[Dave Birch] The newspapers here are having a fine time with the very latest Dutch chip shenanigans: A Dutch researcher has shown The Times how easy it is to clone e-passport chips and change the details.

The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined.

[From ‘Fakeproof’ e-passport is cloned in minutes – Times Online]

Nearly right. It’s digital signatures that “would not match” and the international database contains the public keys that allow you to check the signatures. I doubt it’s much of a threat to be honest, because you’d have to forge the paper part of the passport to match the cloned chip, and that strikes me as a little harder. The only people who read the chips, or at least attempt to read the chips, are immigration officers. My bank doesn’t have any readers, nor does my airline and nor does Eurostar or anyone else. Anyway, as the journalist points out, digital signatures are pretty useless if no-one implements them. I’m not sure why it’s in the news today, since it’s a recycling of a story that’s a couple of years old.

A German computer security consultant has shown that he can clone the electronic passports that the United States and other countries are beginning to distribute this year.

[From Hackers Clone E-Passports]

It may be a symptom of a general collapse in public trust of any kind of government IT rather than a specific reflection on anything to do with e-passports.

Bernard Herdan, head of passports in the U.K., explained all this to some M.P.s last year:

Mr Herdan: They could not change the data in that chip, no, because of the PKI technology, which is not in the suppliers’ hands to change.

[From Uncorrected Evidence 362]

I explained what this means in more detail some time ago:

The data is signed (well, a hash of the data is signed) using a private key from the issuing country. The corresponding public keys are stored in the ICAO Public Key Directory (PKD), so the border control terminals need to download these every day, which may not have been thought through as well as it might be. But, in theory at least, you cannot forge an e-passport because you cannot forge the digital signature that is blown into the chip, even if you can forge the written signature on the passport.

[From Digital Identity Forum: Budapests]

But if the terminals don’t even attempt to obtain keys from the PKD and check the digital signature, then what’s the point of the chip?
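As an added illustration (not code from the original post or from any passport system), here is a simplified sketch of the check described above: a hash of the chip data is signed with the issuer's private key, and a terminal verifies it with a public key taken from a directory. The key, the country code `XX`, the data fields and the function names are all constructed, and textbook RSA without padding stands in for the real signature format.

```python
import hashlib

# Constructed demo key: both primes are well-known Mersenne primes, so this
# key is trivially factorable and only illustrates the sign/verify flow.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent (Python 3.8+)


def digest(data: bytes) -> int:
    """SHA-256 of the chip data, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_chip(country: str, data: bytes) -> dict:
    """Issuer side: sign the hash of the data (textbook RSA, no padding)."""
    return {"country": country, "data": data, "sig": pow(digest(data), D, N)}


def check_chip(chip: dict, directory: dict) -> str:
    """Terminal side: look up the issuer's public key and check the signature."""
    key = directory.get(chip["country"])
    if key is None:
        return "UNVERIFIED"          # no key for this issuer: nothing can be checked
    n, e = key
    ok = pow(chip["sig"], e, n) == digest(chip["data"])
    return "VALID" if ok else "SIGNATURE_MISMATCH"


def demo() -> dict:
    directory = {"XX": (N, E)}       # stand-in for keys downloaded from the PKD
    genuine = issue_chip("XX", b"name=ALICE EXAMPLE;dob=1970-01-01")
    # Same signature, different details: what a terminal sees after tampering.
    altered = dict(genuine, data=b"name=BOB EXAMPLE;dob=1970-01-01")
    return {
        "genuine, key in directory": check_chip(genuine, directory),
        "altered, key in directory": check_chip(altered, directory),
        "altered, no key for issuer": check_chip(altered, {}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The third case is the one the post is concerned with: without the issuer's key the terminal has no basis for rejecting the altered data, so the outcome depends entirely on what it does with an unverified chip.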

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.

1 comment

  1. The threat isn’t so much today’s little breach, but the overall threat of the “trust me, I’m a security expert, I know what I’m doing” generation. The government (any, each) tend to stress that their proposals are good and secure, which closes the door to any sort of risk assessment and analysis. As they can’t be correct, because there is no perfect security, this leads to a sort of institutional cognitive dissonance that eventually explodes in major breaches. C.f., losing all your children’s details.
    Security “experts” have been doing the same for a decade now, and they also are found to be wearing transparent clothing. So much so that most of us inside have forgotten how to have a real security debate, and outsiders who pay money have forgotten how to trust a security claim.
