Tool to backup, modify and clone ePassport released

steve ukcrypto at chiark.greenend.org.uk
Sat, 4 Oct 2008 07:56:58 +0000 

Hi,

Ian, your are argueing about 'the secrecy of your data' but the real
problem is somewhere else. It is your choice how public you want to make
your data or not. Other folks might not want to be as 'open' as you are.

This is your choice and it's your responsibility.

The problem with rfid and epassport is that it is no longer your choice.
It's the choice of the attacker as you are forced to use the epassport
and can not prevent others from reading your data.

If you are not worried about someone stealing your data because your
data is public already (other people might have a different opinion on
this) then consider that somebody can track you: Anyone
can read the epassport info without any authentication required. This
means someone can tell when you enter which building or what shop or
who you meet or sit at the same table with.

And let's not forget with all the other issues with the epassport,
including people using your credentials to authenticate themself
(forging of epassports), ...

The real question is: Do ePassport make us more safe (as we are told
and what the justification for the 50GBP is) or do they make use less
safe? Does it make sense to roll out ePassports in the way they want
to roll it out or should other security features be added? 

steve


On Thu, Oct 02, 2008 at 10:13:14PM +0100, Ian Batten wrote:
> >
> >Lots of people know my passport number. It's a standard item  
> >requested by airlines when booking, conferences [1] when  
> >registering, hotels when checking in.
> 
> But we run around in circles.  If someone knows your passport number,  
> what additional information of value could they extract from your  
> passport?  If I want a photograph of you I need to disambiguate you  
> from an Australian SF author, but 
> http://www.ripe.net/info/ncc/staff/pics/roland_perry.jpg is passport-alike 
>  enough.
> 
> What else is there on a passport that's worth an RF attack?  I can't  
> believe your date of birth would be that hard to obtain by easier means.
> 
> ian
>