Tool to backup, modify and clone ePassport released

Wendy M. Grossman ukcrypto at chiark.greenend.org.uk
Fri, 03 Oct 2008 11:13:23 +0100 

Charles Lindsey wrote:
> On Thu, 02 Oct 2008 22:13:14 +0100, Ian Batten <igb@batten.eu.org> wrote:
> 
>>>
>>> Lots of people know my passport number. It's a standard item 
>>> requested by airlines when booking, conferences [1] when registering, 
>>> hotels when checking in.
>>
>> But we run around in circles.  If someone knows your passport number, 
>> what additional information of value could they extract from your 
>> passport? ...
> 
> It enables that someone to decode all the stuff on the chip, if he 
> manages to catch you within 2m (thereabouts) of himself.
> 
> Maybe that is no big deal, but people are jumping up and down at the 
> thought it might be possible, so what are they worrying about? Is it 
> just the start of the slippery slope that starts with "if you have 
> nothing to hide, why should you worry ...?".
> 

It seems to me there are two concerns:

1) that over time more information will be added to the chip that can 
also be captured by a third party

2) that given a set of valid data (full name, city of birth, dob, date 
of expiry, passport number) it becomes possible to clone a passport 
without having access to it. My birth city and dob are in Wikipedia; my 
middle name is known to some friends and a few banks and governments; 
one of my passport numbers is known to the issuing countries, presumably 
my airlines (who swipe it when I fly), and maybe one or two hotels (I 
rarely stay in hotels, and even more rarely the kind that want passport 
numbers); my other passport number is much less widely known.

I don't think it makes sense to argue whether it's easier for someone to 
compile this information from other sources than to swipe it via RFID 
leakage. I think the point is that the more open routes there are to the 
data the less you can trust the document as a secure means of 
identification. I live on the first floor and keep my door locked. It 
would be much harder for a would-be burglar to climb up a ladder and 
through a window. Still lock the windows, though. Mostly.

wg