E-passports vulnerable to traceability attacks, allowing real-time tracking of passport holders

A model of an e-passport // Source: strike-the-root.com

Computer scientists in Britain have uncovered weaknesses in electronic passports issued by the United States, the United Kingdom, and some fifty other countries that allow attackers to trace the movements of individuals as they enter or exit buildings.

Dan Goodin writes that scientists from University of Birmingham said that the so-called traceability attack is the only exploit of an e-passport that allows attackers remotely to track a given credential in real time without first knowing the cryptographic keys that protect it. What is more, RFID, or radio-frequency identification, data in the passports can not be turned off, making the threat persistent unless the holder shields the government-mandated identity document in a special pouch.

“A traceability attack does not lead to the compromise of all data on the tag, but it does pose a very real threat to the privacy of anyone that carries such a device,” the authors, Tom Chothia and Vitaliy Smirnov, wrote. “Assuming that the target carried their passport on them, an attacker could place a device in a doorway that would detect when the target entered or left a building” (a PDF of the paper is here).

To exploit the weakness, attackers would need to observe the targeted passport as it interacted with an authorized RFID reader at a border crossing or other official location. They could then build a special device that detects the credential each time it comes into range. The scientists estimated the device could have a reach of about twenty inches. “This would make it easy to eavesdrop on the required message from someone as they used their passport at, for instance, a customs post,” the authors wrote.

The attack works by recording the unique message sent between a particular passport and an official RFID reader and later replaying it within range of the special device. By measuring the time it takes the device to respond, attackers can determine whether the targeted passport is within range. In the case of e-passports from France, the process is even easier: electronic credentials from that country will return the error message “6A80: Incorrect parameters” if the targeted person is in range and “6300: no information given” if the person is not.

Goodin writes that the research is only the latest to identify the risks of embedding RFID tags into passports and other identification documents. Last year, information-security expert Chris Paget demonstrated a low-cost mobile platform that surreptitiously sniffs the unique digital identifiers in U.S. passport cards and next-generation drivers licenses. Among other things, civil liberties advocates have warned that those identifiers could be recorded at political demonstrations or other gatherings so police or private citizens could later determine whether a given individual attended.

To be sure, the practicality of traceability attacks is more limited because a targeted passport first must be observed within range of a legitimate reader. Once this hurdle is cleared, however — as would be relatively easy for unscrupulous government bureaucrats to do — the attack becomes a viable way to track a target.

Chothia and Smirnov of the University of Birmingham’s School of Computer Science said the security hole can be closed by standardizing error messages and “padding” response times in future e-passports. This, though, will do nothing to protect holders of more than 30 million passports from more than fifty countries who are vulnerable now, they said.

Goodin notes that this is sure to fuel criticism of RFID-enabled identification. “This is a great example of why e-passports are a bad idea,” Paget wrote in an e-mail to the Register. “It’s simply too expensive to replace vulnerable documents (especially when they have a 10-year lifespan) in response to legitimate security concerns, regardless of their severity. People will continue to poke holes in e-passports; without a mechanism to fix those problems there’s a strong argument that’s we’re better off without the RFID.”