By Jeremy Kirk
IDG news service
02 October 2008
Data on radio chips can be cloned and modified without detection,
according to a security researcher, raising question marks over the use
of so-called e-passports that use RFID chips.
Upwards of 50 countries are rolling out passports with embedded RFID
(radio frequency identification) chips containing biometric and personal
data. The move is intended to cut down on fraudulent passports and
strengthen border screenings, but security experts say the systems have
Dutch researcher Jeroen van Beek has released a software toolkit that
can be used to encode RFID chips with false information. In a
demonstration video, van Beek shows how a scanner at Amsterdam's airport
reads a passport chip he encoded with Elvis Presley's information and
It means that a fraudster could potentially create a fake passport with
an RFID chip that would appear legitimate. The reason the data looks
legitimate is due to a fundamental problem in how governments are
setting up systems to handle e-passports, said Adam Laurie, a freelance
security researcher who worked with van Beek on the demonstration.
Passport data on RFID chips is signed with a digital certificate
belonging to the country to which the passport was issued. E-passport
systems are supposed to verify that certificate when scanning a
passport, Laurie said.
All countries issuing e-passports are supposed to upload their digital
certificate to the Public Key Directory (PKD), a database that should be
queried to ensure the certificate is correct, Laurie said.
But only 10 of the 50 or so countries have agreed to upload those
certificates to the PKD, Laurie said. Only five countries are
contributing to the database, he said.
"Basically, the whole thing falls down," Laurie said. The e-passport
system's security is rooted in the back-end database checks of those
certificates, he said.
In van Beek's demonstration, the passport chip containing fraudulent
data presents its own certificate that appears to be from a legitimate
authority but isn't. Since the Netherlands doesn't use PKD to verify
passport certificates, the certificate is accepted, Laurie said.
Register now for HITBSecConf2008 - Malaysia! With
a new triple-track conference featuring 4 keynote
speakers and over 35 international experts, this
is the largest network security event in Asia and
the Middle East!