You are currently browsing EDRi's old website. Our new website is available at https://edri.org

If you wish to help EDRI promote digital rights, please consider making a private donation.


Flattr this

logo

EDRi booklets

Cloning e-passports

27 August, 2008
» 

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

Jeroen van Beek, a computer researcher at the University of Amsterdam, has shown in some tests conducted for The Times that the new micro-chipped passports, introduced in UK to protect against terrorism and organised crime, can be easily cloned.

The researcher has succeeded in cloning the chips of two British passports in which he introduced the pictures of Osama bin Laden and a suicide bomber and in passing the cloned chips as genuine through Golden Reader, which is the standard passport reader software used by the UN agency setting standards for e-passports and which is also recommended for use at airports. The cloning operation took less than an hour. Van Beek developed his cloning method based on previous researches made in UK, Germany and New Zealand.

The micro-chipped passports contain a small radio frequency chip and an antenna attached to the back page of the passport. The chip responds to an encrypted signal sent by an electronic reader, by sending the holder's ID and the biometric details back to the reader. Therefore, a copied chip could be palmed at an unattended reader or a copy of a passport that hasn't even been stolen could be used if the bearer resembled the original holder.

To any concerns expressed in relation to the safety of the data on the e-passports, the Home Office has always argued that faked chips can be discovered at border checkpoints because, when checked against an international database, they would not match the key. The e-passports are protected by a digital signature which, when altered, brings the rejection of the passport by the reader. The validation of the signatures on e-passports requires the exchange of PKI certificates between the authorities of the issuing countries or the use of ICAO's PKD (Public Key Directory) system. However, ICAO PKD system is not universally used and many countries, UK included, use the bilateral exchange of certificates with other countries.

The Dutch researcher not only changed the data on the e-passports but succeeded in writing a new signature that will pass through the system, under certain circumstances. According to the reader performances, to the exchange of certificates between countries or to the use or not of PKD, the signature might not even be checked.

"We're not claiming that terrorists are able to do this to all passports today or that they will be able to do it tomorrow (...) But it does raise concerns over security that need to be addressed in a more public and open way" said Mr van Beek.

The flaws also contradict Home Office's claims that the 3 000 blank passports that were stolen last week were worthless and raise questions about the 4 billion pound ID scheme of the Government which uses the same biometric technology. Dominic Grieve, the Shadow Home Secretary, has asked the ministers to take urgent measures to solve the security flaws. "It is of deep concern that the technology underpinning a key part of the UK's security can be compromised so easily" said Grieve.

Researcher gives Elvis and bin Laden fake e-passports (6.08.2008)
http://www.theregister.co.uk/2008/08/06/epassport_alteration_demo/

'Fakeproof' e-passport is cloned in minutes (6.08.2008)
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece

How to clone the copy-friendly biometric passport (4.08.2006)
http://www.theregister.co.uk/2006/08/04/cloning_epassports/

How to clone a biometric passport while it's still in the bag (6.03.2007)
http://www.theregister.co.uk/2007/03/06/daily_mail_passport_clone/

 

Syndicate:

Syndicate contentCreative Commons License

With financial support from the EU's Fundamental Rights and Citizenship Programme.
eu logo