Is the Biometric Passport Safe?

Are you concerned about the Security of your Biometric Passport?

Although most governments claim that their biometric encoded passports are safe from attack. However, many such attacks have been documented over the years since the introduction of the biometric chip passport. This is a real concern to Passport Holders!

Why are Biometric Microchips Used in Passports?

The RFID biometric microchip provides an additional way to verify and authenticate a passport and the information it contains. It can help expedite the processing of passport holders entry and exit applications at immigration and customs offices at airports. It also helps to make passports more difficult to counterfeit.

igogeer.com - passport with chip

To illustrate some of the concerns about the Biometric Passport we are presenting a few reported examples.

Since the introduction of biometric passports several attacks have been presented and we demonstrated them here:

Non-traceable chip characteristics. In 2008 a Radboud/Lausitz University team demonstrated that it’s possible to determine which country a passport chip is from without knowing the key required for reading it. The team fingerprinted error messages of passport chips from different countries. The resulting lookup table allows an attacker to determine from where a chip originated. In 2010 Tom Chothia and Vitaliy Smirnov documented an attack that allows an individual passport to be traced, by sending specific BAC authentication requests.

Passive Authentication (PA). In 2006 Lukas Grunwald demonstrated that it is trivial to copy passport data from a passport chip into a standard ISO/IEC 14443 smartcard using a standard contactless card interface and a simple file transfer tool. Grunwald used a passport that did not use Active Authentication (anti-cloning) and did not change the data held on the copied chip, thus keeping its cryptographic signature valid.

In 2008 Jeroen van Beek demonstrated that not all passport inspection systems check the cryptographic signature of a passport chip. For his demonstration Van Beek altered chip information and signed it using his own document signing key of a non-existing country. This can only be detected by checking the country signing keys that are used to sign the document signing keys. To check country signing keys the ICAO PKD can be used. Only 5 out of 60+ countries are using this central database. Van Beek did not update the original passport chip: instead an ePassport emulator was used.

Also in 2008, The Hacker’s Choice implemented all attacks and published code to verify the results. The release included a video clip that demonstrated problems by using a forged Elvis Presley passport that is recognized as a valid US passport.

Active Authentication (AA). In 2005 Marc Witteman showed that the secret Active Authentication key can be retrieved using power analysis. This may allow an attacker to clone passport chips that use the optional Active Authentication anti-cloning mechanism on chips – if the chip design is susceptible to this attack. In 2008 Jeroen van Beek demonstrated that optional security mechanisms can be disabled by removing their presence from the passport index file. This allows an attacker to remove – amongst others – anti-cloning mechanisms (Active Authentication). The attack is documented in supplement 7 of Doc 9303 (R1-p1_v2_sIV_0006) and can be solved by patching inspection system software. Note that supplement 7 features vulnerable examples in the same document that – when implemented – result in a vulnerable inspection process.

As these cases demonstrate biometric passport technology is not infallible and all users must take extreme care when using their personal passport.

Upcoming Article:
Look out for our next article in this series – “Is Your Smartcard Safe?” You will find it informative and fascinating reading. Click HERE to read this article.

Protect your Biometric Passport from unauthorized scanning by electronic criminals. This product will provide that protection.

 

Igogeer.com - deluxe money belt with rfid blocking - ad 728x99

Image: USA Passport with Microchip