Software Lets Users Manipulate Passport Data

A security researcher has published a software tool that makes it easy to copy and modify identification data encoded onto the computer chips embedded in passports issued by the United States and dozens of other countries.

Jeroen van Beek, a security researcher at the University of Amsterdam, discussed his work at the Black Hat security conference in Las Vegas last month, but only this week released the tool that allows anyone to manipulate data on the passport chips.


The attack is targeted at electronic passports or "e-passports." According to the U.S. State Department, the United States stopped issuing passports without the chips in August 2007. Close to four dozen other countries also issue e-passports, which are designed around an open international standard.

The information on the chips - name, date of birth, passport number, photo, etc. - is designed to be read wirelessly by a radio frequency identification (RFID) reader.

In a demo given to The Times Online, van Beek showed how his tool could be used to clone and manipulate the data chips so that they could be planted inside a fake or stolen passport to mask the identity of the passport holder. From that Times story:

Building on research from the UK, Germany and New Zealand, Mr van Beek has developed a method of reading, cloning and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organisation to test them. It is also the software recommended for use at airports.

A baby boy's passport chip was altered to contain an image of Osama bin Laden, and the passport of a 36-year-old woman was changed to feature a picture of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. The unlikely identities were chosen so that there could be no suggestion that either Mr van Beek or The Times was faking viable travel documents.

Conceivably, a terrorist or wanted criminal seeking to travel under another name could use van Beek's tools and method to forge documents because of a widespread lack of security checks needed to enforce the international e-passport standard.

The data encoded on the e-passport chips is signed with cryptographic keys held by the issuing country - thus allowing the issuing country to tell if a citizen had altered the data on the device. The problem is that only 10 of the 45 countries that issue e-passports have agreed to share the public keys that are needed to test the integrity of the data on one another's passport chips. Worse still, only five countries are actively sharing the data.

As a result, someone who has changed the name or swapped in a new photo on an e-passport chip can simply sign the information using his own personal cryptographic key, and relatively few countries would be able to detect the manipulation, said Adam Laurie, a freelance security researcher with, a site that hosts software and research designed to expose holes in RFID technology.

"This is the big problem with the whole thing: It relies on checking the digital signatures of the content on the passport, but if nobody's checking those signatures, you can't tell if the data is legitimate," Laurie said.
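The signature check described above, sketched as an added example (not code from the article, the researchers, or any passport software): Ed25519 stands in for the real signature algorithms, and the `Chip` layout, the country code "XA" and all sample data are constructed. It shows why a chip that verifies against the key it carries proves nothing about origin unless the reader also holds the issuing country's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type Result string

const (
	Valid        Result = "VALID"         // hashes match and the chain ends at a trusted country key
	Tampered     Result = "TAMPERED"      // chip data does not match the signed hashes
	BadSignature Result = "BAD_SIGNATURE" // a signature in the chain does not verify
	Unverifiable Result = "UNVERIFIABLE"  // no trusted key on file for the issuing country
)

// Chip is a simplified model of what a reader pulls off an e-passport chip.
type Chip struct {
	Country    string
	DataGroups [][]byte          // identity text, photo, ...
	Hashes     [][32]byte        // one SHA-256 per data group
	SignerKey  ed25519.PublicKey // signer's public key, carried on the chip itself
	SignerCert []byte            // country key's signature over SignerKey
	Signature  []byte            // signer's signature over the hash list
}

func hashList(hs [][32]byte) (out []byte) {
	for _, h := range hs {
		out = append(out, h[:]...)
	}
	return out
}

// Issue builds a sample chip (constructed test fixture, not a real document format).
func Issue(country string, countryKey, signerKey ed25519.PrivateKey, dgs ...[]byte) Chip {
	c := Chip{Country: country, DataGroups: dgs}
	for _, dg := range dgs {
		c.Hashes = append(c.Hashes, sha256.Sum256(dg))
	}
	c.SignerKey = signerKey.Public().(ed25519.PublicKey)
	c.SignerCert = ed25519.Sign(countryKey, c.SignerKey)
	c.Signature = ed25519.Sign(signerKey, hashList(c.Hashes))
	return c
}

// ChipOnlyCheck uses nothing but material found on the chip: it proves internal consistency, not origin.
func ChipOnlyCheck(c Chip) Result {
	if len(c.Hashes) != len(c.DataGroups) {
		return Tampered
	}
	for i, dg := range c.DataGroups {
		if sha256.Sum256(dg) != c.Hashes[i] {
			return Tampered
		}
	}
	if len(c.SignerKey) != ed25519.PublicKeySize || !ed25519.Verify(c.SignerKey, hashList(c.Hashes), c.Signature) {
		return BadSignature
	}
	return Valid
}

// Verify adds the origin check: the on-chip signer key must be certified by the country key in the trust store.
func Verify(c Chip, trust map[string]ed25519.PublicKey) Result {
	if r := ChipOnlyCheck(c); r != Valid {
		return r
	}
	anchor, ok := trust[c.Country]
	if !ok {
		return Unverifiable // fail closed: never report this as Valid
	}
	if !ed25519.Verify(anchor, c.SignerKey, c.SignerCert) {
		return BadSignature
	}
	return Valid
}

// Demo runs constructed sample chips for a made-up country code "XA" through both checks.
func Demo() map[string]Result {
	countryPub, countryKey, _ := ed25519.GenerateKey(nil) // issuing country's key pair
	_, signerKey, _ := ed25519.GenerateKey(nil)
	_, otherCA, _ := ed25519.GenerateKey(nil) // keys that do not belong to the issuing country
	_, otherSigner, _ := ed25519.GenerateKey(nil)
	genuine := Issue("XA", countryKey, signerKey, []byte("DOE<<JANE 1980-01-01"), []byte("photo-A"))
	edited := genuine // data changed after issuance, hashes left alone
	edited.DataGroups = [][]byte{[]byte("DOE<<JOHN 1980-01-01"), []byte("photo-A")}
	resigned := Issue("XA", otherCA, otherSigner, []byte("DOE<<JOHN 1980-01-01"), []byte("photo-B"))
	shared := map[string]ed25519.PublicKey{"XA": countryPub} // reader holds XA's public key
	return map[string]Result{
		"genuine, key shared":       Verify(genuine, shared),
		"edited, key shared":        Verify(edited, shared),
		"re-signed, chip only":      ChipOnlyCheck(resigned),
		"re-signed, key shared":     Verify(resigned, shared),
		"re-signed, key not shared": Verify(resigned, nil), // empty trust store
	}
}

func main() { fmt.Println(Demo()) }
```

A reader that collapses `UNVERIFIABLE` into `VALID` reproduces the gap Laurie describes.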

Following the 9/11 attacks, the United States told other countries they would have to adopt the e-passport system if they wanted their citizens to avoid applying for visas every time they wanted to enter the country. But Bruce Schneier, a renowned cryptography expert who serves as chief security technology officer for the British telecommunications giant BT, said the lack of an international system for checking the signatures actually makes the entire system less secure because countries are bound to place a higher degree of trust in the newfangled passports.

"In this case, the authority for the thing is the thing itself: It's like my giving you an ID card and saying it's valid only because I say it's valid," Schneier said.

For its part, the State Department says the e-passports will be supplemented by other security technologies. For example, the inclusion of the digital photograph on the e-passport chip enables biometric comparison, through the use of facial recognition technology at international borders, the government says.

But in an op-ed published in The Washington Post, Schneier warned that researchers would likely discover even more security weaknesses that could be used to defeat the security of the e-passport system.

"The security mechanisms on your passport chip have to last the lifetime of your passport," Schneier wrote. "It is as ridiculous to think that passport security will remain secure for that long as it would be to think that you won't see another security update for Microsoft Windows in that time."

Update, Oct. 1, 7:32 a.m.: An earlier version of this story incorrectly stated the date of the Washington Post op-ed article by Bruce Schneier. It was published in 2006.

By Brian Krebs  |  September 30, 2008; 5:39 PM ET


Schneier's op-ed is 2 years old

Posted by: NikTesla | September 30, 2008 6:48 PM | Report abuse

If it involves electronics, it WILL be hacked. There is no such thing as e-security. The latest is barcode cloning and hf clones, fooling POS systems. I am amazed that this practice is not more widespread. As far as I am concerned, and I work in High security fields, there are only 3 reliable standards: Finger Prints, Iris Scans and DNA, and even the last is subject to error in the case of multiple births. I personally was able to bypass security measures at Airports and Borders, by just "Jiving the Agents".

Posted by: AF Colonel | September 30, 2008 6:51 PM | Report abuse

I've been saying this for years: RFID is a dumb idea. Even before this, I worried about an open standard that allows anyone near you to look who you are and decide if you are a good kidnapping prospect, etc.

Now this... Can they change the information at a distance? I don't see why not. How long until someone alters hundreds of these things as a prank? One day, everybody flying out of BWI is now "officially" Bozo The Clown? Paper passports were fine for a century - don't "fix" what ain't broke.

And speaking of which, now "RealID" is coming along and soon we will all have non-secure RFID drivers' licenses, too. Lovely!

Posted by: dj333 | September 30, 2008 7:04 PM | Report abuse

This is even better control of individuals than the Gestapo, KGB, or Stasi were able to manage.

For years, friends of the administration have been making money on bioidentikits without making us safer - the r&d and implementation are making millionaires, but are not making us secure.

In America, unlike medieval Europe, it is legal to be anonymous - outdoors after dark without having to identify yourself UNLESS you are doing something wrong.

Cheney's pals are capturing private information that will be used commercially and in the black security sector - and shame on us all for rolling over for this loss of liberty.

Posted by: Mom | September 30, 2008 7:14 PM | Report abuse

Another LOSS in the war on terror. If this isn't a capital crime it should be.
Just like that Kahn guy that spread nuclear bomb making technology and we did nothing, when we should have killed him as soon as we got wind of what he was doing.
When we find out who these people are, just kill them.
Done. Finito, end of problem.
Just like a f***ing cockroach.

Posted by: Tomhere | September 30, 2008 7:20 PM | Report abuse

This is very scary because if these very secure documents are not tamper proof, what does this say about the integrity of our electronic balloting?

Posted by: rsc phila. | September 30, 2008 7:21 PM | Report abuse

Look, you idiots, you can't throw a perfectly good security system away just because it doesn't work!!

Think of all the investment in it! Think of the job losses!

What's needed is a big project to fix the little glitch there. And then fix that new version. Employment (and profits) forever.

Posted by: Greenpa | September 30, 2008 7:27 PM | Report abuse

So pardon me, but which is better? Or which is less safe? A new, because it has a chip, hackable passport? Or an old, it doesn't have a chip so it doesn't meet at least some standards (and the one I have now) passport.

I'm confused enough (and I used to be considered a "geek" by a lot of my friends, a sort of friendly "go-to" girl for friend) that I don't even know what question to ask.

Posted by: VA_Lady2008 | September 30, 2008 7:36 PM | Report abuse

Don't go blaming the messenger who showed how easy it is to foil the security of RFID passports and, I imagine, other devices. Those who designed these hackable systems are the real culprits.

I sometimes wonder where their heads were when they created these non-solutions.

Posted by: Stan Brager | September 30, 2008 7:41 PM | Report abuse

Let me guess - The software was written by an INDIAN computer programmer!!!! America corporations have been laying off American engineers, scientists, mathematicians, and computer programmers and replacing them with dirt cheap Indian and Chinese workers who, in turn, program in back doors and otherwise sell the technology to anyone with the money. Especially in the light of our economic meltdown we think it's time to end the H1-B and L-1 visas and add duties and fees and tariffs on goods and services that are outsourced.

Posted by: Anonymous | September 30, 2008 7:41 PM | Report abuse

But all the information is already printed on the passport, would this help if the information is hacked?

Posted by: abl00 | September 30, 2008 8:13 PM | Report abuse

"Cheney's pals are capturing private information that will be used commercially and in the black security sector - and shame on us all for rolling over for this loss of liberty."

Yeah, and monsters are under your bed.

Believe me, your bank, your phone company, and the last store you bought from knows more about you than the government.

Get a grip. No one is interested in you.

Posted by: thuff7 | September 30, 2008 8:25 PM | Report abuse

"America corporations have been laying off American engineers, scientists, mathematicians, and computer programmers and replacing them with dirt cheap Indian and Chinese"

That's because American engineers, scientists, mathematicians, and computer programmers suck

That's if you can find any of them. American parents are too busy getting drunk and watching their plasma screen reality shows to teach their kids how to do math.

Our universities would crumble if we had to depend on America's youth to do the job. If you don't want them to get the jobs, get off your fat butt and go to school.

Posted by: thuff7 | September 30, 2008 8:32 PM | Report abuse

Brian, Good article but you missed the important conclusion that people will also be able to rather easily steal the data from ePassports, and perhaps use that data to enter the U.S. while the unsuspecting tourist visits some foreign nation. I have been asked to present my passport many times overseas but I do not allow it out of my sight. Now the hotel desk clerk can just scan the data right off the chip without my knowledge.

Posted by: thw2001 | September 30, 2008 8:50 PM | Report abuse


Posted by: Becky | September 30, 2008 8:59 PM | Report abuse

Let me guess - The software was written by an INDIAN computer programmer!!!!
Ha, ha, I haven't heard such a stupid comment for long. Do one thing. Stop issuing H1B and continue work. You guys can't even add 2+2 without a calculator.

Posted by: BDG1 | September 30, 2008 9:15 PM | Report abuse

thuff7 said, "Believe me, your bank, your phone company, and the last store you bought from knows more about you than the government.
Get a grip. No one is interested in you."

Actually, the most recent website you visited knows a lot about you. Different details from what the government keeps, but profit-worthy nonetheless. Contrary to what you said about the government, it *does* know a lot about everybody, catalogued under their SSN. Every single person, and every single dossier is profit worthy, both in dollars and in political points. Yes, Virginia, they are, indeed, interested in you.

Lest anyone deem this declaration paranoid, understand that it's actually just observant and one only need watch the news, pick up the pieces. No eyes-only, top secret clearance necessary at all.

Posted by: Southpaugh | September 30, 2008 9:34 PM | Report abuse

Jeez Becky, I was just waiting for some moronic Christian psychobabble about the end days and the sign of the beast. Now go to Alaska and join your fellow imbeciles. Please don't wait until 2012. Go Now!
And take all like minded morons along with you. Greeting from the ANTI-Christ.

Posted by: Not becky | September 30, 2008 9:48 PM | Report abuse

Becky, Are there as many spelling errors in the Bable as there are in your short post?

Posted by: Ex Jesus Freak | September 30, 2008 9:50 PM | Report abuse

A paper passport can be copied and so can an electronic one. It's just a little difficult to copy the electronic one, but it is possible. Making it electronic also makes it safer to fix, just as it makes it possible to hack. Plugging the leak is much harder with paper. There are fixes, but it only needed better planning. No Indian software engineer makes decisions on these policies. As in everything else, you can't abdicate the responsibility of oversight to the technology.

Posted by: Anonymous | September 30, 2008 10:01 PM | Report abuse








Posted by: BRUCEREALTOR | September 30, 2008 10:40 PM | Report abuse

The chip idea was going to be a failure from the many of us have had our computers hacked into?! Perhaps a combo of the old passports plus the iris scan would be more secure. Talking about science & math skills, let's face it, we Americans are waaaay below the average Korean/Indian/German etc etc. So, unless our high school kids can prove us otherwise (by pursuing engineering, etc. in college), we should not be throwing stones at the Indians, etc. What's that about "people in glass houses.....".

Posted by: observer28 | September 30, 2008 10:44 PM | Report abuse

Please fix your headline: It's not about the tool "manipulating " passport data, but rather about the faulty construction and deployment of e-passports. May I suggest the headline "Electronic passports discovered to be insecure"?

The researcher should be rewarded for his discovery, not -- by the casual reader -- be thought of as a perpetrator. He didn't "break" the passport system: it was broken before.

Don't kill the messenger, please!

Posted by: unnamed security researcher | September 30, 2008 10:48 PM | Report abuse

Somebody hack this message board and make the newest messages show up at the top where they should be.

Posted by: Byzintine | September 30, 2008 11:01 PM | Report abuse

Hey there, Becky and Brucerealtor -- ever seen a word you could spell properly? And what's with typing everything in ALL CAPS?

Posted by: spellchecker | September 30, 2008 11:07 PM | Report abuse

Spellchecker: They are screaming their nonsense, so that they will eventually believe it themselves. If there really was a god, he would have aborted George Bush in his mothers womb, so as to save a million Iraqis.

Posted by: nuthunter | September 30, 2008 11:19 PM | Report abuse

thuff7 - Ah, another insult from one of our "guest worker" Indian parasites. American engineers and computer programmers are the best in the world. I am 61 and have over 50 patents for companies I worked for. If you want to see what Indian programmers are capable of you only have to look at Vista... and at this hacked passport. 90% of the new engineering hires are H1-B workers while over half of American engineers cannot get a job in high tech. The reason isn't hard to find. The Indian's sell themselves into indentured servitude, working 6 or 7 days a week, 12 hours a day. And they do it for one-half to one-third of what their American counterpart was paid. They do this here for two to four years of free training and, then, head for home, usually carrying every technological secret that isn't nailed down. Indian gangs have stolen the plans for the B1 and B2 bombers, our stealth fighter and countermeasures, our latest shoulder fired missile, lans for cruise missile guidance systems, and on and on. We, as a country, are flat out insane to permit these thieves into this country. Worse, our universities are filled with students from India and China. The schools get three times the tuition and fees, usually in the form of a foreign paid block grant. They deny fully qualified American students those positions, but even more American students are discouraged from entering those fields because they see their fathers and people of my generation being displaced by them. So, as we descend into the worst recession in our lifetimes, we have even lost the ability to create the new technologies to dig ourselves out. What we WILL DO, eventually, is run the Indian's and Chinese out and end the insanity of guest worker visas and allowing foreign students into our schools before American students. Likewise, we will tax the snot out of companies that outsource jobs, add tariff's and duties and fees on goods and services that are produced offshore. 
The problem isn't just with the Wall Street and corporate traitors, it isn't just with hordes of illegal immigrants, it is with parasites of every stripe!

Posted by: Anonymous | September 30, 2008 11:19 PM | Report abuse

Actually, this isn't so much an issue with RFID as it is with certain governments' seeming inability to comprehend how Public Key Cryptography is supposed to work. The whole system is useless without access to the Public Keys.

The U.S. should only accept electronic passport data from those countries that have provided their public keys. Period.

Posted by: Feedback | September 30, 2008 11:24 PM | Report abuse

The real problem is that before e-passports or ID cards with embedded chips came along, border officials were trained to take their time to check for fake documents. This training is constantly refreshed to keep them apprised of the latest fake document schemes and how to foil them.

Or such simple checks as simply reading the passports to see what stamps, notes, and other information is on there.

e-passports meant officials no longer take much more than a cursory glance at the document itself.

That is the real flaw of the system.

Posted by: a | September 30, 2008 11:28 PM | Report abuse

"The security mechanisms on your passport chip have to last the lifetime of your passport," Schneier wrote. "It is as ridiculous to think that passport security will remain secure for that long as it would be to think that you won't see another security update for Microsoft Windows in that time."

Absolutely. Duhh.

Posted by: What you already knew | September 30, 2008 11:30 PM | Report abuse

@ Anonymous with 61 patents: Learn to use the 'apostrophe' properly dimwit. As in plural- Indians, not Indian's. Or would it be 61 patent's. Anonymou's.

Posted by: sanfranmac | September 30, 2008 11:57 PM | Report abuse


Too bad none of your patents are for things Chinese and Indians want. If they were, you'd be rich instead of an insane bitter old man sitting in your dirty tee shirt watching endless hours of Lou Dobbs until you foam at the mouth.

Oh, by the way, I am 5th generation American born and raised in New Jersey. The only insult is your racist screed that makes us ashamed of some anti-Americans like you.

Posted by: thuff7 | October 1, 2008 12:16 AM | Report abuse

Southpaugh: You worry about the government?

The ACLU, bastion of human rights, advocates for privacy, defenders of the oppressed, battlers against the evil forces of Republicans and Christians sent me a letter asking for a contribution.

That was 4 days after I moved into my new house. They had my new address, phone number and other personal data. They had my "Zip + 4" zip code before I knew what it was.

I was not a member, I never corresponded with them, and I never received any mail from them at my former address.

So how do you think they got that personal information? You think Dick Cheney gave it to them?

Posted by: thuff7 | October 1, 2008 12:29 AM | Report abuse

Not becky,

Your screed against Christians is every bit as racist and bigoted as Anonymous' rant about running the Indians and Chinese out of the country.

I'm glad you have an opportunity to pollute the net with your vicious hatred. That comes with being Americans and having free speech. But don't think for a minute your form of hate speech is morally and intellectually superior to the xenophobia spewed by anonymous.

Posted by: thuff7 | October 1, 2008 12:54 AM | Report abuse

From The Washington Post:
"Government Increasingly Turning to Data Mining
Peek Into Private Lives May Help in Hunt for Terrorists

By Arshad Mohammed and Sara Kehaulani Goo
Washington Post Staff Writers
Thursday, June 15, 2006; D03

The Pentagon pays a private company to compile data on teenagers it can recruit to the military. The Homeland Security Department buys consumer information to help screen people at borders and detect immigration fraud.

As federal agencies delve into the vast commercial market for consumer information, such as buying habits and financial records, they are tapping into data that would be difficult for the government to accumulate but that has become a booming business for private companies.

Industry executives, analysts and watchdog groups say the federal government has significantly increased what it spends to buy personal data from the private sector, along with the software to make sense of it, since the Sept. 11, 2001, attacks. They expect the sums to keep rising far into the future.

Privacy advocates say the practice exposes ordinary people to ever more scrutiny by authorities while skirting legal protections designed to limit the government's collection and use of personal data.

Critics acknowledge that such data can be vital to law enforcement or intelligence investigations of specific targets but question the usefulness of "data-mining" software that combs huge amounts of information in the hopes of finding links and patterns that might pick someone out as suspicious."


Knowledge is power. J. Edgar Hoover was the old expert on using personal information about American citizens, especially powerful ones, against them to further his own agenda. Everyone has skeletons in the closet, and he was very adept at finding them and using them against American citizens. It is a form of extortion, and is made possible by the unchecked collection of data about private citizens without probable cause that they have committed any type of crime.
We all know that the Republicans in power have used, and continue to use, dirty politics to further their agenda.
Any time anyone disagrees with those in power, the first thing they do is get their hands on any information they can about those opposing them, and search for something about them to launch a character assassination against their opponents. Even if no skeletons are found in an individual's collection of information, they will have enough knowledge about them to fabricate negative news, usually thru the media conglomerates that the FCC has allowed to become controllers of most information broadcast to the American public.
Everything that is communicated from one American citizen to another, in any electronic form, is being stored on government computers. Conversations, financial transactions, personal emails, etc., etc., etc.
All of this is being done in violation of our Constitution, as well as laws written in the post-Watergate era to protect American citizens against being spied upon by our government.
The Republicans have subverted this country, it seems, to the breaking point. They have been stuffing their pockets and enriching their friends thru "outsourcing" almost the entire running of the government to companies that their friends and operatives control, thus spreading our money amongst themselves.
For the last eight years anytime I traveled internationally, I have not been able to sing the praises of the country that I love. I have instead had to spend my time defending the people of this country against allegations that we are a greedy, war loving, pompous bunch of gluttons. We have lost our status as the shining beacon of the free world due to the policies of the Bush administration.
It is difficult for me to believe that recent polls indicate the Presidential race is a close call.
How blind and stupid have we become as a nation? What more do they have to do to us before we throw the bums out?

Posted by: firecat | October 1, 2008 1:31 AM | Report abuse

thuff7 wrote: " American engineers, scientists, mathematicians, and computer programmers suck."

Is that a fact? I am a former member of the Space Shuttle team, and thuff7 is palpably full of shiite in addition to being a quarrelsome fellow, a most winning combination. I have had the privilege of working with eminent American technical and scientific people, and there are none better. Why, the accusation is absurd on its face considering the Mars landers, the orbiting telescopes, the robotic surgical tools, and all the other marvelous products of American technological skill, ingenuity, and know-how. As far as the Orient goes, the reason why programmers from points East work 15 hours 6-7 days a week was aptly described by Simone Weil, the former French Minister of Culture. When a journalist asked her why France, wealthier and more populous than Japan, nevertheless had a smaller industrial output, Mme Weil answered: "Because, monsieur, we are not ants." Outsourcing is an injury that American business inflicts on working Americans and our communities. Outsourcing should be criminalized and punishable by fines high enough to discourage the practice.

Posted by: zorbathegeek | October 1, 2008 3:36 AM | Report abuse

>So pardon me, but which is better? Or which is less safe? A new, because it has a chip, hackable passport? Or an old, it doesn't have a chip so it doesn't meet at least some standards (and the one I have now) passport.

A good question - the bottom line is that the electronic chip cannot be used by border control as a substitute for close document inspection. That way, the chip adds to the labor required to forge a passport. There must not be unmanned "electronic passport only" lines.

>The U.S. should only accept electronic passport data from those countries that have provided their public keys. Period.

Exactly - and especially the US must properly validate signatures for US passports to avoid the scenario painted by @thw2001; someone cloning your passport information to fraudulently enter the US.

Posted by: Moike | October 1, 2008 6:21 AM | Report abuse

Oh dear, RFID not safe, cheap and cheerful ill thought out insecure safety, but so long as the masses think it will work eh?


Posted by: Tommy | October 1, 2008 6:23 AM | Report abuse

Never mind dissing Indians. I'm wondering if the contractor was Neil Bush or KBR, etc.

Posted by: Bartolo | October 1, 2008 8:19 AM | Report abuse

dj333 - the RFID information can't be changed remotely, the chip is designed to send a signal back to a reader containing the relevant information, it's not a "two way" conversation. Unfettered access to this information is another problem - I look forward to the day when we all have RFID chips in our drivers' licenses, and someone decides to set up a reader near an "adult entertainment" venue to grab the personal information of everyone who entered the venue.

Posted by: Scott | October 1, 2008 10:47 AM | Report abuse

"Let me guess - The software was written by an INDIAN computer programmer!!!! "

The real problem is: without an Indian programmer, Americans can't add, nor can they count beyond 9.

Posted by: Indian Programmer | October 1, 2008 11:02 AM | Report abuse

Indian Programmer - Indian's are thieves, racist trash, and subhuman filth. Go post your garbage somewhere else, maybe in that dung heap you call your country.

Posted by: Anonymous | October 1, 2008 12:32 PM | Report abuse

"...we are a greedy, war loving, pompous bunch of gluttons."

Not all of us, just the provincials in the "heartland" who confuse overheated talk radio with reality.

Posted by: Fluxgirl | October 1, 2008 12:35 PM | Report abuse

thuff7 - You're a liar. No actual American even thinks of themselves as 5th generation. Maybe first generation, but 5th? Americans who marry and have children have such a hodge-podge of ancestry that it is impossible to trace anything more than one branch of a family back five generations. Nope. You're an Indian H1-B worker, pretending, on this forum.

Posted by: Anonymous | October 1, 2008 12:43 PM | Report abuse

Regarding the random comments here and there about Republicans and George Bush (in a tech story, no less): Techies are so often portrayed as cynical and socially non-compliant personalities, and yet as evidenced by some of the postings here, they still manage to hold key positions of authority in the Tin Foil Hat Brigade.

Posted by: CPS | October 1, 2008 1:02 PM | Report abuse

Doesn't matter anyway. All of this travel "security" is just a feeble facade anyway. A life-sized cardboard cut-out of intimidating security measures, nothing at all like the real thing, and for scant benefit. But at least you can take your passport to Canada now knowing that you're actually required to have it instead of being a dork and asking for a stamp at the border.

Posted by: Pete | October 1, 2008 1:15 PM | Report abuse

I've been lurking here and am struck by two things. First, the degree of "superiority", racism, outright hatred felt by Indian (and, one supposes, Chinese) technology sector guest workers is simply amazing. I am not, nor ever will be, a fan of the H1-B and similar visas. They quite literally trade this countries future for short term corporate profits. And, second, I am struck by the backlash of outright hatred American's are starting to feel for the "guest workers" and for India and Indian's, in general. Given the current anger and backlash against any sort of corporate bailout, the millions of telephone calls and emails that actually call upon representives to end guest worker visas as a condition for bailout, I'd have to say that the days are numbered for the H1-B program. And, I might add, I am delighted. The sooner the better. Oh, and after some checking, to return to the original topic, the hack, the code, for the encoed data **WAS** all Indian. We have long known that these guest workers are a security nightmare, a lot worse than any previous nest of spies from the old Soviet Union or Germany. No Congressman or President or other political leader can put up with this any longer. End these programs immediately.

Posted by: mibrooks27 | October 1, 2008 1:25 PM | Report abuse

Lawd y'all be some racists up in here!

Posted by: Happy Negro | October 1, 2008 1:41 PM | Report abuse

Wow, the comments section here has completely degenerated. Clearly most of the comments have been made by technologically ignorant people who, unable to comprehend even the basics of public key cryptography, have resorted to making snide remarks based on the only words that rang a bell: terrorist, international, forgery, and Osama bin Laden. This somehow led several of them to conclude that the fault lay with some nefarious yet inept Indian programmer who they presume created the faulty passport chips.

Seriously folks, take a logic refresher: the real problem is not with the chips themselves (though the fact that the chips are hackable in the first place is problematic), but with the lack of cooperation between countries which is keeping the piece of the puzzle needed to check passport validity out of the hands of those who need to do the validity checks!

The solution is simple: stop hogging the public keys! (Hint: the word 'public' isn't there just for decoration.) This guy isn't forging the real signatures, he's replacing them with other signatures, knowing full well that no one is verifying these signatures to see if they were really created by the government.

It's like someone swiping one of your checks, making it out to 'cash', and signing your name in their own handwriting, knowing full well that the Bank of Idiots at which they intend to cash the check won't make any attempt to see if the handwriting is valid.

Posted by: Jen | October 1, 2008 2:03 PM
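
The gap Jen's comment describes, as an added example that is not part of the original comments or of van Beek's tool: a check that only confirms the chip's signature matches the key shipped on the chip accepts re-signed data, while a check against the issuing country's published key rejects it. The toy RSA keys, the `UTO` country code, the chip layout and all function names are constructed for illustration; real e-passports carry a certificate chain rather than a bare key.

```python
import hashlib

# Toy textbook RSA over known Mersenne primes: illustration only, not secure.
def make_key(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return (key["n"], key["e"])

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def sig_ok(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

# Constructed keys: ISSUER stands for the real issuing authority, UNKNOWN for anyone else.
ISSUER = make_key(2**61 - 1, 2**89 - 1)
UNKNOWN = make_key(2**107 - 1, 2**127 - 1)

# What the inspecting country needs: each issuer's public key, obtained out of band.
TRUST_STORE = {"UTO": public(ISSUER)}

def make_chip(country, data, key):
    # Hypothetical chip layout: data, signature, and the signer's public key.
    return {"country": country, "data": data,
            "sig": sign(data, key), "signer": public(key)}

def check_without_trust_store(chip):
    # Only proves the data matches whatever key came along with it.
    return sig_ok(chip["data"], chip["sig"], chip["signer"])

def check_with_trust_store(chip):
    # The signer must be the key the issuing country actually published.
    trusted = TRUST_STORE.get(chip["country"])
    if trusted is None or chip["signer"] != trusted:
        return False
    return sig_ok(chip["data"], chip["sig"], trusted)

genuine = make_chip("UTO", b"name=A. Traveller;dob=1972-01-01", ISSUER)
resigned = make_chip("UTO", b"name=Someone Else;dob=1972-01-01", UNKNOWN)

if __name__ == "__main__":
    for label, chip in (("genuine", genuine), ("re-signed", resigned)):
        print(label, check_without_trust_store(chip), check_with_trust_store(chip))
```
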

“Investors Pulling Billions Out of U.S. Stock Markets” -

This is the first step. Not in the headline is a panicky flight of foreign capital from Treasury notes and government bonds. Early next week the dollar begins its death spiral. OPEC will be meeting and will switch to the Euro from the dollar. That is going to make this week's crash look like a minor correction. And, I might note, if Congress votes a bailout package now, it will exacerbate the crash. The mathematical model is quite clear, all of this, every bit of it, is due to "free trade": outsourcing jobs and guest workers, especially all of those Indian and Chinese technology sector jobs and knowledge gone. We are in SO MUCH trouble, so deeply in the ditch, that I have very little hope that we can survive this. India and Indians, "free trade", outsourcing are our worst enemy, worse than Al Qaeda, worse than the old Soviet Union, worse than any enemy we have ever faced.

Posted by: MikeB | October 1, 2008 6:01 PM

Ah, don't worry about it.

My husband and I road-tripped this summer and took a shortcut through Ontario.

When we crossed the border in and out of the country, our chips worked neither time, and the Customs agent for each agency ended up having to type in our Passport numbers anyway. ;)

Seriously - as someone noted early on: if it has to do with electronics, it will be hacked. Someone will find a way to do it. Besides, it's not like the border systems work well enough that someone like Andrew Speaker (aka - the TB guy) didn't jump through multiple gaping holes anyway. This is just one hole among a fishnet.

Posted by: Chasmosaur | October 1, 2008 6:29 PM

Is anyone here a PC?

Posted by: PC | October 1, 2008 8:22 PM

Cannot have your cake and eat it too. You want cheap hardware, get it from China; you want cheap software, get it from India.

I am all for buy America, but I am not going to complain about outsourcing when I see something that is Made in India with a price tag of $100 versus one with Made in America and a price tag of $500.

So y'all shut up with the racism. It is capitalism at work.

Posted by: dick | October 1, 2008 11:33 PM

The e-passport chip is the same as any other computer. In order to do its job properly, it must have software updates to prevent fraudulent replication and the use of fraudulent replicas. If the data entered is just a table, with a picture, name, DOB, and other identification information, of course it's going to be open to fraud.

But the real problem here is that these passports (especially those to nations with active terrorist enemies) have to be checked for authenticity. The only way to do that is if everyone is on the same page. So far, only 5 countries are on that page, while 5 more are saying they'll check. Instead they're leaning back in their recliners and taking security for granted.

My question is: what are the other 35 countries doing? Kids, this is why your teacher told you not to sleep in class.

Posted by: Mike F | October 6, 2008 5:01 PM

>Please fix your headline: It's not about the tool "manipulating " passport
>data, but rather about the faulty construction and deployment of e-passports.
>May I suggest the headline "Electronic passports discovered to
>be insecure"?

In fact it's not even that, they were known to be insecure long before they were ever deployed. Even the ICAO's own documents admit that they're not secure. The real headline would be more like "Software tool proves what security researchers have been saying for years".

>The researcher should be rewarded for his discovery, not -- by the casual
>reader -- be thought of as a perpetrator. He didn't "break" the passport
>system: it was broken before.

It was broken as designed, broken before it was even released, it's amazing that it took this long for the first public evidence of this to turn up. Of course that doesn't mean that various hostile governments haven't been walking all over e-passport security for years, remember that this is just the first publicly acknowledged break that we know of. So these guys have actually done us a service by pointing out that if they can do it any hostile foreign government can do it too, and most likely some have.

The 'security' of RFID passports is totally illusory, and the endless series of attacks on them (remote reading, eavesdropping, cloning, manipulation) only go to prove this. Far from the UK Home Office's claim of "The most secure passport ever" this could well be "The least secure passport ever". We've been sold a lemon by our governments.

Posted by: Dave | October 7, 2008 4:59 AM

© 2010 The Washington Post Company