New electronic and biometric passports may not be the silver bullet against forgeries that authorities claim, writes John Collins
In the coverage of the security alert in Britain following the discovery of an alleged plot to bring down transatlantic flights, it was easy to overlook reports that one of the major security measures introduced post-September 11th, 2001, was potentially compromised.
At the infamous Black Hat security hacker convention in Las Vegas earlier this month, a German security consultant showed he could clone the data held on the electronic or biometric passports being introduced by Ireland and other nations at the behest of the US.
After just two weeks, most of which was spent reading the specifications for the passports published by the International Civil Aviation Organisation (ICAO), Lukas Grunwald, a security consultant with DN-Systems in Germany, was able to read the information on an electronic passport.
Then, using commercially available equipment, he was able to produce a simple blank passport page with an embedded chip. This page, when scanned at a border crossing, would then appear to immigration officials to be the original passport.
The Department of Foreign Affairs is currently at an advanced stage of an €8.8 million project to introduce the same e-passports for Irish citizens. Germany and the US have already begun to issue them.
"The whole passport design is totally brain-damaged," Grunwald told Wired News after demonstrating his cloning technique. "From my point of view, all of these RFID passports are a huge waste of money. They're not increasing security at all."
However, a Department of Foreign Affairs spokesperson was significantly less impressed with Grunwald's achievement and pointed out that he hadn't actually cloned a passport but only the data contained on the passport's chip. To complete the task, a forger or terrorist would have to produce an authentic replication of a passport and embed the chip in it - a far from trivial task.
The spokesperson also pointed out that Grunwald was not able to change the data in any way.
While the data stored on digital passports that comply with the ICAO standard is not encrypted, it is signed with a digital signature that means any attempt to change the information would render the chip unreadable.
The chips in the passports are RFID chips, which transmit radio waves that can be read by a scanner without the scanner having to come into contact with the passport.
To prevent scenarios such as a terrorist scanning a street to find US citizens carrying their passports, they utilise a system called Basic Access Control. This requires that information from the machine-readable area of the passport is read first before the RFID tag can be accessed.
The other major differentiator is that the passports digitise biometric data about the holder - initially a face print but the EU plans to include fingerprints by 2009.
Seán O'Connell, IT security specialist with software company CA, is also underwhelmed by Grunwald's achievement and says this vulnerability has been known for some time.
"Altering the data is a very different kettle of fish and would be very, very difficult," says O'Connell. "To do that they would have to crack very hardened encryption."
He also points out that if a forger inserted the chip in a passport with a different picture, this would be spotted at a border control because the picture on the passport and that pulled up on screen would not match.
"The present data stored on the passport includes a photograph of the holder's face, which is used for photo recognition," says O'Connell.
"But if someone steals that biometric information, it is not something that you can revoke. It is not beyond the realms of imagination to use that information elsewhere."
In other words, hackers may not use the data to create digital passports but for identity theft or other illegal purposes. O'Connell says that once accepted for passports, facial biometrics may be used for other purposes such as building access controls or for age verification.
The principle of being able to revoke a password or other security token has long been a central tenet of information security. It ensures that new passwords can be issued if an existing one is compromised. While biometric factors such as an iris scan or fingerprint are hard to forge, if they are compromised, the individual cannot change them.
What is more concerning for many observers is that the EU authorities have plans to go further than the US in terms of the biometric data stored on digital passports.
The EU Digital Passport project, which is using technology from a consortium of European companies including Siemens, Infineon and Smarticware, is working to include fingerprints by summer 2009.
Unlike the current digital photograph, the fingerprint data will be encrypted using what the consortium calls "extended access control", based on the industry standard Public Key Infrastructure (PKI).
The Department of Foreign Affairs has stated on its website that the addition of fingerprints to passports is an extension of the Schengen accord in which the Republic does not participate and there are no plans to add fingerprints to Irish passports.
Civil liberties groups and other watchdogs are up in arms about this particular proposal, which could see EU citizens, including children, being fingerprinted as a matter of course. TJ McIntyre, chairman of Digital Rights Ireland, says there is a disturbing move to increase the amount of information being stored about citizens when there is no need for it.
McIntyre also expresses concerns that standards are being set internationally with little or no public scrutiny of what is being decided by national authorities such as Ireland's data protection commissioner.
While the initial headline that digital passports have been cloned may not quite ring true, Grunwald's hacking efforts have clearly shaken confidence in digital passports.
Given that the US authorities in particular have been holding them up as a silver bullet to reduce immigration queues and ensure passports are not forgeries, it's damaging news.