Cloning e-passports: An old trick that can still work

Posted: August 13, 2008 in 2008, Articles

Gov Computer News:

LAS VEGAS—Dutch security researcher Jeroen van Beek demonstrated once again this year at the Black Hat Briefings how to clone an electronic passport, a trick that many say is old news since it dates back to 2006.

“This is not a new or unknown vulnerability of the first generation e-passport,” said Brook Hamilton, a spokeswoman for Entrust, a company that provides security for electronic documents. “But it is naïve to think a clone passport won’t get caught at the border crossing of a country using e-passport technology,” because digital signatures on the cloned passport would not match the originals.

Maybe not, according to van Beek. Each data group on an e-passport is hashed, and the list of hashes is digitally signed by the issuing country in the Document Security Object. Once a clone is altered, either a hash or the digital signature will no longer match the original. But real-time validation of digital signatures is not done by most countries, he said. When it is done, an invalid signature is classed as a non-critical error under the reference implementation for the international standard for the documents. The error is ignored if the rest of the information on the passport checks out.

If the original signature is copied and retained on the cloned passport, it will not validate the data that has been altered. But that error is classed only as a warning, and again as long as the passport looks valid, it will be passed.

“If the reference implementation is not that strict, what about real world set-ups?” van Beek asked.

Advanced authentication technology used to protect e-passports (Active Authentication, an optional challenge-response in which the chip proves it holds a private key that cannot be read out and copied) can be circumvented by simply leaving it out of the cloned document. Because it is an optional feature, its absence does not create an error when the passport is authenticated.

Optional security features are the problem with the international electronic passport scheme, van Beek said. The standard is good, but the implementation is too weak. Optional security controls lower the security for the entire global system to the lowest common denominator. Cloned e-passports can be detected, but they often are not.
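The checks and the two policies described above, as an added example that is not code from the article or from any inspection system. The data groups, the document-signer key and the "signature" are constructed here: an HMAC under a constructed key stands in for the RSA/ECDSA signature a real Document Security Object carries, so the example runs offline with the standard library only. It shows the three cases the article discusses: an exact clone (hashes and signature still valid, only the optional Active Authentication key missing), an edited clone that keeps the original signature (hash mismatch), and an edited clone with recomputed hashes but no valid signature.

```python
"""Passive authentication of an e-passport chip dump: lenient policy
(as the article describes the reference implementation) beside a strict one.
Added illustration; HMAC under a constructed key stands in for the
document-signer signature of a real SOD."""
import hashlib
import hmac
import json

DOC_SIGNER_KEY = b"constructed-document-signer-key"  # stand-in for the DS private key


def hash_data_groups(dgs):
    """Hash every data group, as the LDS Security Object lists them."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(dgs.items())}


def issue_sod(dgs):
    """Toy SOD: the hash list plus a 'signature' over it (HMAC stand-in)."""
    hashes = hash_data_groups(dgs)
    body = json.dumps(hashes, sort_keys=True).encode()
    sig = hmac.new(DOC_SIGNER_KEY, body, hashlib.sha256).hexdigest()
    return {"hashes": hashes, "signature": sig}


def verify_sod_signature(sod):
    body = json.dumps(sod["hashes"], sort_keys=True).encode()
    expected = hmac.new(DOC_SIGNER_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sod["signature"])


def passive_authentication(chip):
    """The raw checks an inspection system performs on a chip dump."""
    sod = chip["sod"]
    return {
        "sig_ok": verify_sod_signature(sod),
        "hashes_ok": hash_data_groups(chip["dgs"]) == sod["hashes"],
        "aa_present": chip.get("dg15") is not None,
    }


def decide(checks, strict):
    """Lenient: bad signature or bad hash is only a warning, missing AA key is
    not even that, and the document is accepted. Strict: all three are fatal."""
    problems = []
    if not checks["sig_ok"]:
        problems.append("SOD signature invalid")
    if not checks["hashes_ok"]:
        problems.append("data group hash mismatch")
    if not checks["aa_present"]:
        problems.append("no Active Authentication key (DG15)")
    if strict:
        return ("REJECT" if problems else "ACCEPT", problems)
    return ("ACCEPT", problems)  # lenient: warnings only


# Constructed sample chip: MRZ specimen text as DG1, placeholder bytes elsewhere.
GENUINE = {
    "dgs": {
        "DG1": b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"
               b"L898902C<3UTO6908061F9406236<<<<<<<<<<<<<<04",
        "DG2": b"<constructed JPEG bytes of the facial image>",
    },
    "dg15": b"<constructed AA public key>",
}
GENUINE["sod"] = issue_sod(GENUINE["dgs"])


def exact_clone(chip):
    """Byte-for-byte copy of the readable data groups and SOD; the AA key
    pair cannot be read out, so the clone simply omits DG15."""
    return {"dgs": dict(chip["dgs"]), "sod": chip["sod"], "dg15": None}


def altered_clone(chip):
    """Clone with DG1 edited but the original SOD retained."""
    c = exact_clone(chip)
    c["dgs"]["DG1"] = c["dgs"]["DG1"].replace(b"ERIKSSON", b"MALLORY<")
    return c


def rehashed_clone(chip):
    """Clone with DG1 edited and hashes recomputed, but no valid signature."""
    c = altered_clone(chip)
    c["sod"] = {"hashes": hash_data_groups(c["dgs"]), "signature": "00" * 32}
    return c


def outcomes(chip):
    """(lenient verdict, strict verdict) for a chip dump."""
    checks = passive_authentication(chip)
    return decide(checks, strict=False)[0], decide(checks, strict=True)[0]


if __name__ == "__main__":
    for label, c in [("genuine", GENUINE), ("exact clone", exact_clone(GENUINE)),
                     ("altered clone", altered_clone(GENUINE)),
                     ("rehashed clone", rehashed_clone(GENUINE))]:
        print(label, passive_authentication(c), outcomes(c))
```

Under the lenient policy every one of the three clones is accepted; under the strict policy all three are rejected, the exact clone only because the optional Active Authentication key is required. That is the whole of van Beek's argument in four dictionary lookups.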

Van Beek’s suggestions for improving the system are:

  • Require security features in the documents by default.
  • Require security features to be implemented in authentication systems.
  • Provide a global Public Key Infrastructure to authenticate digital signatures at all authentication points.
  • Create standards for approved hardware and software, with a specified lifespan.

The Register:

The ICAO documentation Grunwald consulted is publicly available, and explains the detail of the various levels of security of the ePassport system, the baseline level being something not unadjacent to zero. For standard ePassports including chip and facial biometric the ICAO assumption is that an open passport can be taken as the bearer’s acceptance that the passport is willingly being made available for the data to be read, ICAO’s intent here being to duplicate as closely as possible the inherent Ts & Cs of traditional passport inspection systems. But the ePassport is RFID, and therefore vulnerable to skimming and eavesdropping (i.e. being read by a concealed reader and/or having the transaction between passport and ‘official’ reader snooped on).

Two mechanisms will be used in ePassports to impede this; first, there is the ‘tinfoil hat’, a mesh of metal in the cover that blocks access to the chip when the passport is closed, and second the machine-readable zone (MRZ) of the passport. The MRZ is read optically when the passport is open, and the document number, date of birth and expiry date printed in it are used to derive the Basic Access Control keys that the chip demands before it releases its data. Anyone holding the printed MRZ can therefore derive the same keys and read the chip.
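The Basic Access Control key derivation just described, as an added example that is not code from the article. It follows the derivation in ICAO Doc 9303: check digits over the three MRZ fields with weights 7, 3, 1; SHA-1 of the resulting MRZ information, truncated to 16 bytes as the key seed; SHA-1 of the seed with a 32-bit counter (1 for encryption, 2 for MAC) for the two 3DES keys; odd parity on every key byte. The MRZ fields are the specimen values used in the Doc 9303 worked example, so the printed keys can be compared against that document; the security point is that nothing here is secret, which is why a chip dump (whose DG1 contains this same MRZ) or a photocopy of the data page is enough to replay the access.

```python
"""Basic Access Control key derivation from the printed MRZ (ICAO Doc 9303).
Added illustration, not code from the article."""
import hashlib


def check_digit(field):
    """ICAO 9303 check digit: digits as themselves, A-Z as 10-35, filler '<'
    as 0, weighted 7,3,1 repeating, summed modulo 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            v = int(ch)
        elif ch == "<":
            v = 0
        else:
            v = ord(ch.upper()) - ord("A") + 10
        total += v * (7, 3, 1)[i % 3]
    return str(total % 10)


def mrz_information(doc_number, birth_date, expiry_date):
    """Document number, birth date and expiry date, each with its check digit."""
    return (doc_number + check_digit(doc_number)
            + birth_date + check_digit(birth_date)
            + expiry_date + check_digit(expiry_date))


def adjust_parity(key):
    """Force odd parity on every byte, as DES key bytes require."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


def derive_key(seed, counter):
    """K = first 16 bytes of SHA-1(seed || counter), parity adjusted."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])


def bac_keys(doc_number, birth_date, expiry_date):
    """Return (K_enc, K_mac), the two 16-byte 3DES keys for BAC."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return derive_key(seed, 1), derive_key(seed, 2)


if __name__ == "__main__":
    # Specimen MRZ fields from the ICAO Doc 9303 worked example.
    fields = ("L898902C<", "690806", "940623")
    k_enc, k_mac = bac_keys(*fields)
    print("MRZ_information:", mrz_information(*fields))
    print("K_enc:", k_enc.hex())
    print("K_mac:", k_mac.hex())
```

Note how small the input space is: a nine-character document number, a birth date and an expiry date. With any one of them known (or the document number's structure known, as it is for sequentially issued passports), the rest can be brute-forced against a captured BAC exchange, which is what makes the eavesdropping scenario above practical rather than theoretical.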

There are other, optional levels of security that we’ll go into shortly, but what we’ve covered so far is what most countries will be shipping in this generation, and what Grunwald had to deal with. Here’s what he did again, in slow motion this time.

Grunwald bought an official inspection reader (N.B. this is legal, and even if it weren’t, the volumes of machines the market will need would make it trivial to obtain one) and placed his passport on top of it. Using Golden Reader Tool software from secunet Security Networks he read the chip in the passport. Golden Reader Tool is again freely available, and is widely used in the current round of ePassport interoperability testing. From there, Grunwald was able to burn the data onto a chip in a blank sample passport page, giving him a blank document that looks to readers like the original passport.

Note that there’s nothing particularly special about the official reader here, so it would be feasible with this level of security to use a homebrew reader. Note also that this is precisely what ICAO says you can do if this level of security is all that’s used. MRZ comparison: “Adds (minor) complexity. Does not prevent an exact copy of chip AND conventional document.”(PKI for MRTDs offering ICC Read-Only Access V1.1)

So what can you do with this? You’ve got an exact copy of the chip from one person’s passport, but you do not at the moment have a mechanism for changing the data on the chip, and in order to produce an entire copy of the passport you’d need to get over the more conventional speedbumps to forgery in the rest of the document. But you do have something that’s potentially quite useful, and under certain circumstances can brush aside what border security exists.
