[ISN] ePassports 'at risk' from cloning

From: InfoSec News (alerts@private)
Date: Mon Dec 18 2006 - 02:04:45 PST


http://news.bbc.co.uk/1/hi/programmes/click_online/6182207.stm

By David Reid
Reporter, BBC Click
15 December 2006

The ePassport is one of the many measures pursued by the United States 
and governments internationally after the horror of 11 September.

It will, we are promised, keep the unwanted and dangerous outside our 
borders, while streamlining entry for those welcome to come and visit.

But as the implementation of the scheme gets underway it is becoming 
clear that there could be serious problems with it.

With the old passport, we knew where we stood. If you lost it you knew 
you had lost it, but with the new, machine readable passports the story 
is very different.

When you take a digital photo the image is, in effect, a code, which 
means that however many prints you make they are all exactly the same.


Five-minute replica

So when Lukas Grunwald and Christian Bottger realised they could clone 
the new ePassport they were pretty sure it would be identical to the 
original, and undetectable. So how did they do it?

The chip inside the ePassport is a Radio Frequency Identification (RFID) 
chip of the type poised to replace the barcode in supermarkets.

The good thing about RFID chips is that they emit radio signals that can 
be read at a short distance by an electronic reader.

But this is also the bad thing about them because, as Lukas demonstrated 
to me, he can easily download the data from his passport using an RFID 
reader he got for 200 Euros on eBay.

Lukas is less forthcoming about where he got what is called the Golden 
Reader Tool: it is the software used by border police, and it allows him 
to read the chip on his ePassport, including the photo.

Now for the clever bit. Thanks to software he developed himself, called 
RFdump, he downloads the passport's data onto his computer and then onto 
a blank chip.

Using a standard off-the-shelf component you can just buy at a component 
store you can have a cloned ePassport in less than five minutes.


Security risks

When the cloned ePassport is read and compared to the original one it 
behaves exactly the same.

The UK Home Office however dismissed the ability to get hold of the 
information on the chip.

A spokesman said: "It is hard to see why anyone would want to access the 
information on the chip.

"Other than the photograph, which could be obtained easily by other 
means, they would gain no information that they did not already have - 
so the whole exercise would be pointless: the only information stored on 
the ePassport chip is the basic information you can see on the personal 
details page."

The spokesman said the chip was one part of the security features of the 
ePassport.

He said: "Being able to copy this does not mean that the passport can be 
forged or imitated for illegal or unauthorised use.

"British ePassports are designed in such a way as to make chip 
substitution virtually impossible and the security features of the 
passport render the forgery of the complete document impractical."

According to Lukas Grunwald of the consulting company DN-Systems an 
ePassport holder is more at risk from someone trying to steal their 
data.

"Nearly every country issuing this passport has a few security experts 
who are yelling at the top of their lungs and trying to shout out: 'This 
is not secure. This is not a good idea to use this technology'".

DN-Systems' Christian Böttger also believes the system was set up in a 
hurry.

"It is much too complicated. It is in places done the wrong way round - 
reading data first, parsing data, interpreting data, then verifying 
whether it is right.

"There are lots of technical flaws in it and there are things that have 
just been forgotten, so it is basically not doing what it is supposed to 
do. It is supposed to get a higher security level. It is not," he said.


Danger

A European Union funded network of IT security experts has also come out 
against the ePassport scheme.

Researchers working within the Future of Identity in the Information 
Society (FIDIS) network say European governments have forced a document 
on their citizens that dramatically decreases security and increases the 
risk of identity theft.

RFID chips can be read at a short distance and tracked without their 
owner's knowledge, while the key to unlocking the passport's chip 
consists of details actually printed on the passport itself.

It is almost like writing your PIN on the back of your cashpoint card.

"The basic access control mechanism works based on information like the 
number of the passport, the name of the passport holder, the date of 
birth and then other data which are simply readable by anyone who looks 
on the passport," said Professor Kai Rannenberg of Frankfurt University.

"If you have that information and put the respective software into the 
reader, the reader can overcome the basic access control of the 
passport."
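The key derivation behind the point made above, as an added example that is not part of the article: under ICAO 9303 the Basic Access Control key seed is SHA-1 over the document number, date of birth and date of expiry, each followed by its MRZ check digit, so whoever can read the printed data page already holds every input to the session keys. The input values in the test are the worked-example values published in the ICAO 9303 specification, not a real passport; function names are this example's own.

```python
import hashlib

# ICAO 9303 check digit: weights 7,3,1 repeat across the field; digits count
# as their value, letters A-Z as 10-35, the filler '<' as 0.
def mrz_check_digit(field: str) -> str:
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            val = int(ch)
        elif ch.isalpha():
            val = ord(ch.upper()) - ord('A') + 10
        elif ch == '<':
            val = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += val * weights[i % 3]
    return str(total % 10)

def bac_key_seed(doc_number: str, birth_date: str, expiry_date: str) -> bytes:
    """Kseed = first 16 bytes of SHA-1 over the three MRZ fields plus check digits.
    Dates are YYMMDD as printed in the MRZ; the document number is padded to 9."""
    doc_number = doc_number.ljust(9, '<')
    mrz_info = (doc_number + mrz_check_digit(doc_number)
                + birth_date + mrz_check_digit(birth_date)
                + expiry_date + mrz_check_digit(expiry_date))
    return hashlib.sha1(mrz_info.encode('ascii')).digest()[:16]

def _adjust_parity(key: bytes) -> bytes:
    """3DES keys carry odd parity: set each byte's low bit so it has an odd
    number of one bits."""
    out = bytearray()
    for b in key:
        upper_ones = bin(b >> 1).count('1')
        out.append((b & 0xFE) | (1 if upper_ones % 2 == 0 else 0))
    return bytes(out)

def derive_bac_keys(kseed: bytes) -> tuple:
    """Kenc uses counter 1, Kmac counter 2: SHA-1(Kseed || counter)[:16],
    parity-adjusted. Nothing secret enters here beyond the printed MRZ."""
    keys = []
    for counter in (1, 2):
        h = hashlib.sha1(kseed + counter.to_bytes(4, 'big')).digest()
        keys.append(_adjust_parity(h[:16]))
    return keys[0], keys[1]
```

The whole key space is therefore bounded by the entropy of a document number and two dates, which is why the quoted researchers compare it to a PIN written on the card.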

The experts say it is not too late to roll back and rethink the 
ePassport.

If not, the danger is obvious - that a scheme, the declared aim of which 
is to increase our security, could well do the exact opposite.


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn