Slashdot Mirror

← Back to Stories (view on slashdot.org)

E-Passport Cloned In Five Minutes

Posted by kdawson on from the if-more-proof-were-needed dept.

Last month a panel of EU experts warned that the e-Passport's security is "poorly conceived", and in fact a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying "It is hard to see why anyone would want to access the information on the chip."

2 of 259 comments (clear)

  1. Open Rights Group - Biometric passport by rimberg · · Score: 4, Informative

    The Open Rights Group(Think UK EFF) have a wiki page that provideds more information on this an othere issues with the British Biometric Passport The European version of the biometric passport is planned to have digital imaging and fingerprint scan biometrics placed on the Radio Frequency chip. The government of UK thinks that the public has a negative opinion of RFID chips so instead they call it a contactless chip.

  2. The technology used by Eljas · · Score: 4, Informative

    Many people here seem to make claims on RFID security without knowledge of the technology actually used. I have done some research on the subject so I think I can give some pointers. Details about the technology can be found at ICAO's web page and short presentation on the subject Jacobs/Wichers Schreur.

    The communication between the password and the reader is encrypted using information in the Machine Readable Zone at the bottom of the passport. This is the basic way to authorize passport reading. The MRZ-information is generated from the information of the passport holder and random numbers. If bad numbering scheme is used, breaking the encryption is quite possible. If large enough random numbers are used, breaking the encryption with brute force is currently not practical.

    The authentication is done using public key cryptography. Currently only Passive Authentication is mandatory, but Active Authentiacation is supported and it is mandatory when fingerprint information is contained in the passport. With only Passive Authentication cloning of MRZ-compromized passport is easy, but with Active Authentication it should be unfeasibly difficult.

    Reading and cloning an European RFID passport which is using all available security measures (like the e-passports in Finland) is not as trivia as many people here seem to think. As long as there are no backdoors in the cryptography (e.g. for the intelligence agencies) I think the technology is quite sound. Not using all available cryptography is just bad choise by the goverment issuing the passports.

    The scheme in TFA is nothing new and nothing revolutionary. If you have physical access to a passport with only Passive Authentication cloning is trivial, as pointed in TFA. This is actually how the technology was designed to work. Maybe the design is bad, but that is hardly big suprise, since the technology is compromize between many organizations and goverments. When someone clones a passport which has Active Authentication, then that is real news.