Cloning e-passports

Bruce Schneier has pointed to another article on the security of e-passports. This one focuses on cloning, but contrary to a previous article, which simply mentioned that cloning was possible (which is natural, since nothing is done to prevent it), the authors now look for ways to actually exploit the cloned passports. The ideas are described in great detail, but here are a few of them in a few words:

  • If fingerprints are used, use fake fingers, in particular at automated checkpoints (which do not exist yet, but could come in the near future).
  • If pictures are used, exploit the fact that humans are imperfect. Choose a person with a similar face, add/remove beard/hair, and get through customs.

Interestingly enough, these two attacks are based on the fact that customs officers will trust the technology, and that they will be more relaxed if they rely on “secure passports”.

There remains one major difficulty. Skimming is easy, so you can spy on an exchange at customs. However, decrypting the information isn’t as simple. The encryption key is based on public information (birth date, passport number, passport expiry date), but this information is only available in the passport itself. The authors propose several schemes to get this information, in particular schemes that rely on anybody who has access to the passport during its production and delivery (including post office staff). Even post office employees know the name (on the envelope, which can lead to an estimate of the birth date) and the expiration date (roughly 10 years from now). All they are missing is the passport number, which is not completely random. However, they cannot be sure that the picture or fingerprint of that person matches that of the person for whom a passport must be made.

There is another possibility of attack, which would work with people entering the United States on visa waivers (i.e., those who are required to carry an electronic passport). It is based on two important facts about the handling of passports:

  • All US visitors on visa waivers have to fill out an I-94W form every time they enter the country. The problem is that this form is very confusing, so many people have to fill out several before they get it right. US customs lines are often littered with I-94W forms, which include the birth dates and passport numbers of people who are currently going through customs (and getting their passport data read).
  • It is of course possible to record the exchange between the passport and the reader and decipher it in the comfort of your home.

So, here is a plan for getting all the information you need for making a fake passport for a friend, for instance if pictures are used as biometrics:

  1. Get on a tourist flight from a country where your look is very common.
  2. If you are lucky, sit close to a person who looks like your friend. This person will fill out the I-94W during the flight. Just look at what they write (birth date and passport number).
  3. If you are less lucky, get off the flight as fast as you can, and look at people discarding I-94W forms on tables. Locate one who looks like your friend, and pick up the leftover form, or note the birth date and passport number.
  4. Stay close to your victim in the line. When they pass through customs, record the exchange between their passport and the reader.
  5. Back at home, try all possible expiration dates (3650 in theory, far fewer if you exclude weekends, around 250 if you consider that e-passports have only been in use for less than a year).

This all looks very, very easy. Even a bit too easy for my comfort. Note that there are quite a few variants, depending on the passport scheme used and on the risks that you are ready to take:

  • If fingerprints are used, things are even easier. Just pick up any I-94W form (which is littered with fingerprints from the right person) and follow that person through customs.
  • Even simpler and less risky, think of places where people show passports. It is quite common at hotels, so the accomplice could work as hotel staff, and wait patiently for a person who looks like your friend. Then, find a way to scan their passport (you may need good OCR software, since you cannot use a customs reader).

There are probably many other ways to fool the system. But there also are a few countermeasures, against this attack and others:

  • For individuals: consider your passport number and expiration date confidential. Never use your passport for anything other than customs; carry another form of ID. Never discard documents with these numbers on them, especially if associated with your name.
  • For customs: consider the I-94W and other forms sensitive. Avoid piles of discarded documents on writing tables. Make sure that they are discarded neatly. Avoid asking for personal information other than the name on the forms (all other information available on the passport could be printed by the customs officer).
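
To make the first countermeasure concrete, the following added example (not from the article or the original post) measures how much secrecy is left in the key once fields leak. It assumes the key is derived as in ICAO 9303 Basic Access Control, which the post does not name: SHA-1 over passport number, birth date and expiry date, each followed by its check digit. The sample field values are not a real passport, and the "nothing known" candidate count is an assumed upper bound; the other two counts are the figures quoted above.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeating

def check_digit(field: str) -> int:
    """MRZ check digit: digits as-is, A-Z -> 10..35, filler '<' -> 0."""
    total = 0
    for i, ch in enumerate(field):
        value = 0 if ch == "<" else int(ch, 36)
        total += value * WEIGHTS[i % 3]
    return total % 10

def key_material(doc_number: str, birth: str, expiry: str) -> str:
    """The three MRZ fields the key depends on, each with its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)

def key_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """Assumed BAC derivation: first 16 bytes of SHA-1 over the key material."""
    material = key_material(doc_number, birth, expiry).encode("ascii")
    return hashlib.sha1(material).digest()[:16]

# Number of candidate keys an eavesdropper still faces in each situation.
SCENARIOS = {
    # Assumption: 9 alphanumerics, 100 years of birth dates, 10 years of expiry.
    "nothing known": 36**9 * 36500 * 3650,
    # Figures from the post: only the expiry date is unknown.
    "number and birth date known": 3650,
    "number and birth date known, recent e-passport": 250,
}

def unknown_bits() -> dict:
    """Remaining key entropy in bits for each scenario."""
    return {name: math.log2(count) for name, count in SCENARIOS.items()}

if __name__ == "__main__":
    # Sample values, not a real document.
    print(key_material("L898902C", "690806", "940623"))
    print(key_seed("L898902C", "690806", "940623").hex())
    for name, bits in unknown_bits().items():
        print(f"{name}: {bits:.1f} bits")
```

Nothing in the derivation is secret except the field values themselves, which is why a form that shows the passport number and birth date removes almost all of the protection.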

Such countermeasures are simple to implement for countries, but maybe not for individuals. I remember, when I was much younger, how difficult it was to enter a bar in the US by showing a French ID. People would look suspiciously at it, because it is not written in English and it does not look like a US driving license. This must of course be much worse for people from another origin (Japanese, Arabic, or any country that does not use the Roman alphabet). In that case, showing your passport is often the only solution. Too bad.

EDITED (22/11): Replaced name by birth date in MRZ data.
