Tool to backup, modify and clone ePassport released

Peter Tomlinson ukcrypto at chiark.greenend.org.uk
Wed, 01 Oct 2008 15:52:09 +0100


Ian Batten wrote:
> On 01 Oct 08, at 1514, Peter Tomlinson wrote:
>> steve wrote:
>>> absolutely. That's how it should be. Unfortunately it's possible to
>>> read the data from your epassport by anyone from 3 meter distance.
>>> Without you authorizing it or knowing it.
>> Perhaps monitor from a distance the reading of a passport when it is 
>> presented to a dedicated reader, if the reader is not screened, I think.
> OK, that's a risk I'd not thought of.  So you could probably monitor 
> some passports while you progress through the queue at immigration 
> between when you get within range of the readers and when you're 
> passed through and leave the area.   That would give you access to the 
> encrypted form of known-good passports (because you can observe the 
> holder being passed through).
>
> But if the passport data is encrypted under a key derived from the 
> serial number of the passport, it's not clear how serious the attack 
> is.  A brute-force search (or something better than that) will yield 
> name, passport number and a few other odds and ends, which are of 
> value. How much value, I don't know, I suspect not a great deal beyond 
> a small amount of ID theft.  Launching a passive RF attack in a 
> monitored, secured, CCTV'd area to obtain a small amount of ID-theft 
> material doesn't strike me as a well-targeted use of baddies' 
> resources.  And quite what you can achieve with a passport number but 
> without the passport, I don't know.
But we heard recently from HO that passports will double as ID cards, 
which suggests that the technology has converged (at least in the mind 
of one lady). It was also said some while ago that there would be 10,000 
ID card 'readers' to be deployed. Sadly for those who want to snoop on 
passports in an insecure area, that is unlikely to be enough of the 
readers for it to be possible to have one on the counter of every bank 
branch or even in the interview cubicles. However, this is entering a 
fantasy realm, because if we have ID cards we really want eID cards that 
we can use via a PC, and that needs a rather better security model.

Peter