Skip to main content

An ePassport is a Fiendishly Slippery Thing

No sooner are new electronic identification methods out on the street than do electronic tricksters (and presumably cyber bad guys) hack them.

When America and the EU introduced "ePassports" in the mid-2000s, the documents had no security, not even basic encryption, which meant that the holder's details were being offered up to the world at large.

The passports had RFID chips to let machines read basic information, including photos and fingerprints, and for the first time in history, a traveler — at least in theory — could have his identity details "skimmed" by any hacker wielding a fairly cheap RFID receiver.

Use of RFID, or radio-frequency identification, has exploded over the last few years. The chips turn up in everything from retail items to house pets to electronic toll passes (EZPass, FasTrak). "We can use RFID to identify something or someone," says Gildas Avoine, a computer scientist in Belgium who has criticized the new European ePassports, "or we can use RFID to authenticate - meaning to identify with proof of identity. If we use RFID for a supply chain, or for cattle, or for pets, and so on, what we want is just to identify. Not proof, just to identify."

But authentication can be fiendishly difficult. Hackers had such an easy time skimming first-generation ePassports that Western governments added a layer of security in mid-2006. Now the RFID readers need a password to read the owner's data. Most passports issued after 2006 — when European countries introduced ePassports under American pressure — have "Basic Access Control," an encryption method that requires a code from the reader for the microchip to unscramble its data.

Fair enough, but Avoine showed the codes could were still not secure. In a second test, his group found that the code for Belgian passports could still be interpolated with a minimum of effort. “All the passports we tried during our work have been or would have been cracked within one hour in the worst case,” his group reports.*

A test by the London Times in 2008 found British ePassports to be no more secure. The newspaper hired computer scientist Jeroen van Beek at the University of Amsterdam to test new and supposedly fake-proof British ePassport technology. (The United States pressured all EU governments to adopt them after the 9/11 attacks in 2001.)

"Using his own software, a publicly available programming code, a £40 card reader and two £10 RFID chips," writes the Times, "Mr van Beek took less than an hour to clone and manipulate two passport chips to a level at which they were ready to be planted inside fake or stolen paper passports."

What he did, specifically, was skim data from two British passport chips, then replace the image files with digital photos of Osama bin Laden.

The British government argued at the time that safeguards already built into the system would detect Mr. Van Beek's (and other) cloned chips at any European border. But those safeguards weren't mandatory until June 2009, when the EU started to use an authentication method called Extended Access Control, which means passports issued before mid-2009 are still easy to hack.

American passports now come with a so-called Faraday cage — a metal mesh inside the cover that blocks the RFID signal as long as the passport stays closed. "The passport never emits by itself," says Avoine, the Belgian computer scientist. "So the reader sends an electronic signal to the passport, and the passport answers. With a Faraday cage you are no longer able to reach the RFID tag in the passport" until someone opens it up.

In the meantime, though, state and federal government agencies in the U.S. have started to issue both driver's licenses and "passport cards" (for travel to Canada and Mexico) tagged with RFID. Since the cards have no covers to close, they're easy to skim, and in early 2009, a British hacker named Chris Paget rigged up a receiver in his car with $250 worth of equipment, and drove around San Francisco for about 20 minutes.

He picked up RFID codes — in this case unique numbers assigned to the chips like digital Social Security numbers — from two passport cards carried by strangers on the street. Then he posted a video of his hacking mission on the Web.

Avoine says Paget's ride around the block simply shows what RFID chips are good for. Secure and verifiable human "authentication" may be difficult; electronic human retail is another matter. "The passport card emits this number," he said, "and perhaps we cannot link this number with a person," without a database to serve up personal details, which may have its own security problems. "But it's an issue anyway, because we can track someone. We cannot get their personal information, but we can track their movements."

* This paragraph originally read: Fair enough, but Avoine showed the codes could be interpolated from characters printed in the passports themselves. That meant a man with a scanner walking down the corridor of a train might not manage to skim your private details, but a pickpocket who swiped your passport and brought it home might manage to crack the chip and make a counterfeit.

Sign up for our free e-newsletter.

Are you on Facebook? Become our fan.

Follow us on Twitter.

Add our news to your site.