E-passports already failing at security tests

It did not take long. The electronic passport, which several countries actively defend (particularly the United States of America, which tells us it will be the ultimate weapon against terrorists and fraudsters) and are preparing for full distribution, met a string of very significant problems last week at the Black Hat convention in Las Vegas.

First, a German hacker, Lukas Grunwald, proved that it is possible to reproduce the individual electronic code of the passport (this is the end of the proven unfalsifiable identification). He only needed the public documentation of ICAO (International Civil Aviation Organisation) and a freely available ePassport reader with its freely available software. Then, in a matter of minutes, he simply made a copy of an existing passport (more precisely, of the electronic part of the passport: the RFID chip that is integrated into the passport and is intended to be read from some distance). A simple copy of the electronic contents of the passport should make it easy to forge a full passport (think of an air pirate needing a forgery good enough to let him pass unrecognized through the check-in controls of a busy international airport). The worst part is that all the information comes from public documentation and the hardware can be bought readily.

Furthermore, we should remember that the electronic data is easily accessible from a distance (contactless reading and data exchange) thanks to the properties of the RFID chip. Authorities tell us that the bearer of the passport will choose when his/her passport will be read.

But here comes the second problem, or the second failure. How does the bearer protect herself against illegal or fraudulent access to her passport data? Remember that just passing in front of a small, inconspicuous machine reader is enough for the passport to be read. Nobody will ask you to take it out of your pocket. So the second issue (and the most worrisome) is that somebody could easily steal your passport data and you wouldn’t know. Or, even worse, a terrorist may decide to build a bomb that could explode if it detects a specific passport. We are not far from the bomb targeting American passports. Wouldn’t it be interesting for certain types of terrorists?

Sure! You can wrap your passport in aluminium foil (do you remember the “tinfoil hat” of our younger years?), but can you see yourself unwrapping tinfoil every time you go through airport security (and remembering to do the opposite just afterwards), just to protect yourself against fraudulent usage? We are told that passports could come with an integrated tinfoil cover. Then where is the distance reading of the passport? Where is the advantage compared to the simpler, easier optical reading?

Deployment has already started in some countries. I wouldn’t bet that this is a reliable, reassuringly simple technology. Would you?
