear of all the bad people out there. Let’s be that crazy lady who never lets anyone into her house and lives in her own filth and waste and paranoia until three years later her neighbors break down the door because the smell is starting to bother them. Let’s stagnate inside of our own borders as the world moves on without us. Think for a moment how well isolating themselves worked for Japan, China, etc. In the unlikely event that we do something so cowardly and foolish I’m the first out of the country, Bob. And stop blaming the environmentalists for everything, it’s thanks to them you don’t need a gas mask to go for a walk and can actually catch fish in the wild anywhere.

Anonymous Coward says:

Re: Re:

Well, “Bob”…

There’s this thing called “gains from trade..”

Certainly, could be self-sufficient..

But do you want to pay $3000 for a mid-range computer, or $30 for a new cheap t-shirt, or $5 for one new pair of underwear?

Everything that is manufactured overseas is done so because it’s cheaper, and most things are. The few that are ‘manufactured’ here are really just assembled here; the input components were forged elsewhere in most cases. And the inputs for those inputs? Probably made elsewhere too.

But asking a six-pack Bob to consider meaty issues like international trade, CPI, and inflationary pressures is a lot, I know, especially for a Saturday. Go back to the TV and stop voting.

Anonymous Coward says:

Re: Re: Re:

And just to follow up to myself.. There’s a huge array of things that admittedly might be designed here but are manufactured elsewhere. Every large-cap company in the United States is a multinational. If the ‘close the borders’ crowd ever got enough idiots in Congress, the very next day they’d have to deal with the realization that things like jet engines are suddenly impossible to fix, many computer components are impossible to replace, a lot of scientific equipment can be designed but not acquired, repaired or replaced. Most of our retail stores would empty themselves without replacements, and with no inventory to sell, they’d close. Consumer confidence would be destroyed, so those factories you might think, Bob, that would spring up to fill the needs of the US, they’re too busy either trying to adjust to the huge supply shock or closing their doors as the elite businessmen and women of the country flee to other countries not run by idiots so that they can make money elsewhere. And because there would be no demand for their stuff, since, well, like I said, retail stores would close years before the capital stock of the country could retool for such purposes.

Not to even mention the number of high-paying highly trained professionals that would have to be retasked to menial factory labor to replace the untrained automaton Chinese that were doing our dirty work for next to free beforehand.

All in all, yep, great plan “Bob”.

Anonymous Coward says:

Re: Re:

I hope deep in my heart that you are kidding, Bob. What do we have then? Any isolationist regime is going to quickly turn into communism/fascism/dictatorship, since with no way for the UN etc to sanction us or impose human rights thingys on us, the government would go corrupt faster than a hard drive near a magnet. Since no one could leave, everyone would want to, and the only way to stop that would be oppression. What happens to our life, liberty, and pursuit of happiness then? It all goes down the f***ing drain, to crooks like Bush and Rumsfeld.

Forrest says:

Re: Re: Re:

*blink*
It sounds like you’re joking Rico, because that statement doesn’t make any sense, but from your link you seem to be serious…

Why on earth would we (I consider myself an environmentalist) want to be “punishing success and hurting American business”? Surely preserving our environment from turning into one big parking lot/dumping ground/barren wasteland is a worthy goal all by itself. I can understand a lot of argument about environmentalism, but this one is honestly really dumb…

Anti_Anonymous_Coward says:

Give it a rest

Nice to see you have it all figured out, AC. I will bet that Greenspan wishes he had your expertise during his tenure so he could have managed this $10+ trillion economy with the same certainty in cause and effect that you seem to possess. At least Forrest gave us an amusing visual. You merely gave us an insight into how pathetic one sounds when his life is limited to cruising bulletin boards offering posts to compensate for the fact that nobody he knows gives a rats’ a$$ what he has to say.

Thanks for your opinion Bob…

Guy says:

Can’t you just ask people the 3 most important questions anymore

Did you pack your bags yourself?
Have your bags been in your possession the whole time?
Has anyone asked you to take anything on board?

Question 1- Unless you’re a child, who else is going to pack your bags?

Question 2- Because I’m sure there are lots of people leaving their luggage full of all the clothes and personal items just sitting around

Question 3- Seriously, if someone came to you and said please take this on the plane with you, are you seriously going to f-ing do it?

coolhandw says:

Re: Guy Nov 18th

The plane that went down over Lockerbie, Scotland was the result of a gullible person accepting a “radio” to carry for a “friend”. Only the radio was a bomb. Hence question number 3. Sadly there are evil people in the world and gullible people travelling for the first time who have not thought about the security implications of their actions. As silly as the questions sound, they served their purpose of raising the awareness of the population.

Chris says:

Electronics always fail

With any security measure there’s always a way around it. Security is not prevention, it’s postponement. In today’s world everything is secured by encryption, and it’s just a matter of putting the effort into devising a way to crack that encryption. To get around most encryptions it would take more time and money than it’s worth for the reward you might get if you’re successful, and that’s the only real deterrent.

supercat (user link) says:

Can someone explain any reason why a contactless RFID system would be more secure than a contact-based system? Many existing implementations of contact-based systems are flawed, but a new implementation designed to use RFID would be just as likely to have flaws as a new contact-based system. Since contact-based devices can use more electrical power than RFID systems, they could use more sophisticated encryption schemes. Further, contact-based devices are far more immune to RF snooping.

So what’s the advantage of RFID systems?

Also, I’m a bit confused as to the difficulty of making a secure system. What security weaknesses would exist with the following:

(1) Factory creates RSA chips, each with a unique hard-coded id, private key, and public key. The factory keeps a list of the id’s and public keys; the private keys are destroyed after the chips are manufactured and are handled in such fashion as to ensure their destruction.

(2) When a user goes to perform a transaction, his ID is read out and used to access the key database. The public key, or a cryptographic hash thereof, is retrieved and compared with that in the chip.

(3) Next the reader generates a random string, encrypts it with the public key, and sends it to the chip. The chip decrypts it with its private key and sends it back.

Assuming a decent length of key is used, how could this system be attacked?
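The three steps in the comment above, run end to end as an added example (not part of the original comment or any real passport implementation). The class names, the registry layout, the chip id and the toy unpadded RSA key built from two Mersenne primes are all assumptions made for illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent (assumed; the comment does not name one)

def fingerprint(n):
    """Hash of the public modulus, as stored in the issuer's database (step 2)."""
    return hashlib.sha256(str(n).encode()).hexdigest()

class Chip:
    """Step 1: id, public key, and a private exponent that never leaves the chip."""
    def __init__(self, chip_id, p, q):
        self.chip_id, self.n = chip_id, p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private key, not readable
    def public(self):
        return self.chip_id, self.n
    def respond(self, ciphertext):
        return pow(ciphertext, self._d, self.n)  # decrypt the challenge

class Clone:
    """Copy of what a reader can see: id, public key, one recorded response."""
    def __init__(self, chip, recorded_response):
        self.chip_id, self.n = chip.public()
        self.recorded = recorded_response
    def public(self):
        return self.chip_id, self.n
    def respond(self, ciphertext):
        return self.recorded  # no private key, so it can only replay

def verify(token, registry):
    chip_id, n = token.public()
    if registry.get(chip_id) != fingerprint(n):       # step 2: key lookup
        return "unknown-key"
    challenge = secrets.randbelow(n - 2) + 2          # step 3: fresh random value
    if token.respond(pow(challenge, E, n)) != challenge:
        return "bad-response"
    return "ok"

# Constructed sample data: toy key sizes only, far too short for real use.
genuine = Chip("GB-0001", 2**89 - 1, 2**107 - 1)
registry = {genuine.chip_id: fingerprint(genuine.n)}
clone = Clone(genuine, genuine.respond(pow(12345, E, genuine.n)))
swapped = Chip("GB-0001", 2**61 - 1, 2**127 - 1)      # same id, different key

if __name__ == "__main__":
    for name, token in [("genuine", genuine), ("clone", clone), ("swapped", swapped)]:
        print(name, verify(token, registry))
```

The clone fails because each challenge is fresh, so a recorded response is useless without the private exponent; the swapped-key token fails earlier, at the database comparison in step 2.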

LJSeinfeld (profile) says:

RFID vs SmartCards

For the record… (at least as it applies to satellite tv) the encryption on the smart cards was never defeated. Access to the sensitive parts of the card was achieved by “glitching” the card with commands @ different timing and subjecting the chip to different voltages than the card was originally designed for. After a while, the card would “puke” and then ATR — once the card ATR’d you were in, and could read / write to the chip with normal commands.

New smartcards have clock timing functions on both the inside and outside of the secure part of the card making glitching pretty-much useless…

RFID technology is neat, and potentially useful for many things, but being RF, it lends itself to too many other useful things that the holder of the device may be unaware of.. like tracking movements, seeing what item on a given store display was picked up / put down, etc.

I’d imagine that it would not be long before people would be able to construct an “American” (or insert the nationality of your choice) detector that could identify the presence of an American in a crowd full of people, and then help to ferret them out. (not to go all “tinfoil hat” on you or anything).

There has to be a better and less-intrusive way…

toxiccom says:

Re: Re:

really, get rid of the passport, everything should be in ur fingerprint, multipass credit cards banking lets get it over and done with, I would want to pay and travel with my finger, sometimes 10….privacy still exists? what would that be, that u don’t do anything… tel is big brother! so if u dont call and dont surf on the web, dont spend money with ur credit card and surely dont travel dont work, u will have little data if anyone wants to check on u which isnt likely in a 6bi. world
