During the teleconference, Randy Vanderhoof, executive director of the Smart Card Alliance, noted that the data encoded to the
chip inside an e-passport is digitally signed and locked by the issuing nation, and could not be altered even if it was cloned. According to Vanderhoof, what Grunwald accomplished could not serve to make electronic passports less secure because the passport inspectors will still examine the chip's encoded photo and compare it with the person who presents the passport. Cloning a passport's
inlay, he says "would be no different, in our point of view, than stealing someone else's passport and trying to present that as your own at a border entry point."
"Electronic passports are far more secure than today's printed documents," says Vanderhoof, because the
RFID element is used to authenticate the carrier of the passport through a visual inspection. In the
Wired story, Frank Moss, deputy assistant secretary of state for passport services at the
U.S. State Department, said the e-passport specs were not designed to prevent cloning. "What this person has done is neither unexpected nor really all that remarkable," he told
Wired, adding that the RFID inlay is meant to be an additional authenticator of the passport's carrier.
What if a country decided to remove the manual inspection process entirely, however, relying instead only on the data presented to an
interrogator at a border crossing? In this approach, which the ICAO specifications allow for and which some countries are reportedly considering, someone other than Grunwald could enter a country by presenting a clone of Grunwald's e-passport, as easily as someone could steal an
EZPass and drive through a New York toll booth.
"Obviously it would be better to have anticloning features [on e-passports], but [e-passports] may well be more secure than the [ones without RFID], in which photos can be grafted into real passports or inserted into fake ones," says Ari Juels, principal research scientist for
RSA Laboratories, the research arm of
RSA Security.
Juels says Grunwald's result "is a useful demonstration, but does not really teach anything new. A system with cloneable passports is roughly equivalent in security to a database with integrity protection. Anyone can claim to be another person; the system relies on a physical identity check for its success."
READERS' COMMENTS
Passport
There are two big differences between stolen Passports and cloned Passports. A stolen Passport will be reported by its owner. A cloned Passport will be an unknown copy. A person can probably clone more that 60 Passports per hour. I don't believe anyone can steal 60 Passports per hour.
Posted By: C. Kapsambelis 8/10/2006 at 11:10:49 AM
Patent
The e-passport might be infringing this US patent: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=7&f=G&l=50&co1=AND&d=PTXT&s1=6585154&OS=6585154&RS=6585154
Posted By: Y. Ostrover 8/11/2006 at 7:27:28 PM