Monday, October 6, 2008

Hackable ePassports?

Brian Krebs on Computer Security for the Washington Post recently wrote about a security researcher who has published a software tool that makes it easy to copy and modify identification data encoded onto the computer chips embedded in passports issued by the United States and dozens of other countries.

Jeroen van Beek, a security researcher at the University of Amsterdam, discussed his work at the Black Hat security conference in Las Vegas last month, but only released the tool that allows anyone to manipulate data on the passport chips in late September. You can read Mr. van Beek’s presentation, “ePassports Reloaded,” here (32 slides in PDF).

Earlier, in August, Steve Boggan, reporting for The Times, wrote about the same security flaw: “new microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports. Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organised crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.”

The same Mr. van Beek conducted the tests for The Times. Mr. Boggan further reports that, “Building on research from the UK, Germany and New Zealand, Mr. van Beek has developed a method of reading, cloning and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organisation to test them. It is also the software recommended for use at airports.”

And here is the stunning part:

“Using his own software, a publicly available programming code, a £40 card reader and two £10 RFID chips, Mr. van Beek took less than an hour to clone and manipulate two passport chips to a level at which they were ready to be planted inside fake or stolen paper passports.”

“A baby boy’s passport chip was altered to contain an image of Osama bin Laden, and the passport of a 36-year-old woman was changed to feature a picture of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. The unlikely identities were chosen so that there could be no suggestion that either Mr. van Beek or The Times was faking viable travel documents.”

“We’re not claiming that terrorists are able to do this to all passports today or that they will be able to do it tomorrow,” Mr van Beek said. “But it does raise concerns over security that need to be addressed in a more public and open way.”

In 2006, prior to the switch of all U.S. passports to electronic passports with RFID chips, Bruce Schneier, writing for TWP, warned:

“The shielding does no good when the passport is open. […] And although the State Department insists that the chip can be read only by a reader that is inches away, the chips have been read from many feet away. […] The other security mechanisms are also vulnerable, and several security researchers have already discovered flaws. One found that he could identify individual chips via unique characteristics of the radio transmissions. Another successfully cloned a chip. The State Department called this a "meaningless stunt," pointing out that the researcher could not read or change the data. But the researcher spent only two weeks trying; the security of your passport has to be strong enough to last 10 years.”

On “cloning,” here is what the State Department says:

“It is possible to substitute the chip of an e-passport with a fake chip storing the data copied from the chip of another e-passport. However, the simplest way to mitigate this threat is to verify that the chip data belongs to the presented e-passport. This can be done by comparing the data stored on the chip to data on the e-passport's data page. If the photos and biographical data match and the passport does not appear to have been tampered with (is not counterfeited), then the e-passport and the data stored on the chip can be considered to be belonging together. Additionally, the introduction of Public Key Infrastructure (PKI) into travel documents provides, for the first time, the means of automatically (without human intervention) confirming that the person presenting the travel document, is the same person shown on the data page, and on the chip, with the assurance that the data was put there by the issuing authority and that the data has not been changed.”

I see two main problems here:

1) The information on the chips - name, date of birth, passport number, photo, etc. - is designed to be read over a wireless interface by a radio frequency identification (RFID) reader. But with the technology cycle refreshing in ever shorter bursts, we are bound to see improvements in RFID readers, remote or otherwise. I'm not a tech person, but I see why the security of this document must be strong enough to last more than 10 years.

2) Only 10 of the 45 countries that issue e-passports have agreed to share the public keys (PKI) that are needed to test the integrity of the data on one another's passport chips. Worse still, only five countries are reportedly actively sharing data. So automatically confirming data is a useless function if there is no data sharing or limited data sharing to begin with.
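
The two checks the State Department describes, and the key-sharing gap in point 2, as an added example (not code from the original post or from any inspection system). Textbook RSA over small Mersenne primes stands in for real passport PKI; the issuer "UTO", the field names and the verdict strings are all assumptions made up for illustration.

```python
import hashlib, json

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (toy size, illustration only)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    """Hash the chip's data fields to an integer below the modulus."""
    blob = json.dumps(data, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def issue_chip(issuer, data, key):
    """Issuing authority signs the chip data with its private key."""
    return {"issuer": issuer, "data": dict(data),
            "sig": pow(digest(data, key["n"]), key["d"], key["n"])}

def inspect(chip, data_page, trust_store):
    """Border check: signature first, then chip vs. printed data page."""
    pub = trust_store.get(chip["issuer"])
    if pub is None:
        return "UNVERIFIED"      # no shared key: integrity cannot be tested
    if pow(chip["sig"], pub["e"], pub["n"]) != digest(chip["data"], pub["n"]):
        return "BAD_SIGNATURE"   # data changed after issuance
    if chip["data"] != data_page:
        return "MISMATCH"        # valid chip, but not this booklet's
    return "OK"

# Constructed sample data; "UTO" (Utopia) is a fictional issuer.
UTO_KEY = make_key(2**61 - 1, 2**89 - 1)          # Mersenne primes
HOLDER = {"name": "DOE JANE", "dob": "1972-03-04", "photo_sha256": "aa11"}
GENUINE = issue_chip("UTO", HOLDER, UTO_KEY)
ALTERED = {**GENUINE, "data": {**HOLDER, "photo_sha256": "bb22"}}
OTHER_PAGE = {"name": "ROE RICHARD", "dob": "1980-01-01", "photo_sha256": "cc33"}

SHARING = {"UTO": {"n": UTO_KEY["n"], "e": UTO_KEY["e"]}}  # key was shared
NOT_SHARING = {}                                           # key never shared

def run_cases():
    return {
        "genuine, key shared": inspect(GENUINE, HOLDER, SHARING),
        "altered, key shared": inspect(ALTERED, ALTERED["data"], SHARING),
        "copied chip, other booklet": inspect(GENUINE, OTHER_PAGE, SHARING),
        "genuine, no key": inspect(GENUINE, HOLDER, NOT_SHARING),
        "altered, no key": inspect(ALTERED, ALTERED["data"], NOT_SHARING),
    }

if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(f"{case:28} -> {verdict}")
```

Without the issuer's public key the genuine and the altered chip get the same verdict, so a reader that treats "UNVERIFIED" as acceptable gains nothing from the signature.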

Since August 2007, the State Department has issued epassports only. The chip is embedded in the back cover of the passport book (can't even feel it with my hand) and the front cover should contain the epassport logo - right under the words "United States of America."

I’m hoping I won’t hear State call this development a “meaningless stunt.” I think it would be worth USG’s time to get Mr. van Beek or a qualified somebody to do an official test. Surely there is money for a security test like this? Technology is moving by leaps and bounds. If U.S. passports are indeed hackable, remedial actions are needed sooner rather than later. Steal this post, forward this to contacts at "Consular Affairs" or "M."

If you want to read about RFID blocking and see a collection of news stories on RFID, visit Adam Laurie’s website here.

To read more about the RFID technology from Scientific American, click here.
