The electronic passports (ePassports) that have been issued to U.S. citizens since 2007 are said to be fraud proof, thanks to various security measures, including an RFID chip that stores information. The Hackers Choice (THC) however, claims that the security on these chips is weak, and easily fooled.
The fraud-proof security on ePassports was recently proven pointless.(IMG:J.Anderson)
THC has released a tool called ePassport emulator, which allows one to “create a backup of your own passport chip.” You can also use the tool for modification. For example, if you don't like your picture, you can change it. Or, if you don’t want someone to know your real name, then change that too -- all with this simple-to-use tool and its easy-to-follow instructions.
The information stored on these “secure” chips is the same as on a real passport. The chip holds your name, city of residence, birthday, gender, nationality, and photo. THC reports that the security problem lies with the crypto-key used on the ePassport chip.
Because passport terminals allow self-signed data, the altered chips are still reported as valid. Adding to this is the Golden Reader, something used by the International Civil Aviation Organization to test the ePassports, and the same reader recommended for use at airports.
The fraud detection is supposed to work by checking a crypto-key that the chip is signed with. However, according to research by The Washington Post, only 10 out of the 45 countries who issue ePassports agreed to share their public keys, and only half that number actually have shared them. This leads to the reasoning behind the Golden Reader allowing self-signed keys.
“Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors,” THC said, listing several points as to why trusting a CA to deal with the security is a bad idea.
The potential harm listed by THC is the stuff of movie legend, such as Smart-IED (Improvised Explosive Device).
“Thanks to the ePassports is it now possible to build Smart-IED's. A Smart-IED waits until a specific person passes by before detonating or let’s says until there are more than 10 Americans in the room. Boom.”
Yet, the hack opens up more realistic uses. As mentioned, the tool allows you to modify the chip's content to match what is presented on paper. Since most travelers can tell you passport screeners rarely give a second glance, relying on the chip alone can be dangerous. After all, if the chip says you're okay, then why would a screener doubt the security technology and hold up the line?
The Times Online posted the results of completed testing, which proves that THC’s work is legit.
“Using his own software, a publicly available programming code, a £40 card reader and two £10 RFID chips, Mr van Beek took less than an hour to clone and manipulate two passport chips to a level at which they were ready to be planted inside fake or stolen paper passports,” reports the Times Online article.
“A baby boy’s passport chip was altered to contain an image of Osama bin Laden, and the passport of a 36-year-old woman was changed to feature a picture of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. The unlikely identities were chosen so that there could be no suggestion that either Mr van Beek or The Times was faking viable travel documents.”
The passports were scanned, and both reported to be legit with no alterations.
“So what's the solution?” THC asks. “We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.”
Interested in a more interactive TTH? Join our Facebook Group Want regular updates from The Tech Herald? Follow us on Twitter
Comment on this Story