Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

Industry Group Says E-Passport Clone Poses Little Risk

Cloning a passport's inlay, according to the Smart Card Alliance, would be no different than stealing someone else's passport and trying to present that as your own at a border entry point.
By Mary Catherine O'Connor
Aug 09, 2006At last week's Black Hat computer security conference in Las Vegas, Lukas Grunwald, a consultant with computer security firm DN-Systems, demonstrated that using an open source software package called RFDump and an RFID interrogator (reader), he could duplicate the data from his RFID-enabled German passport onto an RFID access card. With the United States soon to join the handful of nations already issuing passports with embedded RFID tags (the U.S. State Department plans to begin issuing e-passports on Monday), the demo struck a nerve. At last count, a search on Google showed a few hundred news stories about the event.

One of these stories, published in Wired News, said that to read the tag in his passport, Grunwald used the same interrogator that border agents use to read e-passports and e-passport software made by Secunet Security Networks. He then used RFDump to make the clone.

Randy Vanderhoof
However, Grunwald merely cloned the data on the IC inside his passport. He did not counterfeit the passport, nor did he manipulate the data. Although Grunwald claimed to have demonstrated a fundamental security flaw in RFID-enabled passports (known as e-passports), a number of RFID technology experts say this is not true.

Smart Card Alliance is a not-for-profit association representing more than 185 companies in the banking, financial services, computer and retail markets, including Gemalto, which supplies the RFID inlays that will be used in the US e-passports. The alliance held a news teleconference Tuesday to discuss the demo and address related questions.

In order to ensure interoperability and a base level of security, the nearly 30 countries issuing or planning to issue e-passports have agreed to follow specifications developed by the International Civil Aviation Organization (ICAO) to establish required and optional types of data that can be encoded to the inlay inside each passport. The ICAO specifications support different levels of protection to reduce the chances of electronic data on one's passport being pulled, or skimmed, surreptitiously, or eavesdropped while the data is being read at a border entry point. A mesh metallic lining on the passport booklets prevents the inlay from being read until the booklet is opened. To protect the info from being pulled by an unauthorized party, the reader's operator must enter a password, written on the passport, to unlock and read the tag, through a process called Basic Access Control. This tool can also be used to encrypt the data on the tag. To access the encrypted tag data, a reader would also need access to the appropriate data keys. Grunwald reportedly pulled all the information he needed to clone his passport tag by reading through the specifications on the ICAO web site.


Chris Kapsambelis 2006-08-10 12:10:49 PM
Passport There are two big differences between stolen Passports and cloned Passports. A stolen Passport will be reported by its owner. A cloned Passport will be an unknown copy. A person can probably clone more that 60 Passports per hour. I don't believe anyone can steal 60 Passports per hour.
Yaakov Ostrover 2006-08-11 08:27:28 PM
Patent The e-passport might be infringing this US patent: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=7&f=G&l=50&co1=AND&d=PTXT&s1=6585154&OS=6585154&RS=6585154

Login and post your comment!

Not a member?

Signup for an account now to access all of the features of RFIDJournal.com!

Case Studies Features Best Practices How-Tos
Live Events Virtual Events Webinars
Simply enter a question for our experts.
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations