Elvis has left the border: ePassport faking guide unleashed

The Hacker's Choice (THC) has released details of a procedure that allows you to "create a backup of your own passport chip(s)" - or, if you were that way inclined, use a modified chip to build a fake ePassport that will not be detected by at least some passport readers. THC offers a video of "Elvis's" passport being approved by …

COMMENTS

This topic is closed for new posts.

Mark Joynes says...

"Governments' security experts aren't dummies and they aren't going to make those mistakes."

I say:

What planet is he living on? It seems it must be a different one to the one I'm on.

pinheads.

"The signature itself, he points out, is a perfectly valid one backed by a self-signed certificate, and it's the check of whether or not that certificate has been issued by a bona fide authority that is absent. Yes, that music you hear is the sound of angels dancing on a pinhead, but nevertheless what the man says is true."

Angels on a pinhead? The usefulness of any signature-based scheme relies on being able to verify who it was that made the signature. Anyone can sign anything: the act of deciding which "bona fide authorities" to trust is the exact analogue of deciding which countries' passports are acceptable: I'd expect the border agency to be quite good at that.

Huh?

100s of lost government laptops every year

Confidential data on USB keys

CDs with confidential data lost in the post

Top Secret documents left on trains

Disks stolen from secure areas

"Governments' security experts aren't dummies and they aren't going to make those mistakes."

If it wasn't all quite so sad - that would have to be one of the funniest comments I've seen in ages.

@AC

Governments not make stupid mistakes? I needed a good laugh to get through the morning. Cheers El Reg :)

So what you're saying is

That Elvis has not only left the building but is now a hacker living in Amsterdam. Damn that's quite the career move.

A title is not required.

"[T]he ability to validate certificates should always be present at border crossings..."

Or better yet, we could toss out the whole passport idea altogether, and just let people get on with their lives. I for one would not at all mind never again having to hear some overblown official demanding to see my travel documents.

-Daniel

Bow Down To Elvis

I for one welcome Elvis as our new rocking overlord.

A different angle

One thing which isn't getting much coverage is that there's just as much scope to cause chaos by altering someone else's ePassport with tampered data.

Once someone determines how to get an authoritative certificate verification the whole system becomes ineffective. How 'impossible' that is may just be a matter of time.

RW

Government security experts? Surely you jest.

They aren't experts and they are dummies. The endless losses of govt data are more than ample proof of both propositions.

Anonymous Coward

May I quote you on that?

"It's exceedingly unlikely." says PKI product manager Mark Joynes.

Watch this space...

Oxymoron

"Government Security"

@ AC

Exactly right, Mr AC. If governments' security experts aren't dummies, then who is it that ignored warnings leading up to 9/11? Who allowed the situation and protocols that make possible the loss of RAF, prison, NHS and social security documents, to name but a few?

The dummies are out of the shop window and running the world and the customers don't seem able to stop them.

There are some problems with your comment: A title is required

"Governments' security experts aren't dummies and they aren't going to make those mistakes."

Haha! shut up foo'!

@So what you're saying is

<choke> you owe me a new keyboard... The screen went when I read:

"Governments' security experts aren't dummies and they aren't going to make those mistakes."

To be fair to the experts

"Governments' security experts aren't dummies and they aren't going to make those mistakes."

Let's not malign the experts. There are probably a few people who do know about security and formulate sensible policies - secure data transfer, encryption, minimal use only, no use of laptops or USB drives, data not to be removed from the office, etc etc - but they're vastly outnumbered by the bozos who lose laptops, post unencrypted CDs and leave Top Secret documents on trains.

You can lead a horse to water...

Government Security

"It's exceedingly unlikely," says PKI product manager Mark Joynes, arguing that the equipment used by van Beek for his demo is intended for test and development purposes, not for border deployment. "Governments' security experts aren't dummies and they aren't going to make those mistakes."

Really? So the massive break-ins and hacks, and secret docs left everywhere, are an indication of them doing things RIGHT, are they?

Stupid tw*t

Great...

I was named Elvis because my mother was a fan, so I appreciate the fun I will have next time I travel!

re: "Governments' security experts aren't dummies and they aren't going to make those mistakes."

yes - but what are the chances those ones will have any say in the matter?

"Governments' security experts aren't dummies and they aren't going to make those mistakes."

No, they will just post all the details of everyone's passport on a couple of DVDs and then say that no harm could ever have been done.

Is this man totally man?

Mine's the one with the Paris Hilton passport in the pocket

Don't touch that 007, it's for eBay...

"Governments' security experts aren't dummies and they aren't going to make those mistakes"

That is fantastic. In the UK, Government security experts never make any mistakes... like leaving top secret documents on a train, or flogging a camera with top secret info on it. Add in the subcontractors (who certainly do make mistakes because of the rock-bottom price they quoted for the job) and the bean counters and you have a recipe for disaster.

If these machines are cheaper than the fully-secure real deal I wouldn't be at all surprised to see them used on 'non-critical border crossings' by any European government...

Mine's the one with a selection of Prime Ministerial passports in the pocket...

Passport reader

I've seen that passport reader in Schiphol and always wondered why it was there. Now I know: so you can check how good your fake/amended passport is.

@Joe Blogs

That's why such a reader should not perform any security checks, and only display the contents. Then anyone with a fake passport will think it's ok, and won't know for sure until they get to the actual border post, where you'd hope the full blown authentication process will take place.

Gov't employees

The clerk who handles secure data is the same person who sat beside you at school who didn't have a fecking clue about anything ( i.e. knows fuck all about fuck all ) and he/she has served his/her time in the position and risen to the extreme limit of his/her incompetence. You know the ones, just above the level req'd. to work in the town hall - just a little bit more go in them. These are the bastards we trust with all these details, and they know no more now than they did when they left school, they've tried the civil service exams for years until they got to know the questions and the answers - enabling them to pass - eventually. FFS. These are George Orwell's hot house flowers with a qualification or two. These are the people who meander through life much like the Thaals (sp.?). You know them as well as I do. What do you expect?

Can we have a brain dead gov't clerk logo please?

Mine's the one with the guaranteed pension fund in the pocket, ho-ho...

@ Mike smith

You can lead a horse to water...

Not if you're Chuck Norris, he can make it drink.

Are digital signatures that good an idea for Passports?

So all this relies on digital signatures from a recognized government CA (would a government really rely on a foreign 3rd party CA?).

I may have misunderstood the way trust chains work, but wouldn't the compromising of any of the certs in the chain compromise any signatures relying on that chain when the compromised certificate is revoked (or is the system not set up to do any certificate revocation checking)?

If this is the case, then compromising any cert in the trust chain would invalidate any passport relying on the trust chain for its signature, requiring the cancellation and re-issue of the affected passports. If a country relies on a single trust chain to sign all passports, it could potentially mean the cancellation and re-issuing of ALL passports.

Also the whole idea of having digitally signed passports makes getting hold of a certificate in the chain (without alerting authorities) a very high value prize for both foreign intelligence agencies (even allies) and organized crime.
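
The distinction argued over in this thread (a signature that verifies versus a certificate issued by an authority the reader trusts, as in the "pinheads." and trust-chain comments), shown as an added Python example that is not part of the original article or any comment. It uses toy textbook RSA, and every name, key and chip record in it is constructed and hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    # Toy textbook RSA from two known primes, no padding: illustration only.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def sig_ok(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

def make_cert(subject, subject_key, issuer, issuer_key):
    body = f"{subject}|{subject_key['n']}|{issuer}".encode()
    return {"body": body, "sig": sign(issuer_key, body)}

def cert_fields(cert):
    subject, n, issuer = cert["body"].decode().split("|")
    return subject, int(n), issuer

def make_chip(data, signer_key, cert):
    return {"data": data, "sig": sign(signer_key, data), "cert": cert}

def signature_only_check(chip):
    # Incomplete: trusts whatever certificate the chip itself presents.
    _, n, _ = cert_fields(chip["cert"])
    return sig_ok(n, chip["data"], chip["sig"])

def full_check(chip, anchors):
    # Also requires the certificate to verify under a key the reader already trusts.
    _, _, issuer = cert_fields(chip["cert"])
    issuer_n = anchors.get(issuer)
    if issuer_n is None or not sig_ok(issuer_n, chip["cert"]["body"], chip["cert"]["sig"]):
        return False
    return signature_only_check(chip)

# Constructed sample data: hypothetical authority, signer and chip contents.
CA = make_key(2**107 - 1, 2**127 - 1)
SIGNER = make_key(2**61 - 1, 2**89 - 1)
OTHER = make_key(2**19 - 1, 2**31 - 1)
ANCHORS = {"Example State CA": CA["n"]}
genuine = make_chip(b"holder=A. TRAVELLER", SIGNER, make_cert("Signer", SIGNER, "Example State CA", CA))
self_signed = make_chip(b"holder=E. PRESLEY", OTHER, make_cert("Other", OTHER, "Other", OTHER))
claimed_issuer = make_chip(b"holder=E. PRESLEY", OTHER, make_cert("Other", OTHER, "Example State CA", OTHER))
print([(signature_only_check(c), full_check(c, ANCHORS)) for c in (genuine, self_signed, claimed_issuer)])
```

The trust-anchor set plays the role of the border agency's list of accepted issuing authorities; revocation checking, which the last comment asks about, is not modelled here.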
