Cloning e-passports

By EDRi · August 27, 2008

(This article is also available in German)

Jeroen van Beek, a computer researcher at the University of Amsterdam, has
shown in tests conducted for The Times that the new micro-chipped
passports, introduced in the UK to protect against terrorism and organised
crime, can be easily cloned.

The researcher cloned the chips of two British passports, inserted pictures
of Osama bin Laden and a suicide bomber into them, and passed the cloned
chips off as genuine through Golden Reader, the standard passport reader
software used by the UN agency that sets standards for e-passports, which is
also recommended for use at airports. The cloning operation took less than
an hour. Van Beek based his cloning method on previous research carried out
in the UK, Germany and New Zealand.

The micro-chipped passports contain a small radio frequency chip and an
antenna attached to the back page of the passport. The chip responds to an
encrypted signal sent by an electronic reader by sending the holder’s ID
and biometric details back to the reader. A copied chip could therefore be
palmed at an unattended reader, or a copy of a passport that has not even
been stolen could be used if the bearer resembled the original holder.

In response to concerns about the safety of the data on e-passports, the
Home Office has always argued that faked chips can be discovered at border
checkpoints because, when checked against an international database, they
would not match the key. The e-passports are protected by a digital
signature which, if altered, causes the reader to reject the passport.
Validating the signatures on e-passports requires either the exchange of PKI
certificates between the authorities of the issuing countries or the use of
ICAO’s PKD (Public Key Directory) system. However, the ICAO PKD system is
not universally used and many countries, the UK included, rely on the
bilateral exchange of certificates with other countries.

The Dutch researcher not only changed the data on the e-passports but also
succeeded in writing a new signature that will pass through the system
under certain circumstances. Depending on the reader’s capabilities, on the
exchange of certificates between countries and on whether the PKD is used,
the signature might not even be checked.
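
The dependency described above, as an added sketch that is not from the
original article or from van Beek's work: a reader can only tell a re-signed
chip from a genuine one if it holds the issuing country's key, so a missing
certificate has to fail closed. It assumes a simplified chip that carries
its signer's public key; the toy unpadded RSA, the keys, the function names
and the sample chips are all constructed for illustration.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (toy, unpadded; illustration only)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def make_chip(country, data, key):
    # Simplified chip: data, signature over the data, signer's public key.
    return {"country": country, "data": data, "sig": sign(data, key),
            "signer": (key["n"], key["e"])}

def check_chip(chip, trust_store, fail_open=False):
    """Reader-side decision; trust_store maps country -> trusted public key."""
    n, e = chip["signer"]
    if pow(chip["sig"], e, n) != digest(chip["data"], n):
        return "REJECTED"  # data no longer matches the signature
    anchor = trust_store.get(chip["country"])
    if anchor is None:
        # No certificate exchanged for this country: the signer's identity
        # cannot be checked, only the chip's internal consistency.
        return "ACCEPTED_UNCHECKED" if fail_open else "UNVERIFIED"
    return "VALID" if anchor == chip["signer"] else "REJECTED"

# Constructed sample keys (built from Mersenne primes) and sample chips.
ISSUER = make_key(2**61 - 1, 2**89 - 1)
OTHER = make_key(2**107 - 1, 2**127 - 1)   # a key the issuer never certified
genuine = make_chip("GBR", b"name=A. Holder;photo=holder.jpg", ISSUER)
tampered = dict(genuine, data=b"name=A. Holder;photo=other.jpg")
resigned = make_chip("GBR", tampered["data"], OTHER)

with_anchor = {"GBR": (ISSUER["n"], ISSUER["e"])}
without_anchor = {}   # reader that never received the issuer's certificate

if __name__ == "__main__":
    for name, chip in [("genuine", genuine), ("tampered", tampered),
                       ("resigned", resigned)]:
        print(name, check_chip(chip, with_anchor),
              check_chip(chip, without_anchor),
              check_chip(chip, without_anchor, fail_open=True))
```

Only the reader holding the issuer's key can reject the re-signed chip; the
fail-closed reader without it reports the chip as unverified instead of
accepting it.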

“We’re not claiming that terrorists are able to do this to all passports
today or that they will be able to do it tomorrow (…) But it does raise
concerns over security that need to be addressed in a more public and open
way,” said Mr van Beek.

The flaws also contradict the Home Office’s claims that the 3 000 blank
passports that were stolen last week were worthless, and raise questions
about the Government’s 4 billion pound ID scheme, which uses the same
biometric technology. Dominic Grieve, the Shadow Home Secretary, has asked
ministers to take urgent measures to fix the security flaws. “It is of
deep concern that the technology underpinning a key part of the UK’s
security can be compromised so easily,” said Grieve.

Researcher gives Elvis and bin Laden fake e-passports (6.08.2008)
http://www.theregister.co.uk/2008/08/06/epassport_alteration_demo/

‘Fakeproof’ e-passport is cloned in minutes (6.08.2008)
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece

How to clone the copy-friendly biometric passport (4.08.2006)
http://www.theregister.co.uk/2006/08/04/cloning_epassports/

How to clone a biometric passport while it’s still in the bag (6.03.2007)
http://www.theregister.co.uk/2007/03/06/daily_mail_passport_clone/