[Stuart Fiske] Because of the CHYP Electronic Passport Interoperability Service, we’ve already had a few calls about today’s Wired News story on the cloning of e-passports.   But what exactly is this story about?  Is it about uncrackable e-passports being broken open by hackers?  Or is it about someone reading the specifications and discovering that e-passports work as they are supposed to?


I don’t understand the word "crack" in the context of electronic passports. There is nothing personal stored in the chip that is not human readable on the data page of the passport. If you want to make a clone of the data inside the chip in my passport, you can do it by reading my passport: you don’t need to read what’s in the chip. Obviously it saves a bit of time getting the digital photo out of the chip, but it’s just the same as the photo in the passport.

"Basic Access Control" doesn’t protect the data stored in the chip: it just means that you have to have access to the physical passport in order to read the chip. "Active Authentication" in the specifications allows the data to be linked to the specific chip, but it’s an optional extra which can be implemented if any government so chooses. It’s a bit like the Static Data Authentication (SDA) versus Dynamic Data Authentication (DDA) issue for "chip and PIN" cards.

Of course, if you have physical access to my passport you can read all the other chip data which certifies my personal data as valid, but you can’t change it, only copy it. So you could copy my passport, but what’s the point if you can’t change my data to match your face? When a passport control person puts your passport in their reader, it displays the picture inside the chip: if it doesn’t match the picture in the passport (or your face), I expect they will notice.

Much as we love them, this is just not a "brilliant hackers break unbreakable code" story. It’s a "person reads specification" story.
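
The copy-versus-change distinction above, and what Active Authentication adds to it, can be modelled in a few lines. This is an added example, not code from the original post or from the passport specifications: it is a toy model using textbook RSA with small fixed primes, and every name, key and data value in it is constructed for illustration.

```python
import hashlib, secrets

def make_key(p, q, e=65537):
    """Textbook RSA key pair from two primes (toy: no padding, small modulus)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def encode(groups):
    # Deterministic byte encoding of the chip data (hypothetical format).
    return repr(sorted(groups.items())).encode()

class Chip:
    def __init__(self, groups, issuer_sig, chip_priv):
        self.groups, self.issuer_sig, self._priv = groups, issuer_sig, chip_priv
    def respond(self, challenge):
        # Only a chip holding the private key can answer for the signed public key.
        return sign(self._priv, challenge)

def static_check(issuer_pub, chip):
    """Issuer signature over the data: passes for any exact copy."""
    return verify(issuer_pub, encode(chip.groups), chip.issuer_sig)

def active_check(issuer_pub, chip):
    """Static check plus a fresh challenge bound to the chip's own key."""
    if not static_check(issuer_pub, chip):
        return False
    challenge = secrets.token_bytes(8)
    return verify(chip.groups["chip_pub"], challenge, chip.respond(challenge))

# Constructed keys and data; Mersenne primes keep the toy short.
ISSUER_PUB, ISSUER_PRIV = make_key(2**107 - 1, 2**127 - 1)
CHIP_PUB, CHIP_PRIV = make_key(2**61 - 1, 2**89 - 1)
_, OTHER_PRIV = make_key(2**61 - 1, 2**107 - 1)  # key of a different chip

groups = {"name": "DOE JANE", "photo": b"constructed-photo", "chip_pub": CHIP_PUB}
genuine = Chip(groups, sign(ISSUER_PRIV, encode(groups)), CHIP_PRIV)
clone = Chip(dict(groups), genuine.issuer_sig, OTHER_PRIV)
altered = Chip({**groups, "photo": b"other-face"}, genuine.issuer_sig, OTHER_PRIV)
```

An exact copy passes the static check, a copy with a changed photo fails it, and only the chip holding the private key passes the active check.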
