The feds are done debating and are all prepped to introduce RFID e-passports readable up to 20 feet away to US citizens who frequently travel to Canada, Mexico or the Caribbean in either April or May of 2008. The new passports should allow traveler info to be read as they're shuffling up to the border agent, who can verify their info and wave them along with little delay. Privacy advocates are obviously concerned about people capturing data or cloning the passports, but you can always "accidentally" destroy your RFID chip if that's enough of an issue for you -- the rest of us welcome our benevolent Big Brother with bellyfeel!

[Via Slashdot]

Lukas Grunwald -- last seen cloning Germany's RFID passports -- is back with more "white hat" hackery on the world's new e-passport systems. This time, however, he's crashing RFID readers to demonstrate how a hacked passport could conceivably force approval of expired or forged passports. After all, "If you're able to crash something you are most likely able to exploit it," says Grunwald. Lukas was able to crash two passport readers made by different vendors by first cloning a passport's chip and then modding the JPEG2000 image file stored within the chip to create a buffer overflow condition -- the same vulnerabilities which make so many devices (the original Xbox, anyone?) so easily exploitable. Lukas contends that all airport readers are likely vulnerable to such an exploit as they would be using off-the-shelf libraries for decoding JPEG images. Lukas will be demonstrating his latest hack this weekend at DefCon in Vegas. Hmmm, with CES moving to RFID badges this year, we have a funny feeling that attendance is going to be way up.

[Via BoingBoing]

How easy is it to digitally clone an electronic passport? Very. Using an RFID reader purchased on eBay, white-hat hackers from DN-Systems consulting recently demonstrated to the BBC how they can download British e-passport data to their computer and then write it to a new, blank RFID chip to create a perfect digital clone. Sure, the hack requires access to the software used by border police, but apparently, this is already out in the wilds. Astounding, huh? Yeah, but it's not new. This is the same hack we've seen repeatedly demonstrated in Germany, the US, The Netherlands, Ireland, etc. What's notable here is the lack of incredulity imparted by the spokesman for the UK Home Office who said, "It is hard to see why anyone would want to access the information on the chip." Identify theft, maybe? True, British e-passports unlike those issued by other countries, do not (currently) store fingerprint scans in the chip and the encryption is just one aspect of the passport's overall security. However, with these mechanisms also circumvented, shouldn't our government officials be just a tad concerned?

Sure, we have just as many concerns over RFID-related security technology as anybody, but a new report by mobile security experts Flexilis seems to take things a bit too far. In their report on the lacking shielding of the new e-passports, allowing the passport to be read by a high-powered reader if the book is slightly open, they go on to illustrate the "dangers" of such a security lapse by calling it a potential bomb trigger. Their demonstration involves a passport-toting dummy brushing by a trash can, which explodes once the dummy gets too close. The Flexilis guys even conjecture that a country ID code could eventually be identified in passports, allowing for targeted bombing of citizens from specific countries. The problem with all this, is that any radio-transmitting device could potentially trigger a bomb (phone, Bluetooth device, etc.), nobody has hacked an RFID country code yet, and the situations that would call for this sort of bomb are even more far-fetched than the concept. There's nothing much special about RFID in this regard, other than some security "experts" trying to cash in on the hysteria. Check the video after the break, and judge for yourself whether or not RFID is going to be the hip-cool new detonation system of the decade. We're thinking no.

[Via textually.org]

Despite the various privacy concerns that have been repeatedly raised in regards to e-passports, the US is going ahead with their plans to launch the system this Monday. Not all newly-issued passports will be RFID-enabled, since mass production has been held up by the ongoing legal dispute over the technology. The first passports to be issued will be those produced during the pilot run of the project, but the full roll-out should be completed in about a year. Including the extra $12 security surcharge slapped onto passports last year, the new and "improved" models will cost $97, the same as they do currently. If you're overly concerned about the security implications or potential apocalypse causation, you might want to nab a passport now, since traditional passports will be valid until their listed expiration date. We'll manage like usual: hills, tin-foil, condensed milk, etc.

Oh snap. First the Dutch get their RFID e-passport system cracked, then VeriChip gets its "counterfeit proof" RFID implant copied by a pair of hackers in front of a live audience, and now some hackers in Germany have undermined some of the security behind the electronic passports that the United States and other countries are planning to implement this month. Lukas Grunwald did the honors this time, and says it took him about two weeks to figure out the hack, with most of his time spent reading the publicly available e-passport standards on the International Civil Aviation Organization's official website. Since all countries will be adhering to the ICAO's standard, his hack should work on other passports as well. Grunwald demonstrated for Wired the whole process of cloning a passport, and even proceeded to copy the data to a corporate smartcard, which when slipped between the normal RFID chip and the reader allows him to have a physical passport that differs from his RFID passport. All is not lost however, since most countries plan to have physical inspections to make sure everything matches up, and information cannot currently be modified on the passport -- but the security failures so far sure don't inspire a lot of confidence.