Hacker reveals how to compromise e-passport systems

Published 6 October 2008

An anonymous technology researcher discusses the ease with which e-passports may be compromised by hackers

As more and more countries move to give their citizens e-passports (passports that carry the holder's biometric data on an RFID tag embedded in the document, which readers at airports and border crossings can interrogate), they will find disturbing the revelations by a technology researcher that these e-passports can be easily compromised. The researcher, who claims to have written code that can emulate and clone e-passports, has given details of the purported hack. The anonymous hacker, who prefers to be known by the handle "vonJeek," told ZDNet.co.uk that the cloned chip works by bypassing electronic security checks. "If we're talking about bypassing, I mean manipulating the system in such a way that the intended process is not (fully) performed," vonJeek wrote in an e-mail exchange.

CNet's Tom Espiner writes that the researcher explained that e-passport systems use a mechanism called "passive authentication" to detect unauthorized changes to the data on the chip. A document security object (SOD) stored on the chip holds between two and sixteen hash values, one for each data file (data group) on the chip, which are used to check whether the passport data has been altered. The list of hashes is signed with a digital signature, and the signature and the signer's public key, used to check that the signature is correct, are stored in the SOD as well. To check that the e-passport content has not been altered, the inspection system first reads the index to see which files are stored on the chip, then reads the indexed files. It computes the hash of each file and checks that it matches the value recorded in the SOD. It then verifies the SOD's signature with the public key in the SOD, and checks that this public key is owned by a bona fide country; for that last step an International Civil Aviation Organization (ICAO) service, the Public Key Directory (PKD), can be used. Passive authentication therefore proves that the data was issued and signed by a recognized country and has not been changed since; it says nothing about whether the chip presenting that data is the original one.

A country can also decide to use an additional security mechanism called "active authentication", which the Dutch e-passport system uses, to check whether the chip data has been altered or cloned. Here the chip answers a challenge from the reader using a private key that cannot be read out of the chip, so a copy of the chip's files alone, even with a valid SOD, cannot pass the check.
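The following Python models the two checks described above, as an added example that is not code from the article, from vonJeek, or from any inspection system. It uses toy textbook RSA on Mersenne-prime moduli so that it runs with the standard library alone; the key sizes, the sample data groups, the byte encoding of the SOD hash list and the chip layout are all constructed for the example and are not ICAO's formats. It also makes one hardening assumption of its own: the verifier walks the SOD's hash list rather than the chip's index, so a data group the signer vouched for cannot be hidden from the reader by leaving it out of the index.

```python
import hashlib
from typing import Dict, Optional, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


# Toy textbook RSA (unpadded, trivially factorable moduli). It exists only so the
# example runs offline with the standard library; it is not a real PKI.
def mersenne(k: int) -> int:
    return (1 << k) - 1


def make_key(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public, private) for primes p and q."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def sign(priv: Key, data: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(pub: Key, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def encode_hashes(hashes: Dict[int, bytes]) -> bytes:
    """Deterministic encoding of the SOD hash list (data group number -> SHA-256)."""
    return b"".join(b"DG%d:" % dg + h for dg, h in sorted(hashes.items()))


def issue_passport(files: Dict[int, bytes], signer_priv: Key, signer_pub: Key,
                   chip_priv: Optional[Key]) -> dict:
    """Build a chip image: index of files, the files, the signed SOD, the chip's private key."""
    hashes = {dg: hashlib.sha256(body).digest() for dg, body in files.items()}
    sod = {"hashes": hashes, "signer_pub": signer_pub,
           "signature": sign(signer_priv, encode_hashes(hashes))}
    return {"index": sorted(files), "files": dict(files), "sod": sod, "chip_priv": chip_priv}


def passive_auth(chip: dict, trusted_signers: set) -> str:
    """Integrity and origin of the data. Returns 'ok' or the first failure found."""
    sod = chip["sod"]
    if sod["signer_pub"] not in trusted_signers:      # the PKD / bona fide country step
        return "untrusted signer"
    if not verify(sod["signer_pub"], encode_hashes(sod["hashes"]), sod["signature"]):
        return "bad SOD signature"
    # Walk the SOD's list, not the chip's index: every file the signer vouched for
    # must be announced by the chip and hash to the recorded value.
    for dg, expected in sod["hashes"].items():
        if dg not in chip["index"]:
            return f"DG{dg} hashed in SOD but absent from index"
        body = chip["files"].get(dg)
        if body is None or hashlib.sha256(body).digest() != expected:
            return f"DG{dg} missing or altered"
    return "ok"


def chip_respond(chip: dict, nonce: bytes) -> int:
    """The chip's answer to an active-authentication challenge (0 if it has no key)."""
    return sign(chip["chip_priv"], nonce) if chip["chip_priv"] else 0


def active_auth(chip: dict, nonce: bytes) -> bool:
    """Challenge the chip and verify the answer with the public key stored in DG15,
    whose hash is itself covered by the SOD."""
    n_str, e_str = chip["files"][15].decode().split(":")
    return verify((int(n_str), int(e_str)), nonce, chip_respond(chip, nonce))


# Constructed sample keys and data; not from any real passport or signing authority.
COUNTRY_PUB, COUNTRY_PRIV = make_key(mersenne(127), mersenne(521))
CHIP_PUB, CHIP_PRIV = make_key(mersenne(107), mersenne(607))
ROGUE_PUB, ROGUE_PRIV = make_key(mersenne(89), mersenne(1279))
TRUSTED = {COUNTRY_PUB}
NONCE = b"\x13\x37\xc0\xff\xee\x00\x00\x08"

SAMPLE_FILES = {
    1: b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<",  # DG1: machine-readable zone
    2: b"<constructed face image bytes>",                 # DG2: face image
    15: f"{CHIP_PUB[0]}:{CHIP_PUB[1]}".encode(),          # DG15: active-auth public key
}

genuine = issue_passport(SAMPLE_FILES, COUNTRY_PRIV, COUNTRY_PUB, CHIP_PRIV)


def clone(chip: dict) -> dict:
    """Copy everything readable over the air; the private key never leaves the chip."""
    return {"index": list(chip["index"]), "files": dict(chip["files"]),
            "sod": dict(chip["sod"]), "chip_priv": None}


def tampered_clone(chip: dict) -> dict:
    c = clone(chip)
    c["files"][1] = c["files"][1].replace(b"ERIKSSON", b"MALLORY<")
    return c


def resigned_clone(chip: dict) -> dict:
    """Forge data and re-sign the SOD with a key no country vouches for."""
    return issue_passport(tampered_clone(chip)["files"], ROGUE_PRIV, ROGUE_PUB, None)


def index_stripped_clone(chip: dict) -> dict:
    """Leave DG15 out of the index so an index-driven reader never sees it."""
    c = clone(chip)
    c["index"].remove(15)
    return c
```

Running the four variants through both checks shows the division of labour: an exact clone passes passive authentication, because it carries the same validly signed SOD, and fails only active authentication; changing DG1 fails the hash comparison; re-signing the forged data fails the trust check on the signer's key; and dropping DG15 from the index is caught only because the verifier takes the SOD, not the index, as the list of files to read.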

vonJeek claimed the emulator program worked by exploiting a vulnerability in how the e-passport system initially reads the index to see which files are stored on the chip. Using this vulnerability bypasses active authentication, along with any additional services such as fingerprints or other biometric checks. The researcher