Cloning an electronic passport

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

In a public demonstration at the Black Hat security conference in Las Vegas
on 3 August 2006, Lukas Grunwald’s, CTO of German security consultancy
DN-Systems Enterprise Internet Solutions, made a demonstration on how
electronic passports could be cloned. The industry that produces the
passports has denied the allegations.

The German consultant made a demonstration showing the data on the
e-passport chip can be easily copied. He has shown that the data can be
transferred onto a blank chip that can then be inserted into a blank
document looking like the original passport to the electronic passport
reader.

Thus, a terrorist could use a passport with his/her real name and
picture including a fake chip with different information copied from someone
else’s passport and could pass through an electronic screening system.
Grunwald made the demonstration on a new European Union German passport,
but the method could be used on any type of new electronic passport. He
considered that: “From my point of view all of these (biometric) passports
are a huge waste of money – they’re not increasing security at all.”

However, the Smart Card Alliance states e-passports are secure and almost
impossible to counterfeit as they are based on several security layers.
Although presently the data on the chip is not encrypted, it is digitally
signed by the authority issuing the passport making any changes “visible” at
a passport control.

Grunwald’s counterfeiting technique needs the possession of the original
passport that cannot be cloned from someone’s pocket or bag. The e-passport
has a feature called Basic Access Control that requires the unlocking of the
RFID chip by officials by means of a unique key printed in the passport
page.

Frank Moss, deputy assistant secretary of state for passport services at the
State Department, said the digital photo of the passport holder and the
physical inspection of passports would prevent the use of faked passports.

Referring to Lukas Grunwald Moss said: “What this person has done is neither
unexpected nor really all that remarkable. The chip is not in and of itself
a silver bullet…. It’s an additional means of verifying that the person
who is carrying the passport is the person to whom that passport was issued
by the relevant government.” On the other hand, he stated there were,
however, countries that considered eliminating the human inspection and
using only the electronic automated inspection.

Another concern expressed at the Black Hat Conference was related to the
fact that, although protected by a metal fiber embedded in the front cover,
an e-passport could be spied on by a reader if it is even very slightly
open.

Industry group defends e-passports (11.08.06)
http://www.theregister.co.uk/2006/08/11/e-passports_defended/

Hackers crack new biometric passports (07.08.06)
http://www.guardian.co.uk/frontpage/story/0,,1838753,00.html

e-passport cloning risks exposed (04.08.06)
http://www.theregister.co.uk/2006/08/04/e-passport_hack_attack/

Hackers Clone E-Passports (03.08.06)
http://www.wired.com/news/technology/0,71521-0.html