[Ms.Grat3ful]

Quote:

U.S. to roll out electronic passports
By DAN CATERINICCHIA, AP Business Writer Fri Aug 11, 5:26 PM ET
WASHINGTON - Despite ongoing privacy concerns and legal disputes involving companies bidding on the project, the U.S. State Department plans to begin issuing smart chip-embedded passports to Americans as planned Monday.


Not even the foiled terror plot that heightened security checks at airports nationwide threatens to delay the rollout, the agency said. Any hitches in getting the technology to work properly could add even longer waits to travelers already facing lengthy security lines at airports.

The new U.S. passports will include a chip that contains all the data contained in the paper version — name, birthdate, gender, for example — and can be read by electronic scanners at equipped airports. The State Department says they will speed up going through customs and help enhance border security.

Privacy groups continue to raise concerns about the security of the electronic information and a German computer security expert earlier this month demonstrated in Las Vegas how personal information stored on the documents could be copied and transferred to another device.

But electronic cloning does not constitute a threat because the information on the chips, including the photograph, is encrypted and cannot be changed, according to the Smart Card Alliance, a New Jersey-based not-for-profit made up of government agencies and industry players.

"It's no different than someone stealing your passport and trying to use it," Randy Vanderhoof, executive director of the alliance, said in a statement. "No one else can use it because your photo is on the chip and they're not you."

Yet the ability to clone the information on the chips may not be the sole threat, privacy advocates argue. A major concern is that hackers could pick up the electronic signal when the passport is being scanned, said Sherwin Siy, staff counsel at the Washington-based Electronic Privacy Information Center, a leading privacy group.

"Many of the advantages the industry is touting are eliminated by security concerns," Siy said.

After testing the passports in a pilot project over the past year, the government insists they're safe.

Numerous companies competed the last two years to provide the technology. One winner was San Jose-based Infineon Technologies North America Corp., a subsidiary of Germany's Infineon AG. Another was French firm Gemalto, which earlier this month announced that it had received its first production order from the Government Printing Office. It is producing the passports for the State Department, using the Infineon technology.

Another company, On Track Innovations Ltd., was notified July 31 that it had been eliminated from consideration and is appealing the decision, a spokeswoman for the Fort Lee, N.J. company said this week. On Track previously had been eliminated but appealed that decision in the U.S. Court of Federal Claims in Washington, D.C., which found in favor of the company and ordered it be reinstated.

Infineon has been approved for production-quantity orders but hasn't received any because of the unresolved legal dispute, said Veronica Meter, a spokeswoman for the Government Printing Office. The rollout that begins Monday will use technology built up during the pilot project.

Neville Pattinson, director of technology and government affairs for Gemalto in Austin, Texas, would not discuss financial terms of the contract. He acknowledged the economic potential is massive, noting that the State Department issued 10 million passports in 2005 and expects that to increase to 13 million this year.

Citizens who get new passports can expect to pay a lot more. New ones issued under this program will cost $97, which includes a $12 security surcharge added last year. Not all new passports will contain the technology until it's fully rolled out — a process expected to take a year. Existing passports without the electronic chips will remain valid until their normal expiration date.

haha!! we got a while before we gotta get a chip, .... story
...and I have to wonder if these chips will do more than just hold information... uhmmm, like track people?... gotta' wonder....

[igohydro]

They have em in the U.K,they are using them too!

There's several issues with them from what I've read, and they've been in 'the works' for some time now.

My family acquired all 5 of our renewals this last Winter, specifically to avoid this issue.

They're behind schedule, too, btw, as are most government programs; initiallly they were supposed to have up to 50% of new passports RFID-ready as of this Spring (06), but you can see -that- didn't happen.

I was reading a techie article on them last year, and there were several concerns, ranging from the low-frequency transmitter issue that you've alluded to (tracking), to how much data might be contained in them (bank acct or credit info, for example) to identity theft, and that they can potentially be read from a range of up to 60 ft.

The third issue means that someone with a hand-held, modified, scanner, and a palm-pilot 'married' to it, can potentially sit in a busy airport, train station, etc, and have such things out of view, say behind a book or newspaper, and be scanning the data in the chip.

If you've been into many modern airports lately (as your travel thread indicates that you have), then you know that in many airports, the separation between a secure area and a public area can be as little as a plexiglass (or glass) wall. A barrier that could feasibly be 'scanned' through.

Electronic Frontier Foundation (if I recall correctly) had included an article quite some time back, written by a techie who had devised a method of using a modified cell phone signal to disable these kinds of chips. You might search their site for tips on this issue.

That's what I've read thus far on this stuff.

And remember all of those folks who said that banking on-line was safe and secure too.

How many folks have been compromised now via electronic fraud?? Bunches, if the news is accurate.

Regards,

moose eater

[Verite]

The good old days of security chips.

This is horse shit. They are going to have all our info on that chip. You can beat your ass about that. Glad, I'm getting out while i can. Won't be long before everyone here in the Good old USA will be low-jacked. They are all ready doing it to some kids. They are saying for medical reocords and the ability to find a child if missing. I say BULLSHIT. They won't to know where everyone is and what they are doing. This in my opion is very bad news. There's nothing wrong with the old paper passpost. Thanks for the info.
Take and be safe,
BG

[I.M. Boggled]

May 2006

The RFID Hacking Underground
They can steal your smartcard, lift your passport, jack your car, even clone the chip in your arm.
And you won't feel a thing.
5 tales from the RFID-hacking underground.
https://www.wired.com/wired/archive/14.05/rfid.html

[I.M. Boggled]

04 August 2006

New hi-tech RFID passports hacked and cloned

A number of countries around the world are introducing technology-enhanced passports designed to prevent or greatly inhibit forgery and counterfeiting. One of the key components is the Radio Frequency Identification (RFID) memory chip. Residence visas and national identity cards are also beginning to include the chips.

The reason is that the chips are supposed to be nearly impossible to forge or tamper with. They are intended to store coded data, including biometric data such as fingerprints, face and iris scans, as well as all other necessary details to prove who the holder of the document is.

This week a German computer security consultant has demonstrated how to "clone," or duplicate, a specific RFID chip. Lukas Grunwald, a security consultant with DN-Systems in Germany and an RFID expert, says the data in the chips is easy to copy, and he demonstrated the technique at the Black Hat Security Conference in Las Vegas on 03 August.

The hack was tested on a new European Union German passport, but the method would work on any country's "e-passport," since all of them will be adhering to the same ICAO standard. He obtained an RFID reader by ordering it from the maker - Walluf, Germany-based ACG Identification Technologies - but also explained that someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.

A program that border patrol stations use to read the passports (Golden Reader Tool, made by secunet Security Networks) and, within four seconds, the data from the passport chip was displayed in the Golden Reader template.

He then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader. The reader can also act as a writer, and the information is transferred in the ICAO layout. The basic structure of the chip now matches that of an official passport.

Finally, Grunwald used a program that he and a partner designed two years ago to program the new chip with the copied information.

The result was a blank document that looks, to electronic passport readers, like the original passport.

"The whole passport design is totally brain damaged," Grunwald says. "From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all."

"Of course if you can read the data, you can clone the data and put it in a new tag."

This is an embarrassing development for quite a number of governments who have collectively invested billions of euros over the past several years to develop and implement several different schemes. Worse, the hack has become news just as several nations have begun issuing the new "ePassports" (another common designation) and are generally beginning to roll them out during the next several years.

Even more billions are already committed, not only to the production of these passports and identity documents, but also to the entire infrastructure needed to support the effort. Tens of thousands of man-hours and dozens of lucrative contracts have been and are being committed to huge databases, and the security checkpoints at embarkation and debarkation areas for many countries.

It turns out that while many governments have discussed encrypting the data on these RFID chips, very little effort has yet gone into implementing the encryption. The reason is simple: it will add immense complexity and expense to the entire concept.

Now it seems that there will be little choice.

"Either this guy is incredible, or this technology is unbelievably stupid," says Gus Hosein, a visiting fellow in information systems at the London School of Economics and Political Science.

Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on several websites around the Internet. The International Civil Aviation Organization, a United Nations body that developed the standard, is only one of them.

Frank Moss, Deputy Assistant Secretary of State for passport services at the U.S. State Department, says that designers of the e-passport have long known that the chips can be cloned, but that other security safeguards in the passport design still prevent someone from using a forged or modified passport.

While the U.S. does not intend at this time to allow automated reading of passports, other countries are considering taking human inspectors out of the loop. Australia, for one example, has talked about using automated passport inspection for selected groups of travelers.

The reason this is important is that the RFID readers currently read only one chip at a time. It is possible for a person to have a cloned chip placed on top of the actual RFID chip in their document. The reader would read the 'top' or closest chip. However, the data read electronically would not match the printed data on the documents. So long as a human observer is examining the document, such a simple technique would fail.

In addition to the possibility of counterfeiting, Grunwald notes that the ability to tamper with e-passports at all opens up the possibility that data written to RFID tags could be used in other ways. Crashing an unprepared inspection system, or even introducing malicious code into the screening computers, is possible, maybe even probable. This could work if the computer system performing the reading has some form of software vulnerability.
https://www.workpermit.com/news/2006_...ogy_cloned.htm

I have one of those.

The day I got it I hit it with a hammer.

I travelled on it and had no problems.

Did anyone attempt to read your passport's data with a scanner after you'd hit it with the hammer? If so, were they able to read anything on the scanner?

Do you think that as more countries are equipped with scanners that when they encounter a passport that isn't functioning properly, they'll flag that person?

Lastly, how -big- a hammer?? ;^>)

moose eater

Just a normal sized hammer. About a foot long maybe a bit more. Not a sledge hammer. My pasport has a funny dent in the centre page where the chip is stored.

I left Australia (where passpot is issued) no probs, went to Sri Lanka where i am sure they don't have readers and then to Hong Kong which is a pretty tech place and then Home.

I have no idea about flagging and that but I have major problems with people trtying to keep tabs on others.

My girlfriends passport which is Brittish Hong Kong and is not chipped however always causes problems on return into Australia. We need to go to the airport hours in advance and they always need to ring someone in the department of immigration to check that she and the passport is legal. 3 times bar leaving HK we have been the last to board a flight we always get whisked there on a little veichle of sorts.