During the teleconference, Randy Vanderhoof, executive director of the Smart Card Alliance, noted that the data encoded to the chip inside an e-passport is digitally signed and locked by the issuing nation, and could not be altered even if it was cloned. According to Vanderhoof, what Grunwald accomplished could not serve to make electronic passports less secure because the passport inspectors will still examine the chip's encoded photo and compare it with the person who presents the passport. Cloning a passport's inlay, he says, "would be no different, in our point of view, than stealing someone else's passport and trying to present that as your own at a border entry point."
"Electronic passports are far more secure than today's printed documents," says Vanderhoof, because the RFID element is used to authenticate the carrier of the passport through a visual inspection. In the Wired story, Frank Moss, deputy assistant secretary of state for passport services at the U.S. State Department, said the e-passport specs were not designed to prevent cloning. "What this person has done is neither unexpected nor really all that remarkable," he told Wired, adding that the RFID inlay is meant to be an additional authenticator of the passport's carrier.
What if a country decided to remove the manual inspection process entirely, however, relying instead only on the data presented to an interrogator at a border crossing? In this approach, which the ICAO specifications allow for and which some countries are reportedly considering, someone other than Grunwald could enter a country by presenting a clone of Grunwald's e-passport, as easily as someone could steal an EZPass and drive through a New York toll booth.
"Obviously it would be better to have anticloning features [on e-passports], but [e-passports] may well be more secure than the [ones without RFID], in which photos can be grafted into real passports or inserted into fake ones," says Ari Juels, principal research scientist for RSA Laboratories, the research arm of RSA Security.
Juels says Grunwald's result "is a useful demonstration, but does not really teach anything new. A system with cloneable passports is roughly equivalent in security to a database with integrity protection. Anyone can claim to be another person; the system relies on a physical identity check for its success."