Tool to backup, modify and clone ePassport released

Ian Batten ukcrypto at chiark.greenend.org.uk
Wed, 1 Oct 2008 15:36:20 +0100


On 01 Oct 08, at 1514, Peter Tomlinson wrote:

> steve wrote:
>> Absolutely. That's how it should be. Unfortunately it's possible to
>> read the data from your epassport by anyone from 3 meter distance. Without
>> you authorizing it or knowing it.
> Perhaps monitor from a distance the reading of a passport when it is  
> presented to a dedicated reader, if the reader is not screened, I  
> think.

OK, that's a risk I'd not thought of.  So you could probably monitor  
some passports while you progress through the queue at immigration  
between when you get within range of the readers and when you're  
passed through and leave the area.   That would give you access to the  
encrypted form of known-good passports (because you can observe the  
holder being passed through).

But if the passport data is encrypted under a key derived from the  
serial number of the passport, it's not clear how serious the attack  
is.  A brute-force search (or something better than that) will yield  
name, passport number and a few other odds and ends, which are of  
value. How much value, I don't know; I suspect not a great deal beyond
a small amount of ID theft.  Launching a passive RF attack in a  
monitored, secured, CCTV'd area to obtain a small amount of ID-theft  
material doesn't strike me as a well-targeted use of baddies'  
resources.  And quite what you can achieve with a passport number but  
without the passport, I don't know.

ian