Industry Group Says E-Passport Clone Poses Little Risk
Cloning a passport's inlay, according to the Smart Card Alliance, would be no different than stealing someone else's passport and trying to present that as your own at a border entry point.
Aug 09, 2006—At last week's Black Hat computer security conference in Las Vegas, Lukas Grunwald, a consultant with computer security firm DN-Systems, demonstrated that using an open source software package called RFDump and an RFID interrogator (reader), he could duplicate the data from his RFID-enabled German passport onto an RFID access card. With the United States soon to join the handful of nations already issuing passports with embedded RFID tags (the U.S. State Department plans to begin issuing e-passports on Monday), the demo struck a nerve. At last count, a search on Google showed a few hundred news stories about the event.
One of these stories, published in Wired News, said that to read the tag in his passport, Grunwald used the same interrogator that border agents use to read e-passports and e-passport software made by Secunet Security Networks. He then used RFDump to make the clone.
The Smart Card Alliance is a not-for-profit association representing more than 185 companies in the banking, financial services, computer and retail markets, including Gemalto, which supplies the RFID inlays that will be used in the U.S. e-passports. The alliance held a news teleconference Tuesday to discuss the demo and address related questions.
To ensure interoperability and a base level of security, the nearly 30 countries issuing or planning to issue e-passports have agreed to follow specifications developed by the International Civil Aviation Organization (ICAO), which establish the required and optional types of data that can be encoded to the inlay inside each passport. The ICAO specifications support different levels of protection to reduce the chances of the electronic data on one's passport being surreptitiously pulled (skimmed), or eavesdropped on while it is being read at a border entry point. A metallic mesh lining in the passport booklet prevents the inlay from being read until the booklet is opened. To protect the information from being pulled by an unauthorized party, the reader's operator must enter a password, written on the passport, to unlock and read the tag, through a process called Basic Access Control. This tool can also be used to encrypt the data on the tag. To access the encrypted tag data, a reader would also need access to the appropriate data keys. Grunwald reportedly pulled all the information he needed to clone his passport tag by reading through the specifications on the ICAO web site.
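The Basic Access Control step described above, as an added example that is not part of the original article: in ICAO Doc 9303 the "password written on the passport" is the document number, birth date and expiry date from the machine-readable zone (MRZ), each with its check digit, and the reader derives its session-setup keys from those printed characters alone. The field values are the specimen data from the ICAO worked example, and the function names are hypothetical.

```python
import hashlib

# Constructed sample MRZ fields (the specimen values from ICAO Doc 9303's
# worked example); not data from the article or from any real passport.
DOC_NUMBER, BIRTH_DATE, EXPIRY_DATE = "L898902C<", "690806", "940623"


def check_digit(field: str) -> int:
    """MRZ check digit: weights 7,3,1 repeating; 0-9 as is, A-Z = 10-35, '<' = 0."""
    def value(ch: str) -> int:
        if ch.isdigit():
            return int(ch)
        if ch == "<":
            return 0
        return ord(ch) - ord("A") + 10
    return sum(value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc: str, dob: str, exp: str) -> str:
    """Concatenate each field with its check digit, as printed in the MRZ."""
    return "".join(f + str(check_digit(f)) for f in (doc, dob, exp))


def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES convention)."""
    return bytes((b & 0xFE) | (bin(b >> 1).count("1") + 1) % 2 for b in key)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """First 16 bytes of SHA-1(K_seed || 32-bit counter), as a two-key 3DES key."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])


def bac_keys(doc: str, dob: str, exp: str) -> dict:
    """Derive the BAC seed, encryption key (counter 1) and MAC key (counter 2)."""
    info = mrz_information(doc, dob, exp).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    return {"k_seed": k_seed, "k_enc": derive_key(k_seed, 1), "k_mac": derive_key(k_seed, 2)}


if __name__ == "__main__":
    for name, key in bac_keys(DOC_NUMBER, BIRTH_DATE, EXPIRY_DATE).items():
        print(name, key.hex().upper())
```

Because every input to the derivation is printed on the data page, Basic Access Control protects the chip only from parties who have not seen that page.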