Within an hour, Jeroen van Beek was able to create a working clone of Britain’s new e-passport. All he needed was a £40 card reader, two £10 RFID chips, and a small, improvised script. Although the exact details were not specified, it appears he read the data off the chip in the real passport with the RFID reader, wrote it bit for bit to the two blank chips, and put those into the fake passports. There is also a weakness that could let outright forgeries slip through: only a handful of the 45 countries issuing e-passports have so far joined the ICAO Public Key Directory, which distributes the country signing certificates a border reader needs in order to check that a passport’s data really was signed by the issuing state.
The government is claiming that this hack is a hoax, but this is not the first public demonstration that the data on these chips can be read and copied. Whatever the truth about this particular demo, the ability to clone or forge these passports and have them accepted would be a serious security issue for every country involved, especially wherever readers do not actually verify the chip’s digital signature.
[Photo: Digital World Tokyo]
[via The Guardian]
It has been a few years since I worked on the passport cards and many of the specifics aren’t fresh in my mind, but it is my recollection that there was very little effort made to protect against cloning. In fact, the Basic Access Control protocol was incredibly weak.
The real trick would be to be able to read the info off, modify it (especially the biometrics) and write yourself a fresh passport. But forging the cryptographic signatures on the files would be a real trick. In other words, this isn’t news. Note that you can also color laser xerox a non-chip passport right now and most places that check it wouldn’t look twice, though that wouldn’t fool an automated passport reader.
Please cut down the hyperbole on the reporting a little bit. Of course you can make a bit for bit copy of electronic passports when neither of the anti-cloning features is enabled. This is nothing new, and was nothing new when Lukas Grunwald was all over the press with it two years ago: http://www.wired.com/science/discoveries/news/2006/08/71521
This in and of itself is *not* a “devastating security issue” since you a) can’t change the data while copying and b) can’t write to the chip that is already included in a real passport. So you still can’t change any bit of the identity (making the copy worthless to anybody but the real owner) and would still need to forge the paper document of the passport. When using the electronics of the chip in this mode it doesn’t add anything to the unforgeability, but also doesn’t take anything away. The electronic passport is still as secure (against cloning) as the underlying paper passport. (It is, however, far more secure against modifications, see below.)
Background: There are several security mechanisms specified in the ICAO specification, most of these optional, except for Passive Authentication. Passive Authentication means that all data in the passport is signed by the issuing country, so it can’t be changed (without invalidating the signature) and you can’t make up completely new passports, only copy existing ones. Active Authentication, on the other hand, is an optional security mechanism that is supposed to be the anti-cloning feature: the chip has a private key that can’t be read out, the public key is stored on the readable part of the passport (and therefore signed by the issuing country). A reader can then perform a challenge-response protocol to prove that the chip knows the private key. When this mechanism is used the passport cannot normally be cloned. However, very few countries actually enable this feature (partly because, as said above, cloning is not really that big of an issue). There is also another similar mechanism (Extended Access Control – Chip Authentication) which also is an anti-cloning feature and is likely to be present in most next-generation passports.
As I said: You can copy but you can’t change the data. At least not without breaking the digital signature protecting it. Now, this of course only matters if the digital signature is actually checked at read time. If van Beek had shown this actually not to be the case in real live passport-checking environments, that certainly would have been something. (Not a technical issue with the passports, of course, but an operational issue.) Note that “[…]only ten of the forty-five countries with e-passports have signed up to the Public Key Directory[…]” is not enough evidence for this, since the ICAO specs state that the relevant keys are to be exchanged by each pair of countries through bilateral diplomatic channels.
Grunwald, by the way, demonstrated (signature invalidating) passport modifications last year when he claimed that there are a number of reader/software combinations out there that process the passport data first, before checking the signature, thereby opening up themselves to all sorts of fun with malformed data (he attacked the JPEG2000 parser): http://www.wired.com/politics/security/news/2007/08/epassport
This bug is as stupid as it is easily fixed: Check the signature before doing *anything* with the data.
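The two mechanisms described in the comment above, Passive Authentication (the issuing state signs the hashes of the data groups) and Active Authentication (a challenge-response against a private key that never leaves the chip), together with the “reader configured to skip the certificate check” situation that comes up later in this thread, as an added example. This is not code from the post, from van Beek, or from any passport project: a textbook RSA over small random primes stands in for the real RSA/ECDSA, the DG1/DG2/DG15/SOD structures are simplified dicts rather than the ASN.1 files a real chip carries, and the MRZ and photo bytes are constructed. It shows why a bit-for-bit clone passes Passive Authentication but fails Active Authentication, why a modified clone fails, and why a self-signed “Republic of Utopia” passport is only accepted by a reader that skips the chain check.

```python
"""Toy model of ICAO e-passport Passive Authentication (PA) and Active
Authentication (AA).  Added example; textbook RSA replaces the real
signature algorithms, data groups and SOD are plain dicts (assumptions)."""
import hashlib
import random

rng = random.Random(2008)  # fixed seed: reproducible toy keys, NOT for real use


def is_probable_prime(n, rounds=16):
    # Miller-Rabin; adequate for demonstration-sized keys
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_keypair(bits=160):
    """(public, private) textbook-RSA keys; modulus > 2**256 so a SHA-256
    digest is signed without reduction.  Far too small for real use."""
    def prime():
        while True:
            p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(p):
                return p
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def sign(priv, data):
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def encode_pub(pub):
    return b"%d:%d" % pub


def hash_list(files):
    # SOD content: each data group name followed by the hash of its contents
    return b"".join(k.encode() + hashlib.sha256(v).digest() for k, v in sorted(files.items()))


def issue_passport(csca_priv, mrz, photo, enable_aa):
    """Issuing state: a Document Signer (DS) key certified by the CSCA signs the
    data-group hashes into the SOD.  With AA, a chip-resident key pair is made
    and its public half is published as DG15, so the signature covers it too."""
    ds_pub, ds_priv = gen_keypair()
    files, aa_priv = {"DG1": mrz, "DG2": photo}, None
    if enable_aa:
        aa_pub, aa_priv = gen_keypair()
        files["DG15"] = encode_pub(aa_pub)
    hashes = hash_list(files)
    sod = {"hashes": hashes, "sig": sign(ds_priv, hashes), "ds_pub": ds_pub,
           "ds_cert_sig": sign(csca_priv, encode_pub(ds_pub))}  # toy DS certificate
    return {"files": files, "sod": sod, "aa_priv": aa_priv}


def clone(passport):
    # Reader + blank chip: every readable file, bit for bit.  No AA private key.
    return {"files": dict(passport["files"]), "sod": dict(passport["sod"]), "aa_priv": None}


def passive_auth(passport, trusted_cscas, check_chain=True):
    """Reader side.  check_chain=False models a reader configured to skip
    certificate validation: it then accepts any self-signed 'country'."""
    sod = passport["sod"]
    if check_chain and not any(verify(c, encode_pub(sod["ds_pub"]), sod["ds_cert_sig"])
                               for c in trusted_cscas):
        return False
    if not verify(sod["ds_pub"], sod["hashes"], sod["sig"]):
        return False
    return hash_list(passport["files"]) == sod["hashes"]


def active_auth(passport):
    """Challenge-response against the key in DG15.  None when the issuing state
    did not enable AA: the reader then has no way to tell a clone apart."""
    if "DG15" not in passport["files"]:
        return None
    nonce = random.getrandbits(64).to_bytes(8, "big")
    if passport["aa_priv"] is None:
        return False  # the clone cannot answer the challenge
    aa_pub = tuple(int(x) for x in passport["files"]["DG15"].split(b":"))
    return verify(aa_pub, nonce, sign(passport["aa_priv"], nonce))


def demo():
    csca_pub, csca_priv = gen_keypair()  # issuing state's root (CSCA) key
    trusted = [csca_pub]                  # what the reader obtained via PKD or bilateral exchange
    mrz = b"P<GBRSMITH<<JOHN<<<<<<<<<<<<<<<<<<<<<<<<<<<<"  # constructed sample DG1
    real = issue_passport(csca_priv, mrz, b"constructed photo bytes", enable_aa=True)
    copy = clone(real)
    tampered = clone(real)
    tampered["files"]["DG1"] = mrz.replace(b"SMITH", b"JONES")
    _, forger_csca_priv = gen_keypair()   # forger's own self-made "country" key
    forged = issue_passport(forger_csca_priv, b"P<UTOREPUBLIC<<OF<<UTOPIA", b"photo", enable_aa=False)
    return {
        "real": (passive_auth(real, trusted), active_auth(real)),        # (True, True)
        "clone": (passive_auth(copy, trusted), active_auth(copy)),       # (True, False)
        "tampered": passive_auth(tampered, trusted),                     # False
        "forged_strict": passive_auth(forged, trusted),                  # False
        "forged_lax": passive_auth(forged, trusted, check_chain=False),  # True
    }
```

Run `demo()` to get the five outcomes. The clone case is the one the news story is about: Passive Authentication is satisfied because nothing was changed, and only Active Authentication (if the issuing state enabled it) reveals that the chip cannot answer a challenge. The `forged_lax` case is the operational failure that would actually matter: a reader that skips the CSCA chain check accepts a self-signed document.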
The problem with allowing anyone to read off data from the passport is, it is now easy to target an IED at a specific nationality, just like this demo shows:
http://www.wired.com/science/discoveries/multimedia/2006/08/71521?slide=1&slideView=3
Or a marketing guy can sit in the airport and gather a list of people.
Even though it might be hard to forge, this is still a real problem in my opinion.
My point is that my normal paper passport hardly contains any information that I consider as being private. The new passports WILL contain privacy sensitive information.
So IF the new passports will contain information that I consider private, I feel that it is my right to demand that this information cannot be retrieved by parties that I don’t want to give this information to (other than physically stealing my one and only passport and using it directly).
The thing is that this data remains valid for the rest of my life (it’s biometric data). So decrypting the data might take months, even years. But once it HAS been decrypted, I cannot change any of my body’s parameters to make that data worthless.
That means that a privacy breach in these biometric passports could potentially haunt me for the rest of my life.
Anyone else get the impression that the second poster works for whatever company was tasked with BSing the governments into believing their junk technology was ‘unhackable?’
Why don’t you stop googling your worthless product, get off the computer, and actually spend that time making your chips secure, instead of berating the press and hackers for blowing the whistle on your insecure junk technology?
How much is it going to cost you in damage control compared to what it would have cost you to do some real R & D into making these secure in the first place? Of course, the government will subsidize your damage control, so what do you care?
But, you’re right, it really isn’t news, because we told you it was going to happen.
All the more reason that my new passport took a quick trip in the microwave for 5 seconds.
It’s really easy to get a fake passport anyway; all it takes is a deceased person’s birth cert, a trip to the DMV… I won’t get into it, but this isn’t new or a huge security problem.
Haha. I just have to say that I used that same picture not too long ago, cause it’s the first good thing that comes up when you do a google image search for RFID.
Well, ok: passport data is signed using a digital certificate to prevent forgery, so the guy created ‘fake’ passport data using a self-signed certificate and configured the Golden Reader to skip checking certificate validity… where’s the flaw? Of course if you configure your reading software to skip security checks it will tell you nothing’s wrong!
The real issue is not the passport cloning or fake passports, but the fact that actual validity of the data is not really checked by customs, as the article rightly points out. Everyone who works in the e-passport industry has seen people (or done so themselves) go through customs with specimen passports issued by the “Republic of Utopia”, it’s a running joke in the industry…
@scott mcdonnell,
Clearly #2 is familiar with the specs and therefore probably works in the field. Is his expertise a reason to distrust him?
@peter de vroomen,
What is the private data on these that is so damaging? It doesn’t contain an image of your fingerprints, it contains a template, which is (generally) a set of vectors calculated from your fingerprints. There has been some research into reversing a template into fingerprints. With some formats it is possible to get an image that can match to the template but does not resemble a natural fingerprint in any way. So someone can’t use the template to make a copy of your fingerprint and place it at a crime scene. Besides, you leave your fingerprints all over every day. It isn’t tough for someone that wants a copy of them to pick up some trash you’ve just discarded. Much easier than hacking your passport.
“Clearly #2 is familiar with the specs and therefore probably works in the field. Is his expertise a reason to distrust him?”
I am sure that he is and I am sure that he does.
That was my point, wasn’t it?
And yes, it is.
“What is the private data on these that is so damaging? It doesn’t contain an image of your fingerprints, it contains a template, which is (generally) a set of vectors calculated from your fingerprints. There has been some research into reversing a template into fingerprints.”
If the ‘template’ is all the government needs to match up with an image, then what does the actual data matter? If a big shiny red dot were all the information that a government used to identify you, wouldn’t someone else wearing a big red shiny dot be a threat to you?
See, that’s the whole PR spin about this: it contains ‘x’ data, therefore, what’s the problem? The problem is that your identity is being reduced to a barcode and technology is being relied on to authenticate your identity with that barcode. person y gets that barcode, person y becomes you.
They swipe their fake passport on a low security scanner at Walmart, murder everyone in the store, and guess who they say was there?
I don’t suspect people like you are naive. I suspect that you have a vested interest in people accepting this technology as safe. I don’t mean to sound like a jerk, but I couldn’t care less if you lose your job when it involves misleading people.
@John Harrison(#10): In fact the passport *does* contain an image of the fingerprint. That’s because this is supposed to be internationally interoperable, and they couldn’t standardize a template format that would be useful to everybody. So they simply store a full-fledged digital image of the fingerprint (JPEG2000 18kB per finger, in Germany at least) and let each country use their fingerprint matching vendor of choice. In principle this shouldn’t be too much of a problem since the fingerprint is protected against reading by Extended Access Control – Terminal Authentication (e.g. the terminal must authenticate with a card verifiable certificate that was issued by the state that issued the passport), but … see below.
@Scott McDonnell: No, I don’t work in the field and don’t have any stakes in it, I just have a strong natural aversion against wrongful statements. In fact, I wholeheartedly agree with the first part of Peter de Vroomen’s post and would like to have the whole e-Passport nonsense stopped rather sooner than later.
However, I have looked at the specifications, implemented a reader software as a hobby project and also cloned a passport myself (for demonstration, and yes, even though I was not prepared, it took about 1 hour to whip up the software for this, given my own reader tool). Therefore I do know what I’m talking about: The electronic passport stuff is mostly useless and has lots of problems. Cloning is not one of them.
Let me explain those three points in order:
++ “electronic passports are useless”: This comes by way of our own (I’m German) former minister of the interior, Otto Schily. Apparently he kind of confused his position with that of the minister of economic affairs and more or less singlehandedly got the European Union to demand electronic passports from all member countries (through the council of ministers, without any involvement of any democratically elected body). His cunning plan was to make sure that German firms producing the electronic passport had some head start so that the passport technology then would become an export hit.
Though, of course, the electronic passport thing is also related to what Bruce Schneier calls one of his “favorite logical fallacies”: “We must do something. This is something. Therefore, we must do it.”
That’s the “why” we have this train wreck of a technology imposed on us. Here’s the “how” it is useless: Schily often advertised his electronic passport plan with terrorism prevention, with which it obviously has nothing to do (case in point: all of the attackers of 9/11 had proper passports, even though Schily would have liked you to believe otherwise, but that is a story for a different post). Also there is no “terrorist” flag on the passport that would distinguish the passports of terrorists from the passports of ordinary citizens (RFC 3514, anyone?). Also the passport is still fully valid even when the chip is broken, thereby negating any imaginary security benefit. And of course: Our German passports were already the most secure passports in the world. (A parliamentary inquiry in 2007 revealed that there were exactly 6 cases of forged passports between 2001 and 2006, none involving any terrorists.)
++ “electronic passports are full of problems”: Not enough that states now get away with treating all their citizens like potential criminals (fingerprinting), and prepare them for any and all potential repressive measures there might come in the future. The potential privacy risks are endless, as are the opportunities for major implementation errors. For example: Basic Access Control (which normally prevents anybody who has not seen your machine readable zone from electronically reading your passport over the air) is nice but could have been better (for the new German ID card they have developed a new protocol, PACE, which looks much better in this regard; sadly, the German eID will still support BAC as an alternative), and prone to entropy problems, see U.K. and the Netherlands. Also it doesn’t protect enough against brute-forcing sniffed transactions with a valid reader (approx. 56 bits of entropy won’t be enough for the next 10 years).
Then there are some states who don’t use random UIDs on their passports, thereby making these easy to track *without*any*authentication*whatsoever* and bringing privacy problems to the next level. Active ‘OS fingerprinting’ sadly always works, so even if your state is not homi/suicidal you might still be targeted through your passport’s country identification.
And even if everything works as designed and planned, it is still undesirable. Anybody who reads your passport gets a full set of interesting information, including a biometrics ready photo (and when the reader has a valid certificate: fingerprints), officially signed by the issuing state. Once this information is read, the reader is free to do whatever it desires. Rogue states (like the U.S.A.) tend to store this information forever and share it with whomever they want to. It doesn’t require a long stretch of imagination to see instances where immigration officials might want to sell this information to identity thieves. And of course: the electronic passport is only a symptom of a much larger privacy/civil rights crisis. E.g. the United States would collect and store all this information anyway (so my advice is: avoid flying to or through the U.S. or Japan at all costs), but this makes it slightly easier to justify.
++ “cloning is not really a problem”: That you can clone passports where the anti-cloning feature is not used has been known forever, was not concealed (except from some politicians who don’t read the issues that they vote on) and is not really a problem. You can’t store the cloned data on the chip that is already included in a passport, so whatever you do, it is equivalent to modifying a passport without upsetting any of the conventional anti-forgery features. This is no different from trying to change the name or picture on a conventional passport. (Granted: There is a certain effect where the immigration officer is less likely to closely inspect the physical passport if his computer tells him that everything is ok. This belongs in the “useless” and “full of problems” categories.)
So my roundabout advice when getting a new passport:
A) don’t use a biometrically useful photograph. Instead try to modify it so that it will become useless for biometric purposes, e.g. by varying the distance between the eyes, moving the mouth a bit, etc. (the IWarp tool in GIMP is great for that!). If you do that carefully enough it shouldn’t be visible to a human inspector. (For a funny story about this see http://www.phenoelit.net/lablog/inputValidation.sl ) This is solely a cautionary measure as you will see in point C).
B) Try something to not get your fingerprints recorded. Research into what works best here is still outstanding, but feigning an accident where you got superglue onto all of your fingers seems like a good start.
C) Destroy the chip in your passport to prevent anybody from getting the digitally signed information (and also eliminate all tracking problems). Microwaving is not such a good idea because it does tend to leave very visible marks if you do it wrong: http://www.buzzsurf.com/toastedrfid/images/paypass_microwave4.jpg Physical stress (e.g. take it with you in your back pocket and sit on it whenever you can, a few carefully aimed hits with a hammer might also work) is less likely to arouse suspicion, but also less reliable, so you’d need an RFID reader to confirm whether it worked. By far the best option is to build and use an RFID zapper, which also is in line with the theme of this blog.
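The Basic Access Control entropy point made in the comment above (BAC keys are derived from nothing but three MRZ fields, so a sniffed transaction can be brute-forced by enumerating plausible MRZs), as an added example. This is not code from the post or from the commenter’s reader tool. It follows the key derivation of ICAO Doc 9303 Part 11 and uses that document’s worked-example MRZ values (document number L898902C, date of birth 690806, expiry 940623). One simplification is an assumption: a real attacker checks each candidate Kmac against the retail MAC on a sniffed Mutual Authenticate command, which needs 3DES; since that is not in the Python standard library, the brute-force routine below compares the derived Kmac directly as a stand-in for that check.

```python
"""ICAO 9303 BAC key derivation from the MRZ, plus a toy brute force.
Added example.  Assumption: direct Kmac comparison stands in for the
3DES retail-MAC check an attacker would run on a sniffed transaction."""
import hashlib
import itertools
import math
import string

ALPHANUM = string.digits + string.ascii_uppercase  # 36 legal document-number characters


def mrz_check_digit(field):
    """7-3-1 weighted check digit; A..Z count as 10..35 and '<' as 0."""
    value = lambda ch: 0 if ch == "<" else int(ch, 36)
    total = sum(value(ch) * w for ch, w in zip(field, itertools.cycle((7, 3, 1))))
    return str(total % 10)


def mrz_information(doc_number, dob, expiry):
    """The 24 MRZ characters that seed BAC: each field plus its check digit."""
    return "".join(f + mrz_check_digit(f) for f in (doc_number.ljust(9, "<"), dob, expiry))


def adjust_parity(key):
    # 3DES keys carry odd parity per byte: flip the low bit where parity is even
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def derive_bac_keys(mrz_info):
    """Kseed = SHA-1(MRZ_information)[:16]; Kenc, Kmac = SHA-1(Kseed || c)[:16]
    with c = 1 and c = 2, parity adjusted.  Returns (Kseed, Kenc, Kmac)."""
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    kenc = adjust_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x01").digest()[:16])
    kmac = adjust_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x02").digest()[:16])
    return kseed, kenc, kmac


def keyspace_bits(doc_number_candidates, dob_days, expiry_days):
    """Upper bound on BAC key entropy: the key is a deterministic function of
    three MRZ fields, so it cannot exceed the size of the candidate set.  Known
    numbering schemes and issue/expiry patterns shrink each factor."""
    return math.log2(doc_number_candidates * dob_days * expiry_days)


def brute_force_doc_number(target_kmac, known_prefix, dob, expiry, unknown_positions):
    """Enumerate the unknown document-number characters for a known DOB and
    expiry; return the MRZ information whose Kmac matches (stand-in for the
    MAC check on a sniffed command), or None."""
    for tail in itertools.product(ALPHANUM, repeat=unknown_positions):
        info = mrz_information(known_prefix + "".join(tail), dob, expiry)
        if derive_bac_keys(info)[2] == target_kmac:
            return info
    return None


def demo():
    # ICAO 9303 worked-example values; an eavesdropper who knows the holder's
    # DOB and expiry and all but two document-number characters recovers the key
    info = mrz_information("L898902C", "690806", "940623")
    kseed, kenc, kmac = derive_bac_keys(info)
    recovered = brute_force_doc_number(kmac, "L89890", "690806", "940623", 2)
    return info, kseed.hex().upper(), kenc.hex().upper(), kmac.hex().upper(), recovered
```

`keyspace_bits(36**9, 36500, 3650)` gives the theoretical ceiling of about 73.5 bits for a fully random nine-character document number, a hundred-year birth-date window and a ten-year validity window; every structural regularity an issuing state introduces (sequential numbers, issue dates clustered by office, a holder whose age you can estimate at the gate) comes straight off that figure, which is how the entropy estimates for the UK and Dutch passports mentioned above were obtained.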
I agree with henryk. it’s a stupid idea pushed by politicians for really no good reason other than to look like a solution to no problem at all.
This is just another tool in the overall scheme of things. Oh no, terrorism is a problem, let’s upgrade security. “Oh, we found out that this RFID technology is not as safe as we thought, oh well… here’s another similar technology that will benefit us somehow as a human race… just slip this chip underneath your skin… ahh, that’s better.” Let’s wait until this is proven insecure as well. In the meantime we can track you wherever you are and see where you go. Worthless shit..
tsss lame.
Finally, this RFID chip is just kinda… useless.
Sadly, it seems to be just another case of, “…oh, we didn’t think that one through guys ”
E-passports cracked, hacked and ‘jacked’ – so what! Next it will be e-travel cards, contactless credit cards, ‘secure’ door entry passes and then smartphones. My advice…
MAKE YOURSELF INVISIBLE – what they can’t see, they can’t steal!!!
You can try a low-cost DIY RFID shielding option, or pay a few quid for a pack of eBay anti-skim (RFID blocking) sleeves. (Further info at: http://www.trackandshield.wordpress.com)
As I see it, in a not too distant future there’ll be a simple choice to make – either opt out of using ‘contactless’ kit completely, or protect your personal data as best you can. But, is there really any excuse for not knowing how to do this anymore?