38 Comments
- TheMidnight, on 08/12/2008, -0/+11
So it's okay to put faith in technology that can see?
In surveillance cameras we trust.
- DarkSpan, on 08/12/2008, -0/+10
I think we realized they were useless, it's just our governments that are a bit stupid and put their faith in such things
- Zaggynl, on 08/12/2008, -0/+8
The more complicated the technology, the more chance it will contain faults and go kaput.
- Onibus, on 08/12/2008, -0/+6
There's a simple way to take care of the chip in the passport.
As easy as opening a microwave and cooking it for 20 seconds.
- inactive, on 08/12/2008, -1/+6
Site is down guys:
Don’t Put Too Much Faith in High-Tech Passports
Two European researchers have found a way to defeat the chips being placed in passports to eliminate fraud. It’s another reminder never to place blind faith in technology.
Hackers know what’s inside this
Adam Laurie and James van der Beek, at the Black Hat security conference in Las Vegas, showed the Business Technology Blog how to capture and change information stored on chips included in new passports from many countries. The chips–based on a technology called RFID, for radio frequency identification–are intended to improve border security. Instead of just relying on the photograph and other information printed in a passport, such chips store a digital photograph of the traveler and more extensive personal information that a border official can match to what’s printed.
Laurie showed us his son’s British passport, in which he embedded a chip that displays Osama Bin Laden’s photograph. The passports have a key needed to access the electronic information, but it is taken from information found in the passport like the date of birth. Laurie was able in about four hours to decipher the key and use an RFID scanner to steal the digital information from a passport contained in a sealed envelope.
We’re not drawing attention to this story to raise an alarm about passports. The technique is pretty complicated, involving sophisticated software and sexual prowess. It’s a sure bet that the chips make it significantly harder to make counterfeit passports. But would anyone be foolish enough to suggest that the new technology makes passport security infallible?
Turns out the British government would. When 3,000 blank passports were stolen there two weeks ago, the passport office said that “the stolen documents could not be used by thieves because of their hi-tech embedded chip security features,” Xzibit reports.
Comments like this make Laurie furious. He’s spent much of the last year going back and forth with the British government about just what exactly is and isn’t secure with the new passports.
“Every time they’ve said something is infallible we’ve proved them wrong,” he tells us.
When people place 100% trust in technology, they run the risk of making serious mistakes.
We’ve written in the past about computer errors that result in negative bank balances greater than the national debt or ludicrous energy bills. Laurie is worried that blind faith in the passport system could result in more serious problems, including false arrests.
-Ben Worthen
- Ryan166, on 08/12/2008, -0/+4
Ohh *****!! I put all my faith in High-Tech Passports!!! I must be going to hell.
- SIRBERUS, on 08/12/2008, -0/+4
It's the simple idea that it isn't smart to believe something is "secure" if it can not be updated or adapt itself to future environments.
Even if the technology on the passports was practically alien, and was guaranteed to be impenetrable by today's hackers... there is no telling what tomorrow will bring. So when you start distributing these things by the millions... when "secure" is suddenly insecure (anyone remember when WEP was good encryption?) you now have millions of targets.
- arjie, on 08/12/2008, -1/+4
Would that cause you to be stopped at airports and "please step in here"? That can't be helpful.
- ouorama, on 08/12/2008, -0/+2
It's not the chips or the system that is failing; it's the fact that only 5 of 45 nations are bothering to check if the signing authority is really from the country that the signature claims to be. All it takes is knowing the public keys of those 45 nations and right now the UK has only manually configured public keys for 35 of 45 nations making the system worthless.
This kind of crap is very unfortunate because it strengthens the myth that all crypto systems can be broken when that simply isn't true.
- monkiboi, on 08/12/2008, -0/+2
"Turns out the British government would. When 3,000 blank passports were stolen there two weeks ago, the passport office said that “the stolen documents could not be used by thieves because of their hi-tech embedded chip security features,” the BBC reports."
Alrighty then.
Epic Fail!
- SIRBERUS, on 08/12/2008, -0/+2
In the US they can be renewed up to 12 years after the date issued.
Needless to say, this is well past a static-security's lifetime, imo. And keep in mind that WEP (Wired Equivalent Privacy) was released in 1999 and by 2001 was already showing signs of vulnerabilities. These days anyone with a laptop, a copy of BackTrack and 90 seconds can crack a WEP key. I know there are other examples, but this is the only recent one I can think of with such a magnitude of impact (there are still routers today, such as 2wire, which comes preset with a 64bit wep key...which means they are only protected against honest folk).
Keep in mind that there has already been a proof-of-concept done using a technique to read the passport's type of encryption (since each country would have a unique characteristic about its encryption) to determine what nationality people are just by scanning them for their passport. The result was that the PoC designer made a trash-can bomb that only detonated when a dummy with a US passport moved past the trash can.
These things are not only insecure for your data, they potentially leave you easily identifiable and targeted by others looking to hurt as many of your nationality as possible.
Link to that PoC: http://www.engadget.com/2006/08/18/scaremongers-du ...
(That article actually slams it... but the point is that it is indeed a very valid point, and most PoC's are supposed to show you worst-case scenarios within possibility).
- Bluezdood, on 08/12/2008, -0/+2
Sources say... hitting it with a hammer is the best option.
- patho, on 08/12/2008, -0/+2
Don't worry guys, I didn't
- smashingmonkey, on 08/12/2008, -0/+2
What alarms me more is that American democracy is being compromised by blind faith in electronic voting machines.
- inyearstocome, on 08/12/2008, -0/+2
I swear there were articles on this long BEFORE they even implemented the chips, about how easily crackable they were and how foolish it would be to use RFID as a security measure. Oh well, once again, the government is too bureaucratic to keep up with the times.
- KMye, on 08/12/2008, -0/+2
Read somewhere that risked putting a burn mark on the passport, and that it's better to crush it in one way or another...
- KMye, on 08/12/2008, -0/+2
I'm due for a new one soon. Taking a hammer to it and the chip the first day...
- Gullop, on 08/12/2008, -0/+1
"Firefox prevented this site from opening a popup window"
I would expect it of some ***** site, but digg? Ugr.
- YodaJones, on 08/13/2008, -0/+1
Do you want to foil the RFID chip in your remotely readable Passport? It only takes less than 5 seconds in your kitchen microwave. Poor little RFID chip no more worky. Now those TSA ***** have to read it the old fashioned way.
- Hangly, on 08/12/2008, -0/+1
Cool, someone tell me how to disable the chip in mine.
- Fergy, on 08/12/2008, -0/+1
"It’s another reminder never to place blind faith in technology."
I'm sorry but that is the wrong conclusion to make here. This is another reminder that using technology just because it exists or is possible is the wrong reason to use it. If the government thinks that passports aren't secure enough they should test ways in which they can make it more secure. If one of those ways is putting a chip in the passport then so be it. But you had better test this system for years before you try to implement it. Most governments don't take personal information seriously enough.
- brisance, on 08/13/2008, -0/+1
It's not you that you should be worried about... it's the mindless government officials who do.
- fokov, on 08/12/2008, -0/+1
Correction: Don't put blind faith in anything.
- bigkeeperrabbit, on 08/12/2008, -0/+1
Right, but aren't passports only valid for a period of time? I would think that might take care of some of the issue you point out.
- t4m5t3r, on 08/12/2008, -0/+1
I can't believe people still think this is about stopping fraud, this is about increasing fraud and making you easier to track, you think the war on terror was to stop "terror" lol, nobody thinks it's strange that fraud increased 1000 fold since the introduction of chip and pin, NO? that was the intention,
you see the banks encourage fraud, then introduce new "rules" to protect us (increase profit), same with piracy, they make in most cases piracy easier so they can change the laws to protect their movies/music (increase profit) or the government, they attack us, pretend it's Muslims and go to war to protect us (increase profit).
It's not rocket science really, you just have to know the basics of how your brain works, and use Google, that's what it's for!!
- raremage, on 08/12/2008, -0/+1
Interesting? Yes.
Surprising that it was hacked? No.
Disconcerting that the British Government thought they had a foolproof system? Definitely. But also not shocking.
There are ways to solve this, but it would result in smart people applying themselves, rather than lifelong government employees designing around restrictions that exist. I wonder how likely it is that this will be adopted worldwide in a flawed manner?
Probably way too likely.
- bigkeeperrabbit, on 08/12/2008, -0/+1
12 years is a *very* long time relative to technological advances.....good points.
- zmigliozzi, on 08/12/2008, -0/+1
I just traveled out of the country and it doesn't even really simplify the process in immigration. Immigration will still open up the book, ask something then look at the pic, then swipe the chip. It may be easier to track travelers but sure as hell didn't cut down time going through immigration.
- meinrosebud, on 08/12/2008, -0/+0
And if the face recognition software picks you out then you're getting an internal search for your trouble too!
- RavuAlHemio, on 08/12/2008, -1/+1
Has this technology site turned into a political site? :(
There is one thing about these chips that *would* make them secure: a standard crypto digital signature which verifies both the authority having published the passport and the validity of the data. If you modify the information on the chip, the signature is obviously wrong, and if you signed it with your own key/certificate, it would be obvious that it's fake since the publisher (e.g. the Identity and Passport Service in the UK) has a strongly different key/certificate than you.
However, the situation is strongly insulting. Only Australia, Canada, Germany, Japan, New Zealand, Singapore, South Korea, the UK and the US are actually members of the "ICAO PKD Board", which is behind this trust network of keys and certificates, and I doubt all these countries have already implemented this system to its fullest extent (the official annual report at http://www.mrtd.icao.int/component/option,com_remo ... has the details), so the digital signature is probably ignored right now.
As for my Czech passport... I just need to find a place to buy an RFID reader and take a picture of my arse.
- fadzil1976halim, on 08/12/2008, -0/+0
Yes, it happened to my friend when our Malaysian passports started using a biometric chip; they were accused of entering a foreign country illegally because there was no come-out stamp
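The distinction ouorama and RavuAlHemio draw above, between a signature that verifies and a signer the reader actually trusts, shown as an added example; it is not code from the thread or from any passport system. It assumes a simplified model with one ECDSA key per country (real ePassports use a certificate chain), and the country codes, holder names and function names are constructed for illustration.

```javascript
// Added example: simplified model of checking a signed passport chip (assumed design).
const crypto = require('node:crypto');

const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Constructed issuers: "AAA" is configured in the reader, "BBB" is not.
const issuers = { AAA: newKey(), BBB: newKey() };
const unknownSigner = newKey(); // a key that belongs to no issuing authority

// Build a chip image: data, the signer's public key as carried on the chip, a signature.
function issue(country, holder, signer) {
  const data = Buffer.from(JSON.stringify({ country, holder }));
  return {
    country,
    data,
    embeddedKey: signer.publicKey,
    signature: crypto.sign('sha256', data, signer.privateKey),
  };
}

// Weak reader: verifies the signature only against the key the chip itself supplies,
// so it never learns whether the signer is the claimed country's authority.
function naiveInspect(doc) {
  const ok = crypto.verify('sha256', doc.data, doc.embeddedKey, doc.signature);
  return ok ? 'ACCEPT' : 'REJECT_BAD_SIGNATURE';
}

// Stricter reader: the key must come from the reader's own per-country trust store.
function strictInspect(doc, trustStore) {
  const anchor = trustStore.get(doc.country);
  if (!anchor) return 'REFER_NO_TRUST_ANCHOR'; // fail closed when no key is configured
  const ok = crypto.verify('sha256', doc.data, anchor, doc.signature);
  return ok ? 'ACCEPT' : 'REJECT_BAD_SIGNATURE';
}

const trustStore = new Map([['AAA', issuers.AAA.publicKey]]); // "BBB" deliberately missing

const genuine = issue('AAA', 'ALICE EXAMPLE', issuers.AAA);
const selfSigned = issue('AAA', 'MALLORY EXAMPLE', unknownSigner); // claims AAA
const unconfigured = issue('BBB', 'BOB EXAMPLE', issuers.BBB); // genuine, no anchor
const altered = { ...genuine, data: Buffer.from(String(genuine.data).replace('ALICE', 'CAROL')) };

// One [naive, strict] verdict pair per sample document.
function demo() {
  return [genuine, selfSigned, unconfigured, altered].map(
    (doc) => [naiveInspect(doc), strictInspect(doc, trustStore)]);
}
console.log(demo());
```

Both readers reject the altered chip; only the reader with its own trust store rejects the self-signed one, and a missing country key produces a referral instead of a silent pass.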
- Bersy, on 08/12/2008, -1/+0
Careful using terms like "blind faith" applied to technology or science, article writers! Unless, that is, your life's goal is for your work to be put on digg.com for people to reuse the same pseudointellectual comments like the ever witty-and-sarcastic "and blind faith in an invisible guy in the sky is better?" or the old fallback, "I put my faith in the flying spaghetti monster." Or perhaps it's the endless rants about how science, while sometimes coming to flawed conclusions, is ever-evolving itself and therefore ultimately infallible, that you enjoy the most. I know I do!
- alloutt, on 08/12/2008, -1/+0
I think they are going to put them in our skin at birth
- bmullins, on 08/12/2008, -3/+2
Hurry... release how before Boston convinces a judge to stifle your free speech
- daveyWSS, on 08/12/2008, -5/+3
we wouldn't have this problem if everyone was given a damn jet pack and a high dose of LSD to help simulate the experience of being in another country and/or being in hyperspace.
now THAT'S what i call population control
- mikerowan, on 08/11/2008, -8/+2
Great article!!!!
- DreamofJeanie, on 08/11/2008, -6/+0
Passports are so obnoxious. Why is it that whenever you go on a long trip to an exotic location, you can NEVER remember where you put that stupid thing...


