Arphid Watch: Here in the Sealed Envelope

Using equipment readily available on the Internet, the Daily Mail was able to construct a device that can read information from an RFID-equipped passport. Within four hours, the Mail managed to download enough information to create a phony passport without opening the envelope in which the new passport was delivered. The RFID chip holds an electronic copy of the photo page from the passport, an electronic photo and a device that ensures the other two files have not been altered. To access these files, the computer needs the key that is printed in the last line of the passport's machine-readable zone on the photo page. The Mail was able to determine the code relatively easily because it virtually always includes the holder's birth date and the passport's expiration date. Furthermore, attackers are not locked out after any number of incorrect attempts. http://www.thisislondon.co.uk/news/article-23387681-details/'Safest+ever'+passport+is+not+fit+for+purpose/article.do
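The two weaknesses the item describes, an access key built from fields that are printed on (and predictable from) the data page, and a chip that never locks out, are worth seeing concretely. The following is an added example, not code from the NewsBites item or from the Mail's experiment. It parses the second machine-readable-zone line of a passport using the ICAO 9303 layout and check-digit rule, shows which fields (document number, birth date, expiry, each with its check digit) ICAO 9303 Basic Access Control hashes to seed the chip's access key, and models the failed-attempt lockout that the passports lack. The sample MRZ line is fictitious specimen-style data, and the `LockingReader` class is a hypothetical mitigation for illustration, not the behaviour of any real passport chip.

```python
import hashlib
import hmac

# ICAO 9303 check digits weight characters 7, 3, 1 repeating and take the sum modulo 10.
WEIGHTS = (7, 3, 1)

# Sample second MRZ line (44 characters, fictitious specimen-style data, constructed for this example):
# doc number + check | nationality | birth date + check | sex | expiry + check | optional + check | composite check
SAMPLE_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


def char_value(c: str) -> int:
    """Numeric value of an MRZ character: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit for one field."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def parse_mrz_line2(line: str) -> dict:
    """Split the second line of a TD3 (passport) MRZ into fields, verifying every check digit."""
    if len(line) != 44:
        raise ValueError("TD3 MRZ line 2 must be exactly 44 characters")
    checks = [
        ("document_number", line[0:9], line[9]),
        ("birth_date", line[13:19], line[19]),
        ("expiry_date", line[21:27], line[27]),
        ("optional", line[28:42], line[42]),
        # The composite digit covers doc number, birth date and expiry (with their checks) and the optional field.
        ("composite", line[0:10] + line[13:20] + line[21:43], line[43]),
    ]
    for name, data, printed in checks:
        if str(check_digit(data)) != printed:
            raise ValueError(f"{name} check digit mismatch")
    return {
        "document_number": line[0:9],
        "nationality": line[10:13],
        "birth_date": line[13:19],
        "sex": line[20],
        "expiry_date": line[21:27],
        "optional": line[28:42],
    }


def is_valid_mrz_line2(line: str) -> bool:
    """True if the line parses and all check digits agree."""
    try:
        parse_mrz_line2(line)
        return True
    except ValueError:
        return False


def mrz_information(line: str) -> str:
    """The key-bearing fields BAC uses: document number, birth date and expiry, each with its check digit.
    Two of the three are the dates the article says make the key easy to determine."""
    parse_mrz_line2(line)
    return line[0:10] + line[13:20] + line[21:28]


def bac_seed(line: str) -> bytes:
    """K_seed as defined by ICAO 9303 BAC: the first 16 bytes of SHA-1 over the MRZ information."""
    return hashlib.sha1(mrz_information(line).encode("ascii")).digest()[:16]


class LockingReader:
    """Hypothetical lockout (not present on the passports discussed): after max_failures wrong
    keys the document refuses every further attempt, including a correct one."""

    def __init__(self, expected_seed: bytes, max_failures: int = 5):
        self._expected = expected_seed
        self._max = max_failures
        self.failures = 0
        self.locked = False

    def present(self, seed: bytes) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(seed, self._expected):  # constant-time comparison
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self._max:
            self.locked = True
        return False


if __name__ == "__main__":
    print(parse_mrz_line2(SAMPLE_LINE2))
    print("key material:", mrz_information(SAMPLE_LINE2))
    reader = LockingReader(bac_seed(SAMPLE_LINE2))
    for _ in range(5):
        reader.present(b"\x00" * 16)  # five wrong keys lock the document
    print("correct key accepted after lockout:", reader.present(bac_seed(SAMPLE_LINE2)))
```

The point of `mrz_information` is that the seed depends on only 24 printed characters, and the 14 that encode the birth and expiry dates carry far less than their nominal entropy once the holder's approximate age and the issue date are known; `LockingReader` shows how little code it takes to bound the number of guesses a document will ever answer.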

[Editor's Note (Pescatore): back in the day, when passwords were entered on teletype terminals onto rolls of paper, the teletype would backspace and type Xs over the password to mask it. Clever folks figured out you could read the password anyway if you shone a flashlight on the ink. Physical protection of sensitive data is important - there was just another article pointing out that folks with digital cameras could photograph Vista activation codes from their boxes in retail outlets - oopsie.

(Schultz): No matter how many times we say things like this can (AND WILL) happen, the warnings get ignored and we wind up with trying to secure things after the fact instead of building things right. Maybe we will need to store our passports in the lead boxes with our Kryptonite from now on.

(Northcutt): Pretty good article, I would take the time to read it. The short version: the passports are delivered in specially marked envelopes, the courier does not ask for ID when delivering it so low-tech attack methods work just fine, the key protecting your info is of reasonable size, 192 bits, but it has some relationship to your date of birth and you can try an infinite number of attacks on the RFID chip; it doesn't shut down on the fifth try or whatever. If it wasn't for my frontal lobotomy I might be getting cynical by now. Another great write-up can be found here:

http://www.guardian.co.uk/idcards/story/0,,1950226,00.html

(Liston): RFID technologies create several new attack vectors, and yet we still attempt to secure them by making the same types of mistakes that we've made for OTHER technologies.]