(Image is in the Public Domain)

The Hacker's Choice, a non-commercial group of computer security experts, has released a video showing a cloned passport being approved by a security scanner at a Dutch airport. When the reader scans the passport it is revealed to belong to one Elvis Aaron Presley, complete with picture.

RFID is not ready. Every country that has tried to use it for identification has failed and miserable.

Wireless passports. Who could have guessed they'd have security problems.

(Image is used under the Pixabay license)

So much for "Fakeproof". Of course, anyone who knows about RFID and the way they work could see this coming.

(Image is used under the Pixabay license)

Well flipping duh.

Most newly issued passports carry an embedded RFID containing digitally signed biometric information. Access to this chip is wireless, which introduces a security risk, the possibility that an attacker might be able to access data on a person’s passport without the owner knowing.

It's this reason that putting RFID in passports was such a stupid idea to begin with. Put wireless into any system that protects private information and watch the world come crashing down around you.

I'm not saying that it's impossible to secure a system using wireless, but it takes a whole hell of a lot more effort that was put into the passports system.

Anyway, now that someone has proven this is viable, those fears that someone can just scan a crowd and find the Americans to target have been entirely validated.

(Image used under: Creative Commons 2.0 [SRC])

In what was a colossally stupid decision, the US put RFID chips in passports. Oh wait, this article is about the outsourcing! Right.

In what was another colossally stupid decision, the US is now outsourcing the production of RFID passports.

(Image used under: Creative Commons 2.0 [SRC])

Using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package.

Is there anything that doesn't have RFID anymore?

(Image used under: Creative Commons 2.0 [SRC])

EPIC reports that the Department of Homeland Security is creating a passport-like system that will be required for travelers between the US, Canada, Mexico, the Caribbean, and Bermuda. This "passport" will contain RFID and very little security. From the article:

The federal government has been increasingly using RFID technology in its identification documents. The Department of Homeland security last year began using RFID-enabled I-94 forms in its United States Visitor and Immigrant Status Indicator Technology ("US-VISIT ") program to track the entry and exit of visitors.¹⁹ This year, the State Department began issuing RFID-enabled passports to U.S. citizens.²⁰ Only 23% of U.S. citizens have passports.²¹ Therefore, under the Western Hemisphere Travel Initiative, U.S. citizens would have to carry either a passport, which costs $97 for first-time applicants, or a PASS card. As the proposed Western Hemisphere Travel Initiative PASS card, U.S. passport, and US-VISIT I-94 entry and exit forms all contain RFID chips, if the PASS card proposal is adopted, then all U.S. citizens carrying either a passport or PASS card and visitors entering the country through US-VISIT will be able to be tracked using RFID technology.

Wireless data is easy to steal. Why did we put it on our passports again?

(Image is in the Public Domain)

Schneier links to an article about RFID passports being cloned in under 5 minutes. The authorities have stopped denying it's possible and have shifted to denying that it can be used for any nefarious purposes.

The UK Home Office however dismissed the ability to get hold of the information on the chip. A spokesman said: "It is hard to see why anyone would want to access the information on the chip. " Other than the photograph, which could be obtained easily by other means, they would gain no information that they did not already have - so the whole exercise would be pointless: the only information stored on the ePassport chip is the basic information you can see on the personal details page."

Well, it sure is hard to see why anyone would want to see someone's credit report, criminal history, medical information, social security card, birth certificate… Are these people for real?

If you spend millions to deploy an encryption system, maybe you should make sure it's robust first?

(Image used under: Creative Commons 2.0 [SRC])

New RFID passports are supposed to make identity theft more difficult and to make it easier to spot fake passports like the ones used by the perpetrators of the 9/11 attacks.

First, making the data remotely secretly readable without every possessing or otherwise coming into contact with the passport hardly makes it more secure against identity theft. Second, it's hard to make fake documents, but easy to fake 1's and 0's. Last I checked your electrons look just like mine.

Besides the very obvious flaws in this idea, all it would take for the "secure passports" to turn into a nightmare of unprecedented proportions would be for the encryption to be broken. Oops, it's been done… and in under 48 hours of effort.

In the article, they mostly talk about the dangers of cloning passports, but I submit that the real danger is being easily, quickly, and remotely identified as a foreigner while you travel. Either way, they said it best in their final paragraph:

It may be that at some point in the future the government will accept that putting RFID chips in to passports is ill-conceived and unnecessary. Until then, the only people likely to embrace this kind of technology are those with mischief in mind.