August 07, 2008
Osama bin Laden gets a cosmetic makeover in his British Vanity Passport
cwe points to this new way to improve your passport profile:
Using his own software, a publicly available programming code, a £40 card reader and two £10 RFID chips, Mr van Beek took less than an hour to clone and manipulate two passport chips to a level at which they were ready to be planted inside fake or stolen paper passports.
A baby boy’s passport chip was altered to contain an image of Osama bin Laden, and the passport of a 36-year-old woman was changed to feature a picture of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. The unlikely identities were chosen so that there could be no suggestion that either Mr van Beek or The Times was faking viable travel documents.
OK, so cost is what we track here at FC-central: we need 60 quid of parts, and let's call it 40 quid for the work. Add to that a fake or stolen passport, which seems to run to around 100 depending. Call it 200, all-up, for the basic package. The fake may possibly be preferred because you can make it with the right photo inside the jacket, without having to do the professional dicey slicey work. Now that the border people are convinced that the RFID chip is perfectly secure, they won't be looking for that definitively British feel.
Folks, if you are going to try this at home, use your own passport, because using fake passports is a bit naughty! There are all sorts of reasons to improve one's image, and cosmetics is a booming industry these days. Let's say we change the awful compulsory taliban image to a studio photo by a professional photographer. Easy relaxed pose, nice smile, and with your favourite Italian holiday scenes in the background. Add some photoshop work to smooth out the excess lines, lighten up those hungover dark eyes, and shrink those tubby parts off. We'll be a hit with the senior citizens.
We can also improve your hard details: for the 40-somethings, we'll take 10 years off your age, and for the teenager, we'll boost you up to 18 or 21. For the junior industry leader, we can add a title or two, and some grey at the side. Would you prefer Sir or Lord?
Your premium vanity upgrade, with all the trimmings, is likely to set you back around 500, and less if you bring your own base. Think of the savings on gym fees, and all the burgers you can eat!
One small wrinkle: there is a hint in the article that the British Government is offering these special personality units only until next year. Rush now...
Posted by iang at August 7, 2008 06:38 AM
Hmm, the article states that they were able to fool the Golden-Reader-Tool. I am not sure, but the Golden-Reader-Tool might not be interested in the validity as much as a border-control machine would be. (But on the other hand, perhaps some border-control machines are running Golden-Reader-Tools ;-)
Various of the comments on the articles are about how anything can be forged. Presumably the point of the chip was to significantly increase the cost of making forgeries (compared to non-chip passports).
This was somewhat like our periodic semi-facetious comments in the mid-90s about taking a $500 milspec chip and doing aggressive cost reduction by 2-3 orders of magnitude ... while at the same time actually increasing the security and integrity.
One of the problems we got into was that we got on the (EPC) RFID chip curve ... i.e. manufacturing costs are basically per wafer, cost per chip then has been improved by making smaller chips and/or larger wafers (i.e. more chips per wafer).
At the start of this decade, one of the problems was that the saw cuts to split wafers into individual (small) chips were taking more surface area than the actual chips (limiting increases in the number of chips/wafer and further chip cost reductions). New technology was eventually developed that made the cut surface area significantly smaller ... allowing significant increases in the chips/wafer (both for the ultra-small EPC RFID chips as well as our super-secure, super cheap chip).
This included ISO14443 (RFID) proximity ... "inches" ... not the "meters" that EPC RFID are spec'ed for.
Opposition MPs accused the Government last night of being naive in believing that new microchipped passports would be foolproof against criminals involved in identity theft.
After The Times disclosed that new passports could be cloned and manipulated in minutes and would then be accepted as genuine, MPs also gave warning of serious implications for the security of the Government's £4.7 billion identity card scheme.
The identity card project, which starts this year when cards are issued to foreign nationals from outside Europe, relies on microchips similar to those cloned in minutes by a computer researcher as part of tests conducted for The Times.
Chris Huhne, the Liberal Democrat home affairs spokesman, joined calls for the whole project to be scrapped. “The Government is clearly incapable of creating a criminal-proof gold standard for identity,” he said. ...
A Kiwi computer whiz is among a small group of international scientists to prove electronic passports can be easily copied, changed and passed off as genuine. Auckland University researcher Peter Gutmann found a way to program a new signature into an altered passport microchip allowing it to be recognised as authentic by the reading technology.
Gutmann, British computer expert Adam Laurie and Amsterdam academic Jeroen van Beek successfully copied the contents of a British boy's electronic passport to another chip and replaced his digital photograph with one of Osama bin Laden. The altered chip was reprogrammed with a signature key and recognised as genuine by the International Civil Aviation Organisation's passport reading software, UK's The Times newspaper reported.
Gutmann told the Sunday Star-Times his role in the experiment was "embarrassingly simple". His colleagues were credited with the more complex tasks of cloning and altering the chip's data which is meant to be secure. "It was a three-person effort."
The original story was actually the coverage in the UK Times last week, http://www.timesonline.co.uk/tol/news/uk/crime/article4467098.ece. It was a three-person effort, Adam Laurie did the RFID part (via RFIDIOt), Jeroen van Beek did the passport software implementation and tying the whole thing together, all I did was the signing. We never touched the passport chip, what we showed was that it's possible to create your own fictitious e-passport that's accepted as valid by the reference Golden Reader Tool. In other words we showed that what security researchers had been warning about ever since e-passports were first proposed was actually possible, following the l0pht's motto "Making the theoretical practical".
Jeroen presented the work at Black Hat'08, http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html#vanBeek.
.... Now, a member of the group The Hacker's Choice (THC) has built on that knowledge to describe how anyone can use some free software and cheap hardware to manipulate the personal data on a passport RFID tag. The hack comes accompanied by a video showing a machine in Amsterdam's airport reading Elvis Presley's personal information off a hacked chip.
The process, as described by someone going with the handle VonJeek, is pretty straightforward. Software that emulates passport RFID behavior, apparently written by van Beek, is uploaded onto a blank card. Using a free Python application, an existing passport's chip is read and the data transferred to the emulator. In the process, the bits that call for active verification of the encoded information can be shut off, limiting the verification process when the card is read in the future. Instructions for modifying the information prior to uploading it are also provided.
The instructions come with a video of the hacked card in action at the Amsterdam airport. At a self-service boarding pass machine, the hacker slipped the modified RFID card into his passport, and placed it in a scanning device. Up popped Elvis on the screen. ....
.... Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:
1. The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single points of failure are not good. Attractive targets are not good.
Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.
2. The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.
3. Multiple CAs would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B.
This option also multiplies the number of 'juicy' targets. It also makes it more likely for a CA key to leak. Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected. ....
We knew it was coming, right?
-------- Original Message --------
Subject: [announce] THC releases video and tool to backup/modify ePassports
Date: Mon, 29 Sep 2008 10:00:26 +0000
29th September 2008
THC/vonJeek proudly presents an ePassport emulator. This emulator applet allows you to create a backup of your own passport chip(s).
A video demonstrating the weakness is available at
The government plans to use ePassports at Immigration and Border Control. The information is electronically read from the Passport and displayed to a Border Control Officer or used by an automated setup. THC has discovered weaknesses in the system to (by)pass the security checks. The detection of fake passport chips is no longer working. Test setups do not raise alerts when a modified chip is used. This enables an attacker to create a Passport with an altered Picture, Name, DoB, Nationality and other credentials.
This manipulated information is displayed without any alarms going off. The exploitation of this loophole is trivial and can be verified using thc-epassport.
Regardless how good the intention of the government might have been, the facts are that tested implementations of the ePassports Inspection System are not secure.
ePassports give us a false sense of security: We are made to believe that they make us more secure. I'm afraid that's not true: current ePassport implementations don't add security at all.
vonjeek [at] thc dot org
The Hackers Choice
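The trust question running through the comments above (Gutmann's "all I did was the signing", THC's points 1 to 3) comes down to what an inspection system does after it has confirmed that the SOD signature is mathematically valid. The Go program below is an added example written for this page; it is not thc-epassport, not the Golden Reader Tool, and not the code used in the Times test. It keeps only the trust model of passive authentication in a cut-down form: two data groups, a SHA-256 hash over their hashes signed with ECDSA P-256, and real X.509 CSCA and Document Signer certificates built with Go's standard library. It then compares two readers: a weak one that accepts any Document Signer chaining to any CSCA it trusts, and a strict one that binds the CSCA to the issuing state in the MRZ. The MRZ layout assumed (issuing state at bytes 2..4 of line 1), the fictitious second state "ZZZ", the DG contents and the function names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cut-down e-passport: DG1 is the MRZ (issuing state at bytes 2..4), DG2 the
// face image; the SOD is a Document Signer (DS) signature over the DG hashes and
// the DS cert chains to a national CSCA. Real passports use ASN.1 (LDS/CMS).
type Passport struct {
	DG1, DG2 []byte
	Sig      []byte // DS signature over sha256(sha256(DG1) || sha256(DG2))
	DS       *x509.Certificate
}
func must(err error) {
	if err != nil {
		panic(err)
	}
}
// makeCert builds a self-signed CSCA (parent == nil) or a DS cert signed by parent.
func makeCert(country string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject: pkix.Name{Country: []string{country}}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CSCA
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}
// sodDigest is what the DS signs: a hash over the two data-group hashes.
func sodDigest(dg1, dg2 []byte) []byte {
	h1, h2 := sha256.Sum256(dg1), sha256.Sum256(dg2)
	d := sha256.Sum256(append(h1[:], h2[:]...))
	return d[:]
}
// Personalize signs the data groups with the DS key (the step Gutmann supplied).
func Personalize(dg1, dg2 []byte, ds *x509.Certificate, dsKey *ecdsa.PrivateKey) Passport {
	sig, err := ecdsa.SignASN1(rand.Reader, dsKey, sodDigest(dg1, dg2))
	must(err)
	return Passport{DG1: dg1, DG2: dg2, Sig: sig, DS: ds}
}
// Verify runs passive authentication. The signature check is what every reader
// gets right; it says nothing about WHO the DS is. bindToMRZ=false trusts any CSCA
// in the store (THC's point 3); bindToMRZ=true allows only the MRZ state's CSCA.
func Verify(p Passport, csca map[string]*x509.Certificate, bindToMRZ bool) error {
	pub, ok := p.DS.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, sodDigest(p.DG1, p.DG2), p.Sig) {
		return fmt.Errorf("SOD signature does not verify over the data groups")
	}
	if len(p.DG1) < 5 {
		return fmt.Errorf("DG1 too short to carry an MRZ")
	}
	roots, state := x509.NewCertPool(), string(p.DG1[2:5])
	for country, ca := range csca {
		if !bindToMRZ || country == state {
			roots.AddCert(ca)
		}
	}
	if c := p.DS.Subject.Country; bindToMRZ && (len(c) != 1 || c[0] != state) {
		return fmt.Errorf("DS country %v != MRZ issuing state %q", c, state)
	}
	_, err := p.DS.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// Scenario: a GBR passport, a photo swap without re-signing, and a re-sign under ZZZ.
func Scenario() map[string]bool {
	gbrCA, gbrCAKey := makeCert("GBR", nil, nil)
	gbrDS, gbrDSKey := makeCert("GBR", gbrCA, gbrCAKey)
	zzzCA, zzzCAKey := makeCert("ZZZ", nil, nil) // constructed second state the reader also trusts
	zzzDS, zzzDSKey := makeCert("ZZZ", zzzCA, zzzCAKey)
	store := map[string]*x509.Certificate{"GBR": gbrCA, "ZZZ": zzzCA}
	// Constructed DG1/DG2 stand-ins (not a real MRZ line or JPEG).
	genuine := Personalize([]byte("P<GBRBOY<<BABY<<<<<<"), []byte("jpeg:baby"), gbrDS, gbrDSKey)
	tampered := genuine // photo swapped, original SOD kept
	tampered.DG2 = []byte("jpeg:bin-laden")
	forged := Personalize(tampered.DG1, tampered.DG2, zzzDS, zzzDSKey) // same data, re-signed under ZZZ
	out := map[string]bool{}
	for name, p := range map[string]Passport{"genuine": genuine, "tampered": tampered, "forged": forged} {
		out[name+"/weak"] = Verify(p, store, false) == nil
		out[name+"/strict"] = Verify(p, store, true) == nil
	}
	return out
}
func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-16s accepted=%v\n", k, v)
	}
}
```

The "tampered" case shows why the Times team needed a signing step at all: swapping the photo alone breaks the SOD signature and both readers reject it. The "forged" case is THC's point 3 in code: the weak reader accepts a GBR data set vouched for by the ZZZ CSCA, the strict reader refuses because the MRZ names a state whose CSCA did not sign the Document Signer. Binding the trust anchor to the issuing state does nothing against THC's point 1, a leaked or abused key of the issuing state's own CSCA.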