Written by Technorati Tags: e-Passports, RFID, security, travel
I don’t understand the word "crack" in the context of the electronic passports. There is nothing personal stored in the chip that is not human readable on the data page of the passport. If you want to make a clone of the data inside the chip in my passport, you can do it by reading my passport: you don’t need to read what’s in the chip. Obviously it saves a bit of time getting the digital photo out of the chip, but it’s just the same as the photo in the passport.
"Basic Access Control" doesn’t protect the data stored in the chip: it just means that you have to have access to the physical passport in order to read the chip. "Active Authentication" in the specifications allows the data to be linked to the specific chip, but it’s an optional extra which can be implemented if any government so chooses. It’s a bit like the Static Data Authentication (SDA) versus Dynamic Data Authentication (DDA) issue for "chip and PIN" cards.
Of course, if you have physical access to my passport you can read all the other chip data which secures my personal data as being valid, but you can’t change it, only copy it. So you could copy my passport but what’s the point if you can’t change my data to match your face? When a passport control person puts your passport in their reader, it displays the picture inside the chip: if it doesn’t match the picture in the passport (or your face), I expect they will notice.
Much as we love them, this is just not a "brilliant hackers break unbreakable code" story. It’s a "person reads specification" story.
