According to the U.S. State Department, the United States stopped issuing passports without RFID chips in August 2007. Close to four dozen other countries also issue e-passports, which are designed around an open international standard.
The information on the chips – name, date of birth, passport number, photo, etc. – is designed to be readable by a radio frequency identification (RFID) reader.
But in a demo given to The Times Online, Jeroen van Beek, a security researcher at the University of Amsterdam, showed how his tool could be used to clone and manipulate the data chips so that they could be planted inside a fake or stolen passport to mask the identity of the passport holder.
This week he released the tool that allows anyone to manipulate data on the passport chips, reports the Washington Post.
From that Times story:
Building on research from the UK, Germany and New Zealand, Mr van Beek has developed a method of reading, cloning and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organisation to test them. It is also the software recommended for use at airports.
A baby boy’s passport chip was altered to contain an image of Osama bin Laden, and the passport of a 36-year-old woman was changed to feature a picture of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. The unlikely identities were chosen so that there could be no suggestion that either Mr van Beek or The Times was faking viable travel documents.
Conceivably, a terrorist or wanted criminal seeking to travel under another name could use van Beek’s tools and method to forge documents because of a widespread lack of security checks needed to enforce the international e-passport standard.
The data encoded on the e-passport chips is signed with cryptographic keys held by the issuing country – thus allowing the issuing country to tell if a citizen had altered the data on the device. The problem is that only 10 of the 45 countries that issue e-passports have agreed to share the public keys that are needed to test the integrity of the data on one another’s passport chips. Worse still, only five countries are actively sharing the data.
As a result, someone who has changed the name or swapped in a new photo on an e-passport chip can simply sign the information using his own personal cryptographic key, and relatively few countries would be able to detect the manipulation, said Adam Laurie, a freelance security researcher with RFIDiot.org, a site that hosts software and research designed to expose holes in RFID technology.
“This is the big problem with the whole thing: It relies on checking the digital signatures of the content on the passport, but if nobody’s checking those signatures, you can’t tell if the data is legitimate,” Laurie said.
“It’s like my giving you an ID card and saying it’s valid only because I say it’s valid”.
For its part, the State Department says the e-passports will be supplemented by other security technologies. For example, the inclusion of the digital photograph on the e-passport chip enables biometric comparison, through the use of facial recognition technology at international borders, the government says.
But in an op-ed published in The Washington Post, Bruce Schneier, a cryptography expert who serves as chief security technology officer for the British telecommunications, warned that researchers would likely discover even more security weaknesses that could be used to defeat the security of the e-passport system.
Credit card skimming works by retrofitting a perfectly legitimate ATM with a camouflaged counterfeit card reader. The counterfeit reader records all of your card’s information as it passes through. Security expert and Cisco Subnet blogger Jamey Heary shows you what to look for before you swipe your card.
California Governor Arnold Schwarzenegger signed an Anti-Skimming RFID Measure this week, but nixed a bill about RFID cards for school kids, reports RFID Journal. California is considering integrating RFID tags into driver’s licenses.
