Hello, my name is ...
(And I have the e-passport to prove it)

Peter Gutmann, pgut001@cs.auckland.ac.nz

(This was written earlier this year and predates the later work by Adam Laurie and Jeroen van Beek, so it only talks about the signing part of the work).

What did you do?

Showed that the data in an electronic passport can be altered in any way you want but still be accepted by the standard passport-verification tool used in international interoperability tests in the US, Japan, Singapore, and Germany. This implementation is internationally recognised as the electronic passport reference implementation. Specifically, I created passport data showing that I was actually Osama bin Laden (so that's where he's been all these years!), but I could just as easily have been Elvis, or Ronald McDonald, or even Inigo Montoya. Note that this proof-of-concept demo did not involve tampering with a genuine passport in any way.

(Fans of the Chaser will note that not only can you get Osama through security checkpoints by putting a Canadian flag on his limo, you can also give him a Canadian e-passport to go with it).

What's the significance of this?

Governments have made numerous claims to justify the introduction of the e-passport. It was supposed to be the most secure passport ever. Security researchers begged to differ. For example Adam Laurie showed that its contents could be read remotely while it was being sent in the post. As the UK Daily Mail put it, “A shocking security gap allows the personal details and photograph in any electronic passport to be copied from the outside of the envelope in which it is delivered to homes. The passport holder is none the wiser when it arrives because the white envelope has not been tampered with or opened”. This same attack has been repeated with different variations in other countries around the world, for example Lukas Grunwald did it in Germany (and later demoed it in the US).

The governments' last line of defence against the remote-reading and cloning attacks was the claim that even if you could quite easily read the e-passport remotely and create a perfect copy of the original (an attack that any standard paper passport is immune to), you couldn't manufacture your own e-passport out of whole cloth. That's what this demonstration shows: anyone with a little knowledge can invent their own passport data, which is accepted as genuine by the reference e-passport implementation. It's never been this easy to create your own e-passport, and you can be anyone you want on it!

So it's a bug in the implementation?

No, it's a bug in the whole design of the e-passport. The reference implementation is doing exactly what the design requires.

You can't alter the electronic data in the original passport though can you?

No, but you don't have to. The passport reader has no idea whether the electronic tag (known as an RFID tag) that it's talking to is the one in the passport or not; it simply sends out a signal and talks to anything that responds, assuming that it's the passport (there's no way to avoid this, that's how RFID works, and this problem had already been acknowledged in the e-passport planning stages). The completely unnecessary use of an RFID tag decouples the electronic information from the physical passport document, opening up a new range of attacks that were never possible with a standard paper passport. In order to feed my fake data to a passport reader all I need to do is disable the RFID tag in the passport and get my DIY tag somewhere into its vicinity (taped to the back of my boarding pass, in the palm of my hand, under my watch strap, whatever; the bare tag itself is only about 6mm square). The reader has no idea whether it's talking to a tag inside the passport or a tag located somewhere else. That's the neat thing about wireless communication: you're not tied to a fixed location. Unfortunately, while this is great for cellphones, it's less useful in a security application.

Why was something like this deployed then if it's insecure?

Massive political pressure from the US mostly, with a bit of collaboration from a few governments who had motives of their own such as introducing national ID cards through the back door (the UK) or who thought it'd be a great way of showcasing their country's IT industry (Germany). The Washington Post covers some of the politics involved in an extensive two-part story that reads like a rerun of “Enron: The Smartest Guys in the Room” (most of the passport coverage is in the second part). The report “A Case Study of the Security and Privacy Risks of the U.S. e-Passport” contains more on the lack of care applied to the RFID passport process in the US. There's more coverage in a later Washington Post article, including telling comments from the chairman of the Senate Homeland Security Committee.

Mostly though the reason why countries rushed out such unsound technology in such a hurry was pressure from the US, carefully policy-laundered through the ICAO. The security threat being countered with the e-passport is that if you don't issue it, the US will make it extremely difficult and expensive for your citizens to travel there. Governments responded to this security threat by performing the silly-walk that the US required.

So this demonstration of problems is politically motivated?

Not at all, it's entirely technically motivated. As the BBC put it, “Nearly every country issuing this passport has a few security experts who are yelling at the top of their lungs and trying to shout out: 'This is not secure. This is not a good idea to use this technology'”. The Budapest Declaration on Machine Readable Travel Documents stated in 2006 that “By failing to implement an appropriate security architecture, European governments have effectively forced their citizens to adopt new [passports] which dramatically decrease security and privacy and increase the risk of identity theft. Put simply, the current implementation of the European passport uses technologies and standards that are poorly conceived for its purpose” (the Budapest Declaration covers the European Union, but the same comments apply to passports everywhere else as well). Even the ICAO's own documents state that the e-passports aren't secure: “Compared to paper based [passports] copying the signed data stored on the RF-Chip is easily possible in general”. Unfortunately this information seems to be being ignored by governments, although given that the US hasn't really given them much choice, they're stuck between a rock and a hard place.

Doesn't this demonstration help the terrorists?

Issuing and making people carry passports that act as remote bomb-detonators and that enable identity theft helps the terrorists. Warning people that these things aren't a good idea helps the public. In fact given the recent carefully targeted theft of 3,000 blank passports in the UK complete with unlocked RFID chips ready to be programmed, it's likely that the criminal fraternity has known about this issue for quite some time.

How can we protect ourselves?

One way to make it a bit harder is to carry your passport in a shielded container that blocks the ability to read it using cheap readers; you can order these from various vendors over the Internet. The problem is that this only raises the bar a bit (in technical terms the passport bags provide about 7-8 dB of attenuation, so all you need to do is increase the reader power a bit to read right through them). In non-technical terms it's a bit like closing a window to try and stop the noise from a rowdy party next door: all they have to do is turn the volume up a bit and you're back to square one. It could also be argued that it's unfair to expect passport holders to have to go out and waste their time and money fixing a problem that should never have existed in the first place.

A more complete answer describing how to fully protect yourself might be seen as advocating the destruction of a small portion of some government-owned property so I respectfully decline to answer this question :-).

Are there any other weaknesses introduced by the e-passport?

How much time do you have? (See also the reply to the “where can I read more” question at the end for a link to more information). One neat attack, demonstrated by German security researcher Lukas Grunwald, has shown that you can use data in the passport to attack the passport reader. The technical details are in the linked article so I won't repeat them here but in simplified form what the introduction of the e-passport does is open up the passport system to the same sort of attacks that Internet viruses use to propagate. I found similar issues when I created my Osama e-passport, the software was accepting all sorts of malformed data that it shouldn't have. In one case I fed it a signature that wasn't even valid according to the technical specs and yet it verified without any problems.

Turning a passport from a passive paper document verified by skilled humans into an active electronic artefact processed by (often buggy) software opens it up to the same sorts of attack that have made the Internet what it is today. As RSA labs research manager Ari Juels puts it, “The world of RFID is like the Internet in its early stages. Nobody thought about building security features into the Internet in advance, and now we're paying for it in viruses and other attacks. We're likely to see the same thing with RFIDs”.

By introducing computers and software into the passport system the e-passport also introduces software bugs, hackers, and viruses, something that was never an issue with a purely passive paper passport. The resulting computer software-based e-passport is therefore significantly less secure (and because of its wireless capabilities significantly more risky to carry) than the original purely passive physical document.

What will the government response to this news be?

“This weakness is purely theoretical”, “Being able to remotely read, copy, and undetectably alter this does not mean that the passport can be forged” (this is an update of a real quote from the UK Home Office when passport cloning was first demonstrated), “We have extra security measures in place to prevent this attack”, and many more. Take your pick.

One specific counterargument that's almost certain to come up is that there's a proposed component of the system called a public key directory (PKD) that's supposed to prevent this. Once it's deployed and activated, at some point in the future. If countries decide to use it (at the moment most don't). And assuming it works completely flawlessly. Oh, and also assuming that it can't be bypassed using software bugs of the type that Lukas Grunwald and I (and no doubt numerous others) have found. In any case at the current date, three years after e-passports were first deployed, it still remains a vapourware product with only ten out of 183 ICAO members expressing any interest in it and only five actually using it.
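The trust gap behind the "invent your own passport data" answer above and the PKD argument here, as an added example that is not the author's code or any real reader's implementation: a simplified Go model of the passport's signed data object, with Ed25519 standing in for the real algorithms and plain structs (`DSCert`, `SOD`) standing in for the ASN.1 structures. `VerifyEmbeddedOnly` is everything a reader can check when it has no trusted issuing-country (CSCA) certificates; `VerifyWithAnchor` is the extra step a working PKD is meant to make possible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Simplified model of ICAO passive authentication (constructed; real SODs are ASN.1/CMS).
type DSCert struct {
	PubKey  ed25519.PublicKey // Document Signer (DS) public key
	CSCASig []byte            // issuing country's CSCA signature over PubKey
}
type SOD struct {
	Hashes []byte // concatenated SHA-256 hashes of the data groups (name, photo, ...)
	Sig    []byte // DS signature over Hashes
	Cert   DSCert // DS certificate travels on the chip alongside the data
}

func hashDataGroups(dgs [][]byte) (out []byte) {
	for _, dg := range dgs {
		h := sha256.Sum256(dg)
		out = append(out, h[:]...)
	}
	return out
}

// IssuePassport mints a DS key, has cscaPriv certify it, and signs the data groups.
// Nothing here is secret to a government: a forger's own "CSCA" key works just as well.
func IssuePassport(cscaPriv ed25519.PrivateKey, dgs [][]byte) SOD {
	dsPub, dsPriv, _ := ed25519.GenerateKey(rand.Reader)
	hashes := hashDataGroups(dgs)
	return SOD{Hashes: hashes, Sig: ed25519.Sign(dsPriv, hashes),
		Cert: DSCert{PubKey: dsPub, CSCASig: ed25519.Sign(cscaPriv, dsPub)}}
}

// VerifyEmbeddedOnly is all a reader can do without a trusted CSCA store: check the
// hashes and the signature under the key the chip itself supplied. A self-minted SOD passes.
func VerifyEmbeddedOnly(sod SOD, dgs [][]byte) bool {
	return string(sod.Hashes) == string(hashDataGroups(dgs)) &&
		ed25519.Verify(sod.Cert.PubKey, sod.Hashes, sod.Sig)
}

// VerifyWithAnchor also requires the DS certificate to be signed by a CSCA the reader
// already trusts, which is the gap the not-yet-deployed PKD is supposed to fill.
func VerifyWithAnchor(sod SOD, dgs [][]byte, trusted []ed25519.PublicKey) bool {
	for _, csca := range trusted {
		if ed25519.Verify(csca, sod.Cert.PubKey, sod.Cert.CSCASig) {
			return VerifyEmbeddedOnly(sod, dgs)
		}
	}
	return false
}
```

Tampering with a data group is caught by either check, since the hashes no longer match; what only the anchored check catches is a chip whose entire SOD, signer certificate included, was minted by someone other than the issuing country.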

Where can I read more about this?

The endless security problems of the e-passport have been covered fairly extensively in the media, particularly in the UK. One source that tries to bring the salient points together in one place is “Why Biometrics and RFID are not a Panacea: A Comedy of Errors, in Three Acts” (make sure you read the bit about how Germany solved the failure-to-enroll problem :-).