Microchips in e-passports easily forged

Published 8 August 2008

Dutch researcher uses his own software, a publicly available programming code, a £40 card reader, and two £10 RFID chips to clone and manipulate two passport chips to a point at which they were ready to be planted inside fake or stolen paper passports; the altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports; the researcher took less than an hour to alter the chips

We reported yesterday that the supposedly tamper-proof, forgery-proof biometric e-passports, which more and more governments adopt as a way to fight terrorism and crime, are not so safe after all. The Times’s Steve Boggan writes that a researcher demonstrated that the new documents may be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports. In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports. The demonstration is a serious blow to the U.K. Home Office’s claim that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. This argument was always suspect becasue only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined.

Boggan notes that some of the forty-five countries, including Britain, swap codes manually, but criminals could use fake e-passports from countries which do not share key codes, which would then go undetected at passport control. Tens of millions of microchipped passports have been issued by the forty-five countries in the belief that they will make international travel safe — but the tests suggest that the microchips are vulnerable to cloning and that bogus biometrics could be inserted in fake or blank passports.

The tests for the Times were conducted by Jeroen van Beek, a security researcher at the University of Amsterdam. Building on research from the United Kingdom, Germany, and New Zealand, van Beek has developed a method of reading, cloning, and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organization (ICAO) to test them. It is also the software recommended for use at airports. Using his own software, a publicly available programming code, a £40 card reader, and two £10 RFID chips, van Beek took less than an hour to clone and manipulate two passport chips to a point at which they were ready

view counter
view counter