German Hacker Successfully Clones E-Passports

So the latest news is that the RFID chips in electronically enabled passports are NOT encrypted. Which bright spark came up with that idea?

Ok so you implement ‘more secure’ RFID passports, and leave all the data in plain text for anyone to tamper with – nice!

So what do you think they are gonna do about that? Probably nothing right?

A German computer security consultant has shown that he can clone the electronic passports that the United States and other countries are beginning to distribute this year.

The controversial e-passports contain radio frequency ID, or RFID, chips that the U.S. State Department and others say will help thwart document forgery. But Lukas Grunwald, a security consultant with DN-Systems in Germany and an RFID expert, says the data in the chips is easy to copy.

“The whole passport design is totally brain damaged,” Grunwald says. “From my point of view all of these RFID passports are a huge waste of money. They’re not increasing security at all.”

Complicated infrastructure stops people from doing something properly, that’s a pretty lame excuse.

Apparently these new super-duper RFID enabled passports are going to help cut down on forged documents…yeah when it’s not encrypted?

Although countries have talked about encrypting data that’s stored on passport chips, this would require that a complicated infrastructure be built first, so currently the data is not encrypted.

“And of course if you can read the data, you can clone the data and put it in a new tag,” Grunwald says.

The cloning news is confirmation for many e-passport critics that RFID chips won’t make the documents more secure.

“Either this guy is incredible or this technology is unbelievably stupid,” says Gus Hosein, a visiting fellow in information systems at the London School of Economics and Political Science and senior fellow at Privacy International, a U.K.-based group that opposes the use of RFID chips in passports.

Personally I’m on the side that the technology is incredibly stupid.

Sometimes people amaze me, not in a good way.

Source: Wired and thanks to Daniel for the heads up on this one.

Posted in: Hardware Hacking, Legal Issues



16 Responses to German Hacker Successfully Clones E-Passports

  1. rfmonkey August 16, 2007 at 7:42 am #

    cool, I have been needing a passport, looks like better days are coming, It’s OK with me, I’ll be looking for a real suave name, maybe Rico, or Jean. : )

  2. Ian Kemmish August 16, 2007 at 9:25 am #

    A similar story aired on the TV news here sometime last year, involving UK academics rather than a German hacker.

    Since the data includes a hash code derived from the digital photo printed on the passport, merely cloning the passport, although possible, is not very much use – you can only pretend to be yourself, not someone else. What you need is the ability to create valid-looking RFID data of your own creation. The Home Office claims that this is not possible, the academics merely confirmed that they had not been able to do this yet.
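The difference between copying chip data and creating new valid data, as described in the comment above, shown as an added example that is not part of the original post or its comments. It assumes a simplified chip layout; an HMAC stands in for the issuer's signature, and every name, key and value is constructed.

```python
import copy
import hashlib
import hmac

ISSUER_KEY = b"constructed-issuer-key"  # assumption: HMAC stands in for an issuer signature


def canonical(hashes):
    """Serialise the hash table deterministically so it can be authenticated."""
    return "|".join(f"{k}={hashes[k]}" for k in sorted(hashes)).encode()


def issue(data_groups):
    """Build chip contents: plain-text data, per-group hashes, issuer tag over the hashes."""
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in data_groups.items()}
    tag = hmac.new(ISSUER_KEY, canonical(hashes), hashlib.sha256).hexdigest()
    return {"data": dict(data_groups), "hashes": hashes, "tag": tag}


def verify(chip):
    """Inspection-side integrity check. It proves the data is unmodified,
    not that the chip presenting it is the one the issuer wrote."""
    expected = hmac.new(ISSUER_KEY, canonical(chip["hashes"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, chip["tag"]):
        return "bad issuer tag"
    if set(chip["data"]) != set(chip["hashes"]):
        return "data group set mismatch"
    for name, blob in chip["data"].items():
        if hashlib.sha256(blob).hexdigest() != chip["hashes"][name]:
            return f"hash mismatch: {name}"
    return "ok"


def demo():
    """Run the check over an original, a clone, and two tampered copies."""
    original = issue({"holder": b"DOE<<JANE", "photo": b"constructed-photo-bytes"})
    clone = copy.deepcopy(original)            # bit-for-bit copy of the readable data
    altered = copy.deepcopy(original)
    altered["data"]["photo"] = b"constructed-other-photo"
    rehashed = copy.deepcopy(altered)          # tamperer also recomputes the photo hash
    rehashed["hashes"]["photo"] = hashlib.sha256(rehashed["data"]["photo"]).hexdigest()
    return verify(original), verify(clone), verify(altered), verify(rehashed)


if __name__ == "__main__":
    print(demo())
```

The clone passes because an integrity check over plain-text data cannot tell a copy from the original, so the inspector still has to compare the photo with the person presenting the document.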

  3. morbid August 16, 2007 at 10:08 am #

    Head to, grab the schematics and the parts list, order the stuff at digikey and show all people you know how badly implemented RFID technology usually is. Sorry but if you can’t convince the govs you have to educate the masses. Applied hacktivism without any DDoS, I’m sure it works at least a bit. On 23C3 there have been some nice lectures on RFID, but that was aimed at “hackers”, so why tell people that already know that this is dumb that it is dumb, tell it to the ones that don’t know it and prove it. At my university they have RFID cards for the cafeteria, having your deposit unencrypted on the chip, anyone tell me if this is a good idea with more than 3000 Computer Science and Electrical Engineering students ;). I think someone has to do a big PoC for the masses, so everyone is convinced.
    Passports are another nice thingy, imagine in some years the immigration officers don’t look at the passports any more, but just grab the data from the RFID chips ’cause it’s faster, anyone can pretend to be someone else then. Imho it’s a horror scenario.
    RFID_passports = Security--;

  4. Sir Henry August 16, 2007 at 12:14 pm #

    I have always thought that the initiative by the US to put RFID in the new passports is intrinsically inane and shows a clear lack of logic and forethought in regard to security. How many people have already illustrated that this is absolutely insecure and a painfully easy way to get passport information? Don’t even get me started on the credit cards that you can simply wave in front of a scanner at the counter for “convenience”. I will never own one of those for I know that they, too, are a single point of failure and a means to giving up your money to anyone clever enough to get it. Great post.

  5. Cyanide August 16, 2007 at 12:38 pm #

    I usually just end up telling people to take a hammer to their passport to destroy the chip so that nobody can read their personal data without actually looking at the passport.

  6. Prelate August 16, 2007 at 5:00 pm #

    Major Malfunction did this at Defcon this year. He also spoofed the “animal” implant asking for human volunteers from the audience. Funny thing is his dog

  7. TheRealDonQuixote August 16, 2007 at 9:12 pm #

    No offense DKNT, but isn’t this old news? Engadget had an article about these guys way back on 03.08.06.

    If anyone’s interested here’s a great video on how to skim data from RFID credit cards.
    RFID-enabled Credit Card Skimming

    And here’s a link on how to write RFID worms!! The Dutch have been on this for quite a while now.
    vrije Universiteit

    I’ve been following RFID hacks for a long time now. I wish I could afford all these toys just so I could bother the cr@p out of my parents!! :D
    Of course I can’t solder for shite…

  8. Sandeep Nain August 17, 2007 at 12:03 am #

    Wow… one more lame step taken by the govt. Why does the govt always need to assume that anything which looks geeky is more secure..

    I wonder if the officials even wanted to know about the security of these RFIDs. I’m sure they didn’t even think about the data encryption..

    I remember when they introduced this watermark thingy in passports which can be seen only in ultra violet light (or something like that) and claimed it will be hard to forge the passports now…

  9. Darknet August 17, 2007 at 5:43 am #

    TRDQ: Yeah actually I didn’t notice the date on the article, Daniel sent it to me as something of interest, so I just read it and posted it. The Wired article is also from 2006 now I checked it. It’s still interesting though I think :)

    The hammer technique is interesting!

    I was following RFID quite closely when it first emerged, but then I lost touch a bit.

  10. Sandeep nain August 17, 2007 at 12:14 pm #

    Although it’s an old one but was a good one to read for people like who haven’t read it before. So thanx darknet…

  11. Nobody_Holme August 17, 2007 at 1:56 pm #

    RFID is the worst idea since sliced bread? :p

  12. Alfred Farrington August 17, 2007 at 2:21 pm #

    Refreshing never hurt anyone. :P Hmmmm when is the government going to get themselves together. They ought to stop hiring all these guys out there that really don’t know what they are doing, just pitching ideas. Hey let’s try this encryption we don’t need that then “we won’t understand it or better they might break the encryption”. So the government’s answer no encryption gee I would love to work in that sector when I grow up.

  13. CK76 August 17, 2007 at 6:50 pm #

    This is why I keep my passport in an antistatic bag. It’s great when you’re at the airport, and one curious person asks why I’m doing it. Soon enough I’m explaining to a small group of people the principles of RFID and why it’s so insecure.

    Good post DKNT. Spread the word.

  14. TheRealDonQuixote August 17, 2007 at 7:31 pm #

    Sorry for the “this is old” lameness. I realized I sounded like a duma$$ digg user. Now that is the definition of embarrassing!!

    Anyhew, tinfoil is supposed to work too for screwing up RFID readers. I’ve seen a wallet with some sheets of foil built right into the walls of the thing, it’s supposed to cover your RFID enabled credit cards. But some say that you have to completely wrap the card or passport in foil. I dunno cause I haven’t been able to play around with RFID stuff, no money.

    I really want to go around a Gap and make all their inventory magically disappear from their systems. All I need is a small EMP device ;)

  15. Nobody_Holme August 19, 2007 at 2:06 pm #

    TRDQ, that’s a genius idea. I want to help.

  16. Sandeep Nain August 31, 2007 at 2:30 am #

    Nice idea TRDQ…. but the question here is… When will government think about these issues…

    they are introducing the technology but in this lame way… its too bad

    I think I’m sounding more like a philosopher here rather than being a security professional