[Stuart Fiske] Because of the CHYP Electronic Passport Interoperability Service, we’ve already had a few calls about today’s Wired News story on the cloning of e-passports. But what exactly is this story about? Is it about uncrackable e-passports being broken open by hackers? Or is it about someone reading the specifications and discovering that e-passports work as they are supposed to?
I don’t understand the word “crack” in the context of electronic passports. There is nothing personal stored in the chip that is not human readable on the data page of the passport. If you want to make a clone of the data inside the chip in my passport, you can do it by reading my passport: you don’t need to read what’s in the chip. Obviously it saves a bit of time getting the digital photo out of the chip, but it’s just the same as the photo in the passport.

“Basic Access Control” doesn’t protect the data stored in the chip: it just means that you have to have access to the physical passport in order to read the chip. “Active Authentication” in the specifications allows the data to be linked to the specific chip, but it’s an optional extra which can be implemented if any government so chooses. It’s a bit like the Static Data Authentication (SDA) versus Dynamic Data Authentication (DDA) issue for “chip and PIN” cards.

Of course, if you have physical access to my passport you can read all the other chip data which secures my personal data as being valid, but you can’t change it, only copy it. So you could copy my passport, but what’s the point if you can’t change my data to match your face? When a passport control person puts your passport in their reader, it displays the picture inside the chip: if it doesn’t match the picture in the passport (or your face), I expect they will notice. Much as we love them, this is just not a “brilliant hackers break unbreakable code” story. It’s a “person reads specification” story.
I don’t think much has changed in the press reporting of this kind of story over the years. The stories never reflect the kind of risk analysis that has gone into the design of such systems and as a consequence they don’t reflect real vulnerabilities.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.