Passport RFIDs cloned wholesale by $250 eBay auction spree

Using inexpensive off-the-shelf components, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next-generation driver's licenses. The $250 proof-of-concept device - which researcher Chris Paget built in his spare time - …

COMMENTS

This topic is closed for new posts.
  1. jake Silver badge

    RFID ... good for inventory, bad for security.

    RFID is a non-starter in the security business. Always has been. Always will be.

    No politician anywhere on the planet knows what security is. You might ask "Well, why do they keep layering on so-called "security", adding complexity, thus ensuring that it isn't even close to secure?" Good question ...

    In my opinion, it is because the folks employed by said politicians to come up with "security measures" don't bother to really understand the issues involved ... Why bother, when they can keep themselves employed by baffling their bosses with bullshit ...

    The world is run by a bunch of wealthy idiots with their heads in the sand, advised by people who are in constant fear of losing their jobs.

    Hopefully, me & mine will be gone when the hoi polloi rise up ... at this rate, it's gonna get very ugly, for a long time. Probably sooner, rather than later, alas ...

  2. Anonymous Coward
    Flame

    Was it really necessary

    to include the ebay reference in the title?

    Is it relevant where he bought [easily obtainable elsewhere] bits of kit, or did you not think that the story was sensational enough without it?

    I'm surprised you didn't try to crowbar in Google or Wikipedia, although you did manage to shoehorn Windows in to the story.

  3. Anonymous Coward
    Paris Hilton

    Obvious...

    Sorry, but it's not innovative, it's obvious, plenty of people have done this as a thought exercise if not actually implementing it. You can bet that there are gangs of black hats looking for commercial exploits as well.

    Hell, I've even gone as far as speccing the hardware/software to do it and argued with colleagues that the Government is so keen on RFID because it allows them to track all the sheeple who carry passports/ID cards and even credit cards (I *really* want a go on that water slide in the Visa contactless card ad).

    Just because you're a conspiracy theorist doesn't mean you're wrong!

    Anonymous because it's noisy enough here without black helicopters hovering nearby, and the obligatory tenuous PH;

    Paris, the best argument against contactless technology.

  4. Herby

    Now we need...

    ...a nice parts list and the software to use.

    Of course he really should have driven around Washington DC, then he could have gotten a big bunch of numbers! That would have shown them.

  5. Chris Miller

    "Just like a social security number"

    Isn't that the fundamental problem? As a UK citizen, I'm careful about revealing my NI (Social Security) Number, while reassured that if it falls into the wrong hands the resulting damage is fairly limited. In the US, in contrast, it appears that SSN gets used as an almost universal unique identifier, so bad problems (identity theft) can occur if it falls into the wrong hands.

    I'm not clear what damage is caused by revealing a passport ID. Again, in the UK, I need to reveal my passport number every time I travel abroad - not just to the government, but often to airlines, travel agencies etc. I don't get too worried by this, as I don't think that knowledge of my passport number would result in identity theft and (at present) my physical passport gets checked (usually about 5 times :( ) every time I travel and it's designed to be reasonably difficult to fake (although not, of course, impossible).

    The bottom line is: how concerned should I be that someone else can easily discover my passport identifier? If that's all that's needed for someone to travel around impersonating me (and result in the drugs squad breaking down my door at 3 in the morning), then the answer is clearly "very concerned". But is that actually the case?

  6. Pete

    Would you really

    Take your passport and driving license on a protest though?

    Unless the USA insists you always have your driving license on you, unlike the UK where you can present it later if stopped.

  7. Anonymous Coward
    Black Helicopters

    Computer hobbyist killed in tragic SF Tram accident

    He'll be dead in a week, no one will remember his name, he never lived in San Francisco and the on-line stories / videos will have been erased.

    Or was that an episode of 24 ??

  8. Anonymous Coward
    Coat

    Got in Himmel!

    I really am non-plussed by all this. In the face of the blindingly obvious inability to secure electronic information on a large and, with this demonstration, small scale why do our leaders continue to lavish valuable resources at "solutions". NO MAGIC BULLET EXISTS TO MAKE THINGS SECURE!! All that can ever be done is to diminish the likelihood of insecurity and enhance the detection of attempts and effects.

    With these failed and failing electronic and digital measures and counter measures are our leaders saying to us that they can never make us "safe" but that this is the least costly method of safety management and deterrence they and their consultant/pressure groups can come up with. If so then why don't they admit it, let the citizens and subjects come to terms with it and then see if that is what the public really want their money wasted on.

    All sides, so far, seem to have been captured by the illogical romance of a "Technological solution" and continue to waste money in the IT and consulting sectors.

  9. CABVolunteer
    Unhappy

    Google View?

    So is this the real purpose of those antennae-festooned Google View cars?

  10. Anonymous Coward
    Thumb Up

    Great line

    "track cattle and merchandise as it's shipped"

    what a wonderfully apt phrase to describe the handling of the average Western citizen by airlines.

  11. James Woods
    Pirate

    you siwwy rabbits

    When governments and financial institutions deploy these horrendous ideas of tagging that's not bad. What's bad is when the evil hackers use this technology in an educational manner to help educate and protect people.

    If the US government cared about passport security they wouldn't have them assembled/manufactured outside of the US like they do and we also wouldn't allow security scanning devices to be manufactured by companies outside of the country. Your security is only as good as the bottom line is to these corporations & to the governments we have.

    They won't spend the time/money securing things, they will spend it on harassing those like this nice chap that are trying to help people.

    Not to cross-post here but just look at the recent Monster scandal. If that were a smaller company they'd be out of business, with Monster it's just a mere pimple, on with the show.

  12. alain williams Silver badge

    Release the code now

    rather than wait to release the code - I would not be surprised if the US authorities stamped on him to maintain the illusion that these things are secure.

  13. Anonymous Coward
    Anonymous Coward

    Missed opportunity

    It would have been more interesting/scary to see the results from a scan in an airport drop off area or car park near a walkway exit.

    I would guess placing the RFID device in a metal box of some sort would stop scans?

  14. Wayland Sothcott

    Pinch Points

    Chris Paget suggests that at a pinch point such as a door way the credit cards could be scanned as well. I can see that a security camera could also snap your face there by putting a face to a number.

    I am completely stunned that such insecure technology is used. If the number was written in plain view most people would regard that as insecure. However having it as a radio signal makes it far easier to read. The amount of info given away at any one reading is tiny, but accurate. If that's multiplied by the thousands of reads a day possible in some locations and the thousands of locations where the reading is done, then it's clearly a very worrying issue.

  15. Richard

    A market for lead/foil lined wallets?

    I can see the new wallets and handbags being sold on eBay and QVC .. that's in addition to the tin foil beanie hats of course (seen the latest beanie hat with built in headphones?).

  16. Anonymous Coward
    Thumb Down

    I see no problem

    The cards come with protective sleeves to render them non-readable. If people are lax with their security, then that is *their* look-out; not the state's.

    This is just typical Register FUD.

  17. lglethal Silver badge
    Thumb Down

    I've never seen the point of RFIDs

    If you absolutely HAVE to go down the technology route (to save you that extra 10 minutes of waiting in line so you can get through security in order to spend the next 2 hours waiting in the airport's overly priced bar for your inevitably delayed flight) What is wrong with swiping a magnetic stripe card, like a credit or debit card. Hell even give it a pin number!

    Make it a chip and pin card, and boom we have security. Ok true it's only as secure as the encryption on it, but most people would consider your average credit/debit card fairly secure, and considering you're only planning to actually swipe these at the airport security point then I'd say you're fairly safe...

    Anyway just a thought, but it avoids the whole long distance raiding and I fail to see how this would be that much slower than an RFID scan!

  18. Gerry
    Black Helicopters

    @Pete @AC 11.56 GMT

    In the UK, in what seems to be a softening up for the ID Card it is almost impossible to do anything without showing your passport.

    I carry my new RFID'd passport in a conductive plastic bag (e.g., to the suspicion of the exam invigilator)

    Now here's a thought experiment:

    I get a passport legally

    I spend my $250 or whatever to build a gadget and take whatever time it takes to remotely read and crack the encryption on my own passport (eventually, monkeys shakespeare)

    I take the gadget into any bank, building society, airport, can I now harvest to my heart's delight?

  19. Doug Southworth

    @ Pete

    I'm not sure if it varies from state to state, but where I live you have 24 hours to present your license if you don't have it on you when stopped.

  20. Tom

    @Pete - In the US you pretty much need to keep ID on you all the time

    If you are stopped by the police and you can't produce your license, they can fine you. If you try to go to a bar after the protest, you'll need ID proving you are 21 to get in. They'll accept a license or a passport. If you need to cash a check, you need to present ID. Some folks even mark their credit cards telling the clerk to "See ID" to prevent fraud.

  21. Dave Bell

    RFID not entirely useless

    I wouldn't want RFID to be a primary identifier on a passport, but it might be useful for keeping track of passenger movements around an airport terminal. Not much advantage over CCTV, but it could be a locally valid label. Doesn't need a passport, but that's likely to stay with a passenger through his whole journey. Not every passport will have RFID.

    New passport for me next year... If it wasn't for the whole proof of being able to work in the EU business, and the official paranoia about illegal immigrants, I doubt I'd bother..

  22. Anonymous Coward
    Black Helicopters

    foil lined wallet already available

    http://www.proidee.ch/shop/P=02_CH_HPN592857/K=02_CH_120078/HI=produktuebersicht_bild

  23. Martin Silver badge
    Black Helicopters

    @"Just like a social security number"

    >I don't think that knowledge of my passport number would result in identity theft

    No but it might inconvenience you in future when your number is used to make a fake passport used by a terrorist/illegal immigrant/criminal

    The main concern is probably that 'they' can now track your location at all times without having to put up all those CCTV cameras. The reason for combining it with drivers licences is that you pretty much have to carry them 24/7 in the USA. You must have it on you while driving in most states and generally need to show it when you use a credit card.

  24. Eddy Ito
    Stop

    @Pete

    In my state it runs $35 - $150 if you don't have your DL on you when "The Man" asks. If he smells, or thinks he smells, vodka on the wind, not having the card is a criminal offense even if you blow 0 on the meter. Should you choose to exercise what many would say to be your 5th Amendment rights and not blow into the meter, that is also a criminal offense with an automatic penalty similar to a drunk driving conviction, unless you're a cop or politician. Some "are more equal than others" after all.

  25. Anonymous Coward
    Anonymous Coward

    @jake

    Well said.

    'No politician anywhere on the planet knows what security is. You might ask "Well, why do they keep layering on so-called "security", adding complexity, thus ensuring that it isn't even close to secure?" Good question ...'

    My guess. They think that computer security is like door locks. A door with two locks is more secure than one, so in the simple world of a politician, the same must apply to computers. And no IT provider staring billions in the eyes is going to dissuade them of that are they?

  26. David Halko
    Thumb Down

    One Mile Passive RFID Read? BOGUS!

    "the technology employs no encryption and can be read from distances of more than a mile"

    Documents leverage passive RFID.

    Better be a Photon Torpedo from the Starship Enterprise in a clear shot with a steel convex parabola on the other side of a passive RFID document to ensure the signal bounces back at the right distance! LOL!

    Having worked in an industry with RFID usage, there are reasons to be concerned (unauthorized reading), but when I read junk science with rhetoric & impossible claims, it makes me want to just ignore the subject.

  27. Anonymous Coward
    Black Helicopters

    Old News

    I seem to remember that the guys from Mythbusters managed to easily crack the RFID used on wavepay cards as well as other RFID devices, but then Discovery were then pressured by the card companies to not release the episode and show us quite how insecure they are.

  28. Gordon Jahn
    Thumb Down

    Re: AC

    In response to:

    "I'm surprised you didn't try to crowbar in Google or Wikipedia, although you did manage to shoehorn Windows in to the story."

    They did, but that probably isn't Windows running on that laptop. The decorations around the GUI window are from GNOME's default Crux theme. It might be Solaris, it might be Linux, but it's almost certainly not Windows on its own and I'd be surprised if it has Windows running there at all.

  29. J
    Black Helicopters

    Great

    For the "bad people", I'm sure.

    I can also see something like the following, in the near future:

    1- You are walking around in some area, with your RFID card(s) properly shielded in your wallet, etc.

    2- Said area is festooned with antennas, and surveillance people (or software) watching as people walk by the antennas.

    3- If you walk by the antenna and it does not detect anything, a copper is immediately sent to question you. In the lines of "Where is your ID?". Oh, it's there; but why are you hiding it in protective material?

    4- That is suspicious behaviour, innit? You must have something to hide. So, automatically, you must be a terrorist or something.

    (Bonus: you also just lost some time and was seen stopped and questioned by the police, which many people might consider embarrassing and/or intimidating; some will seriously consider not hiding their RFID signal anymore in the future to avoid this situation)

    We've got to protect the children from the terrorists, haven't we?

  30. Anonymous Coward
    Thumb Down

    "Protective" lining...

    The protective paper is a joke.

    http://arstechnica.com/security/news/2008/10/rfid-deployment-moving-forward-despite-security-flaws.ars

    Hope you don't have that card/paper in your pocket or wallet.

  31. Henry Wertz Gold badge

    Re: One Mile

    I agree with Dave, one mile is VERY VERY unlikely, or anywhere close to it -- the RFID chip is actually *powered* off the RF signal itself, the signal has to be pretty strong for it to work.

    That said, 30 feet is worrying, and extending it to 100 to (maybe) 1000 feet won't surprise me in the least. And is more worrying.

    ""From our standpoint the privacy issues have been misrepresented and blown out of proportion," she told The Reg. "Anytime that you have a new technology and use it in a new way, there are always going to be far-out ways to use information nefariously. We want travelers to be aware of the technology and to know how it works so that they can be comfortable using it." "

    Fine then, if they've got that attitude that buying $250 in off-the-shelf parts is "far out"... then I'll be "aware of the technology and to know how it works so" I "can be comfortable" knowing in the near future anyone who wants can go to the dodgy part of town and get a cheap, reliable fake passport (with real live RFID so it "must" be real).

  32. Orclev
    Paris Hilton

    Probably a mistake

    I'd bet that's supposed to be one meter, not one mile. In theory, with everything just right, a massive signal, and a big honking antenna (not to mention a really sturdy RFID chip that won't fry when the hyped up signal energizes it) you might just barely be able to read a RFID chip from a mile away. Reading from a distance of 1 meter however is entirely plausible, and in most cases fairly easy to accomplish.

    Paris because she's not so good with those metric units either.

  33. Oldfogey
    Coat

    Distances

    "Commander, we have detected the enemy at a range of one micron".

    Guess the TV show.

    The brown suede bomber jacket please.

  34. Henry Wertz Gold badge

    Not 1 meter...

    "I'd bet that's supposed to be one meter, not one mile."

    Nope! The test rig already did 30 feet -- that's like 10 meters. If I thought an RFID cloner could be improved *to* 1 meter I wouldn't be so concerned, although near a doorway or whatever that could still collect plenty of tags.

  35. Moss Icely Spaceport
    Thumb Down

    Volvo

    He drives a Volvo?

    WTF?

    LOL

  36. Andrew Barratt
    Unhappy

    Far out ways to use it?

    What a shocking response. This is not "far out". It is the method that will be employed by criminals.

    Identity harvesting business franchise starting in your area soon. Start up costs circa £500.

    Let's hope more care is taken with rfid credit cards... Or the fastest growing new business will be rfid crime.

  37. Anonymous Coward
    Flame

    Duh.

    "The cards also amount to electronic license plates that could be used to conduct clandestine surveillance. Law enforcement officials could scan them at political rallies and then store them in databases."

    Uh, yeah, that's the point. No matter what the security services tell us, their no.1 priority is the perpetuation of the real power and continuity in the country by internal control and suppression. They do have very assiduous scientists and were never ignorant of these possibilities...

  38. An nonymous Cowerd
    Coat

    RFID distance

    I've recently ordered a cryogenic low noise front end amplifier to go with an array of 900MHz antennas for trying to extend/understand the read distance of this US EDL style rfid. The rfid might get some energy from the cloud of GSM (850MHz in the 'states), it's not power at the resonant frequency, but there should be some field strength there to assist in the long range interrogation. I'm sure I'll not get up to the 70km read range of battlefield active IFF rfid's, but probably 100's of metres! I can easily stuff out many kilowatts erp of read requests and remember folks, Q2 2009 is when the ICAO extended biometrics (fingerprints) mandatedly arrive at euro 13MHz ePass, get your passport renewal in NOW to have a reasonable Jpeg based biometric for the next decade!

  39. Anonymous Coward
    Black Helicopters

    @Pete

    You are correct - at the moment, you can be given a 'Producer' to allow you to show your licence and insurance papers up to 7 days later if stopped by the wonderful police forces in England ( I don't know the proper Form number for it).

    But I suspect that will all change when ZaNew Labour finally force their ID cards on us and we have to carry them around at all times or face arrest on suspicion of... well, anything the "arresting officer" can think of at the time. I mean, if you have an ID card but don't carry it then you must not want to be identified. And the only reason you would not wish to let your caring, sharing political overlords and their enforcement pitbulls know where you are, what you are doing and who you are with at every second of the day is if you are doing something that they would not like.

    Remember - if you have nothing to hide, you have nothing to fear. Papers please, citizen.

  40. Anonymous Coward
    Alert

    @ Chris Miller

    National Insurance (Social Security for non UK residents) numbers are bandied about in government buildings all the time. If you go into a JobCentre+ (Welfare aka JC+) office you are asked for it to verify that you exist. However, people in JC+ offices aren't usually very far away and can easily hear you telling the AO (staffer) who then punches it into the (Windows XP Pro) terminal to extract your stuff. Then you have to confirm your address (the 1st line) which makes you fully discoverable just by keying it into Google (or whatever) and searching for the town you are in, using nothing more tecchy than a pen and paper. Fraudsters then become you. I've raised this with JC+ staff and just get a blank look. Hum. Round my local JC+ the less savvy types throw their letters (with said NI numbers, names and addresses on them) in the street. It would be quite easy for budding ID thieves to amass the necessary data. If I remember rightly some politico said that "there are a lot of National Insurance numbers that haven't been used". Also, if your number starts with the letters TN get a proper one sorted, as this is used for temporary purposes.

    @ Richard: lead lined cases are nothing new, but a foil lined wallet would set off some metal detectors.

  41. Anders Halling
    Boffin

    Umm..

    All this hysteria over a primary key?

    That's what this number is innit?

    The unique identifier allowing the nice immigration official to query a database and get back a result set of passport holders name, date of birth, place of birth, picture and fingerprint.

    If these results don't match with the person presenting the fake passport with the stolen RFID identifier, well the guy carrying it will be arrested. There will be a mismatch between the passport database and the person presenting the passport, warranting further checks.

    I agree that being able to skim these identifiers while the passport is in the owner's pocket is making things unnecessarily easy for the bad guys, but this is just one step on the way to being able to fake a passport, not the whole solution. They also need a way to insert false data into the database, or a way to take the database down. I presume that when the online system is down there will only be a checksum verification of the identifier in the passport.

  42. Anonymous Coward
    Jobs Halo

    The government is not.....

    sticking its head in the sand as you suggest in your article, it knows full well what the problems are but it wants to be able to track all citizens and as you also suggest it definitely does want to be able to scan a crowd and collect all protesters data. They will say that they need it to keep track of terrorists etc, but then so they did with RIPA which they then let every Council in the land abuse it to catch owners of dogs etc. I think the Government made a grave mistake in allowing such Abuse of RIPA because it both shows that they lie every time they speak and it will be thrown at them every time they try and bring in legislation.

    If they had acted decently with RIPA and kept it on a tight leash then they would have done themselves a favour. They didn't and will pay for that.

  43. Stuart Halliday
    IT Angle

    Having fun

    You could have fun with this at an Airport could you?

    Lots of people opening their passports there....

    Just put the equipment inside a large piece of luggage and drag it around!

  44. Andrew Meredith
    Stop

    Passport triggered car bomb

    Step one

    Borrow a taxi used in the airport run, replace the rear seat stuffing with semtex and fit a passport tuned RFID scanner set to trigger the detonator when a UK or US passport is on the seat. You don't even need to know who, just that the codes are of US or UK origin.

    There is no step two, particularly for the hapless tourist.

  45. Alan Brown Silver badge
    Coat

    Imagine the ramifications of RFID chips in money.

    It's been proposed for a while.

    Various tinfoil wearers are claiming the chips are already in US currency.

    One day not far in the future:

    *scan*

    "I won't mug this guy, he's not carrying anything"

    *scan*

    "Hey you, hand over the 250k you're carrying."

    Brave new world huh?

    Mine's the one with the foil lining, foil lined wallet and the foil-lined passport jacket.

  46. EdwardP
    Flame

    This is excellent!

    How is this a bad thing? It just means next year the big security companies can sell you Next-Big-Thing(tm) all over again!

    Why build a product that's going to last forever? Your customers'll only have to pay once.
