Now that’s an interesting idea I had not much considered. Thank you.
As to USAians this is a particular issue since only a small percentage of Americans ever travel internationally or even have passports. Most people I know have one, but that’s driven by my SES & even more by my occupation.
Vast swathes of ordinary Joe & Jane American have no passport and would never know if someone else had taken one out using their “borrowed” identity. At present it seems the 50 states do NOT share driver’s license info, at least not for untroublesome drivers. So one’s identity could be “borrowed” to create multiple drivers’ licenses in multiple jurisdictions, all without much chance of detection by the authorities or by the victim.
As long as our bad guy identity borrower didn’t do anything that intersected with the tax or financial well-being of the identity borrowee, this could be played along for the rest of someone’s life.
In theory, gaining access to the electronics inside the device and dumping the code from the embedded microcontroller could enable someone to break the security on those things, but I think they are usually constructed with tamper resistance so that any such attempt would destroy them before anything useful can be obtained.
The trouble with the authentication keyfobs is that it is the active data in them that matters. A core tenet of any encryption is that you assume the attackers know your encryption algorithm. Same with these devices - assume that the attacker has reverse engineered the device. It is the volatile state of the device that will be set after the device is powered up that contains the individual key. Getting that out is going to require serious technology. Not impossible, but very difficult. And of course, the design can include anti-tamper features.
Just the act of allowing light onto the chip can destroy the operating state. And the device must remain operating the entire time. One slip disconnecting power and the device forgets.
This is underlined by the availability of software authentication key generators that duplicate the functionality of the hardware ones. Reverse engineering the code is trivial. They depend upon technological devices to protect the keys allocated to the instance. As we saw with the Apple versus FBI standoff, technology companies can outrun government agencies when it comes to protecting data in devices. The protected enclave inside Apple’s processors is fiendish.
So, given a simple key device, a state level actor could maybe muster the technology to duplicate a given individual device. Stealing a key device, duplicating it, and returning the still operating original to the owner undetected, whilst just on the edge of possible, is a limited use case. One could imagine scenarios when it might be worth considering the investment needed. But one would want to be sure that you could pull it off. One slip in the process and you alert the owner, and all is lost.
The reason I thought of keyfobs was that I just saw an article that a researcher had discovered a side-channel attack for one type, so, in theory, you could duplicate it without completely disassembling it. Still a near nation-state type attack, since it required having the keyfob in your possession for something like 8 hours minimum, wasn’t guaranteed to work, etc. And that side-channel vulnerability will of course be fixed in the next version. So, maybe a touch more possible than ‘on the edge’, but still not easy.
Yeah. Side channel vulnerabilities remain a problem. We get better at fixing them, but then along comes another left field oddity.
The big change in false identity and counterfeiting identity does come back to that pointed out by @LSLGuy. Documents no longer prove the existence of the holder. They provide a reference to a centralised record of the holder. It isn’t possible to counterfeit an identity anymore, as you need to place the identity into the system, and that is not just a matter of forging a document. The whole movie trope of a forged identity (you are an international salesman, here is your backstory, etc etc) doesn’t wash, unless there really is that person and you assume their identity. So even breaking a key generator authenticator only gets you a small way.
True, but cross-referencing in a timely manner remains a challenge. Your driverID example is awesome, but to get the said ID what does an applicant need to show? How secure is that?
I don’t think there’s any point in focusing on the physical ID. If you want a fake American passport, you bribe people or insert people in the passport office to create one, inserting info into the database as if the fake ID were legitimate.
The US might have people in Russia’s passport office doing this, just as Russia might have people in the American passport office doing this, and so forth. (No proof, just speculating.)
Yep, side channel attacks can be very hard to anticipate. An example I was involved with: a company I worked for was using a “secure” chip. In order to perform certain sensitive operations, the chip required that you supply a fixed 16-byte password. The chip had the password embedded in its microcode, and before performing the operation, it would compare the user-supplied password with its internal password, byte by byte, and return an error if they failed to match. Various hardware features were designed to make it extremely difficult to extract the embedded password from the chip. Assuming the password really can’t be extracted, it seems secure, doesn’t it?
A hacker discovered that the password comparison would exit as soon as it found a mismatched byte. So if the first byte was wrong, the error would be returned in, say, N nanoseconds. If the second byte was wrong, the error would be returned in 2N nanoseconds. If the third byte was wrong, the error would be returned in 3N nanoseconds, etc. So by trying all 256 combinations of the first byte and finding when the error lag suddenly increased, he could discover the first byte of the password, and similarly for each subsequent byte. So he could get the whole password in, at worst, 256x16 attempts, rather than the 2^(8x16) attempts intended by the chip designer. It was a major and unpatchable embarrassment for the chip vendor.
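The leak described in the post above, as an added example that is not part of the original thread or the chip's actual microcode: an early-exit compare next to a constant-time one. The secret bytes are constructed for the demo, and the `steps` counter is an assumed stand-in for the N-nanosecond-per-byte response latency.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_LEN 16

/* Constructed sample secret for the demo; not taken from any real chip. */
static const uint8_t SECRET[PW_LEN] = {
    0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x44, 0xb8, 0x1f,
    0x6d, 0xc3, 0x29, 0xf0, 0x85, 0x7e, 0x12, 0xab
};

/* Early-exit compare as described in the post. *steps counts the bytes
 * examined, a deterministic stand-in for how long the error takes. */
int leaky_check(const uint8_t *guess, unsigned *steps) {
    *steps = 0;
    for (size_t i = 0; i < PW_LEN; i++) {
        (*steps)++;
        if (guess[i] != SECRET[i]) return 0;  /* earlier mismatch, faster error */
    }
    return 1;
}

/* Hardened compare: always touches all 16 bytes and folds the differences
 * into one accumulator, so the work done does not depend on the guess. */
int constant_time_check(const uint8_t *guess, unsigned *steps) {
    volatile uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < PW_LEN; i++) {
        (*steps)++;
        diff |= (uint8_t)(guess[i] ^ SECRET[i]);
    }
    return diff == 0;
}

/* Moves the first wrong byte from position 0 to 15 and counts how many
 * distinct work counts result. More than 1 means latency reveals position. */
unsigned distinct_latencies(int (*check)(const uint8_t *, unsigned *)) {
    unsigned seen[PW_LEN + 1] = {0}, distinct = 0, steps;
    for (size_t k = 0; k < PW_LEN; k++) {
        uint8_t guess[PW_LEN];
        memcpy(guess, SECRET, PW_LEN);
        guess[k] ^= 0xff;                     /* first mismatch at byte k */
        check(guess, &steps);
        if (!seen[steps]++) distinct++;
    }
    return distinct;
}

int main(void) {
    printf("leaky: %u distinct latencies, constant-time: %u\n",
           distinct_latencies(leaky_check), distinct_latencies(constant_time_check));
    return 0;
}
```

Sixteen distinguishable latencies is what reduces the search to 256 tries per byte; a single latency leaves only the accept/reject answer.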
And this is where quantum encryption comes in, if we ever manage to get it to work at a practical level. If you can make a system where the private key is a quantum state, instead of being a classical number, then duplication of the key becomes impossible.
Indeed. This is the problem with much of identity theft. The chain needed to build up an identity is not very secure, and being able to bootstrap up is still far too easy. In principle background checking of the application should occur to sheet home the provenance of the applicant. Perhaps with the ever increasing threats coming from identity theft this might eventually occur. Drivers licences have become the de facto ID in most countries, although they were never intended to be used that way. So there is catchup being played. Passports have always had a higher level of importance and value. But the level of background checking that occurs was clearly pretty minimal when I got my first passport. I needed it for business travel and with nothing more than a letter from my employer was issued almost immediately. I assume nowadays that a lot more happens in the background.
I guess that was sort of my point. It has ceased to be about counterfeiting the document, but about the actions needed to counterfeit the identity that the document purports to identify.
Does the no-cloning theorem allow multiple computations with that state to occur? One can hold a one time pad delivered by a quantum encryption and be sure it has not been duplicated, but can you hold a private key in a useful state? I had always assumed you could not.
Hm, good point. I think you might be able to construct a system where the evolved private quantum state remains unknown, and the public key can be evolved to match it… but I’m way out of my depth, here.
I’m not sure fooling JFK customs is child’s play. If I cross into the USA, even in a remote point in northern NY state, they scan the passport and it tells them everything they know about that passport, which I presume is validated against a database.
I think the point is good that finding some poor schlub who never travels internationally is the best trick. Day of the Jackal used the old “died in infancy” trick in 1965. However, it was one of the first loopholes plugged after 9/11. I would be surprised if perusing the birth certificate is the only validation the passport office does. I would assume they at least check your Social Security records, which should verify age and income and address. Then check the driver’s license database, which I assume the feds have access to in any state. Asking to send the finished passport to a different address from these might set off some alarm. Since not long after 9/11 you’ve needed a passport to cross the Canada-USA border, and I’m guessing the same applies to Mexico? There’s always the risk that your mark may suddenly decide to go to Cancun or Montego Bay.
My understanding of the car key fobs is that the car needs to be completely reprogrammed to accept a new key; so the tough part will be ensuring that not only the key duplicates the existing fob, but that the car recognizes that key.
The early keys would send a rolling code; there’s the joke that Beckham’s BMW X5 was stolen with a laptop trying a range of codes. (Just like old garage door openers could be fooled by sending every code from 0000 to 9999, which was easy to do with electronics broadcasting the entire sequence nonstop.)
There’s the warning that thieves can steal a Tesla by having a WiFi repeater within range of the owner’s phone and the car, if they are close (i.e. in the restaurant parking lot.)
Muammar Gaddafi’s passport supposedly has the “correct” spelling of his name, and that name had to be used no matter where he travelled. If he decided to travel to a country with no connection to Libya, they could still accommodate him (if they didn’t reject him for political reasons, of course). This causes me to think there’s either some sort of database, or every country can connect to every other country’s passport database.
That’s not because the country that accommodated him had access to a global database of all passports or a Libyan database of Libyan passports; rather, it’s because the country that accommodated him was satisfied that the document he presented was a valid Libyan passport from the looks of that document.
As @AK84 said, there is no globally unified database of issued passports, nor is there a network via which all countries can access all other countries’ national databases of issued passports. At least there’s nothing of that sort whose existence is confirmed; we don’t know what kind of databases or data exchange exist confidentially.
What does exist, however, are databases that tell immigration officers what a genuine passport from any given country is supposed to look like. That makes it easier for the officers to make a call whether a document presented to them is genuine or not. See here for such a database maintained by the EU.
By the way, there are some cool features about this database. For instance, you can see samples of the passports issued by the Holy See (basically, the Vatican), which are trilingual: Latin, French and English. So if you want to know how to say “date of expiry” in Latin, there you go (it’s die quo expletur).
My passport has some electronic bar codes that are scanned anytime I leave the country or return. Of course, maybe they’re just copying the data down for later perusal.
A physical passport is a very difficult but not impossible document to forge. It would be harder to forge one (as in render doing so pointless) if there was some way to check the validity of the document electronically. They’d have to do the “guy in that passport office” scenario that I mentioned earlier.
I suppose you’re referring to the machine-readable lines at the bottom of the passport page? That contains only data that can also be found elsewhere in the passport: Document type (passport), country of issuance, name, passport number, date of birth, date of expiry, and check digits. It simply presents this data in a format that can more easily be scanned, and with a lower error rate.
Most countries have now started issuing biometric passports, which contain, in addition to the machine-readable part, an RFID chip that can be read with contactless electronic readers. That chip contains biometric data, namely fingerprints and a picture of the holder’s face. At immigration inspections, self-service kiosks can take the biometric data of the person who’s using a passport and match it against the data on the chip, to see if that person is identical to the legitimate holder of the passport. To my knowledge the data on the chip is encrypted, but that’s still not the same thing as having a global database of all valid passports.
Countries do exchange, however, data on people who are subject to an arrest warrant. When a country’s judicial system issues a warrant for somebody’s arrest, it can request Interpol to issue a red notice, which is essentially a warning that they’re looking for this person. That notice is circulated electronically to other Interpol members, which can update the databases used by their law enforcement agencies so that an alert is triggered when this person’s passport is scanned.
The passport provides a name, and that name is used wherever you use that passport. In the modern world, your ID has to match your flight tickets.
The ‘correct’ spelling is a bit of an issue, since the barcode does not encode all scripts. I don’t think it correctly encodes Arabic script? If not, someone with a name like “Muammar Gaddafi” might have to use the same “incorrect” spelling in other travel documents, particularly when in countries that don’t use Arabic script.