Cloning passport card RFIDs
February 3, 2009 2:32 PM   Subscribe

Passport RFIDs cloned wholesale by $250 eBay auction spree. "Using inexpensive off-the-shelf components, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next generation drivers licenses. The $250 proof-of-concept device - which researcher Chris Paget built in his spare time - operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. During a recent 20-minute drive in downtown San Francisco, it successfully copied the RFID tags of two passport cards without the knowledge of their owners." [Via]
posted by homunculus (24 comments total) 13 users marked this as a favorite
"The cards make use of the RFID equivalent of optical barcodes known as electronic product code tags, which are widely used to track cattle and merchandise as it's shipped and then stored in warehouses."

Cattle, or merchandise?

posted by Kirth Gerson at 2:36 PM on February 3, 2009

Time for that tinfoil wallet, I guess.
posted by rtha at 2:37 PM on February 3, 2009 [2 favorites]

Revelations says nothing about the mark of the Beast containing security vulnerabilities. This must be a hoax.
posted by cimbrog at 2:47 PM on February 3, 2009 [5 favorites]

We will soon see bombs programed to detonate when Americans walk by.
posted by jeffburdges at 2:48 PM on February 3, 2009 [10 favorites]

You know what would be fantastic? The government puts out a call for for a new device etc, like these RFID passports and gets samples and specs from a bunch of companies. Then they open the specs to the public with a significant bounty on bugs and security flaws. When these are discovered the companies get a chance to fix the problem and the cost of the bounties is subtracted from the final price the government is willing to pay.

I know it's not a new idea, and certainly has it's own flaws but damn.

Oh, and these passports are manufactured overseas which opens up a whole other security risk on top of transporting them around the US.
posted by Science! at 2:49 PM on February 3, 2009 [1 favorite]

widely used to track cattle

Hey! That's no way to talk about shoppers!

My local library uses RFID to do the checkout. Nineteen Eighty-Four has an RFID sticker identifying it as such. Fun, fun, fun.
posted by Sys Rq at 2:52 PM on February 3, 2009 [1 favorite]

Oh, and the new passports look like shit. I spent some time taking my own poloroids of my wife and I for our new passports. Sent them in clipped to the paperwork and got my passport back only to see that they scan in the print and print it directly onto the bluish paper of the passport. It looks like crap. Like you used a crappy inkjet to print a photo onto crappy paper.

Plus, now, when I go to foreign countries, bombs detonate when I walk by.
posted by JBennett at 2:56 PM on February 3, 2009 [2 favorites]

RFID blocking wallet and passport.

Seems less paranoid to do so now, but when I bought these last year it was strictly for the geek-factor of having a Faraday cage in my pants. Oh, the women I have failed to pick up with that line...
posted by Enema Bag Jones at 2:58 PM on February 3, 2009 [2 favorites]

rtha, if you want to sound less paranoid, call it a "RFID secure wallet" (via).

Or as another Slashdot poster noted: just use an Altoids-type tin.

Or else you could alter your e-passport to crash passport readers, or just give yourself a pompadour.
posted by filthy light thief at 2:59 PM on February 3, 2009 [1 favorite]

This problem has been obvious -- and widely discussed -- since the pols first floated RFID passports. And yet it hasn't made a dent in their enthusiasm. It's almost as though they're a bunch of assholes.
posted by grobstein at 3:03 PM on February 3, 2009 [8 favorites]

It's almost certainly illegal but a well-placed hammer strike will likely take the RFID chip out of commission without leaving a mark on the paper itself.

Or so I'm told.
posted by Skorgu at 3:03 PM on February 3, 2009 [1 favorite]

Microwave your passport. In a few years, Homeland Security will have made it illegal to travel, anyway.
posted by Blazecock Pileon at 3:07 PM on February 3, 2009

I'm all good with sounding paranoid, filthy light thief, especially since They are out to get me. But googling "RFID secure wallet" makes it easier to find what I want!

NB: first Google hit for "tinfoil wallet" is previously, on metafilter!
posted by rtha at 3:12 PM on February 3, 2009

One thing to note is that this is the passport card, not the traditional passport, which is ostensibly safe from an attack like this:

Before such a passport can be read, it has to be physically opened. It is a simple and effective method for reducing the opportunity for unauthorized reading of the passport at times when the holder does not expect it. ~Electronic Passport FAQ

But yeah.
posted by niles at 3:16 PM on February 3, 2009

I'll tell you the exact moment a story like this gets traction: when it's done to a politician or when it's done by someone who actually pulls off a terrorist attack.

At that moment the full weight of security theater will come crashing down on this. Because that tends to be the way this sort of things works.

But until then, we can be safe because the only people that are capable of doing something like this are techie weirdos and hackers. Right?
posted by quin at 3:27 PM on February 3, 2009

Just wait till this technology gets in the hands of the tourists.
posted by grounded at 3:34 PM on February 3, 2009 [4 favorites]

Perhaps the only way to draw interesting attention to this is to have some kind of "art installation" at airports and other places with a reasonable percentage of international traffic. Whenever the installation (perhaps a 4-faced Big Ben with monitors instead of clockfaces) detects a password, it grabs the JPEG2000 image of the person who owns the passport, puts it on all four "faces," then bellows out a reasonable approximation of their name.

The remaining message could be something as innocuous as "Welcome to Our Country!" (or, alternately, if the installation detects that you're a local) "Bon Voyage!" And for every one in roughly 365 travelers, it says "Happy Birthday!" in their language of choice.

Throw some of these puppies up at museums with a little placard explaining that the information was pulled from their passports; it should take no more than fifty of them to cause a prompt freakout.
posted by adipocere at 4:41 PM on February 3, 2009 [5 favorites]

grounded wins the thread, with extra points for subtlety AND eponysterical-ness.
posted by sfts2 at 5:48 PM on February 3, 2009

New passport with RFIDs US$ 50
Passport RFIDs cloning device $250
Aluminum foil around your passport to protect your privacy....priceless
posted by yoyo_nyc at 6:45 PM on February 3, 2009

JBennett: GOD YES, the new passports are fugly. The old one felt like an actual government document. The new one is filled with tacky Thomas Kinkade-esque paintings which completely ruin the legibility of the stamps because the color of the background pictures (on every single page, mind you) is too strong, and filled with too many smarmy pat-self-on-the-back American platitudes about freedom.
posted by amuseDetachment at 8:08 PM on February 3, 2009

This sort of thing has been discussed by hacker types (as in "cleverly subverting technology", not "executing prefab scripts") for a while now. This guy may be the first to actually implement the theory, but it's more likely that he's just the first to go public with it. You can build a device like his out of parts from SparkFun. In fact, it sounds like a fun project, I might give it a try.
posted by DecemberBoy at 9:20 PM on February 3, 2009

The distopian future I was promiced is not dissapointing. How long until I can break the ICE on other people's credit chips with my wifi deck?
posted by fuq at 8:49 AM on February 4, 2009

« Older Ladyless porn for Ladies   |   Wishful Blogging Newer »

This thread has been archived and is closed to new comments