How to clone the copy-friendly biometric passport

So easy the manual tells you that you can do it

ICAO (we mentioned this quite recently) stresses that machine checking of the document is not intended to substitute for ID checking of the bearer. The ICAO systems are designed to impede the forgery or falsification of the document itself, and not to give any kind of guarantee that the bearer matches the document. Grunwald's demo doesn't quite knock the hell out of this, because all it produces is a copied chip, but it does tend to indicate that the authenticity of the full document may not be entirely rock-solid. Whatever ICAO says, however, using machines as substitutes for 'fallible' human checkers is a major part of the exercise for some governments, and opportunities for forgers can be seen here.

A full copy passport will pass a machine, and the picture (which is on the chip) only provides a barrier here if there's also a machine trying to match the face of the bearer to the face in the passport. Even then, current systems can only rationally be used as an aid or indicator for a human checker, so if there isn't one of these present it's not likely to be used. Where there is likely to be a human checker present, it will still be feasible for people carrying copied passports to pass by provided they look approximately like the picture in the passport (i.e., just the same as the good old days), because the chip in the passport will validate in the reader. Note also that the mere presence of the reader, the chip and the general ePassport security pixie dust will - no matter what the circulars say - have a psychological effect on border control staff. They will tend, because the machine says the passport's clean, to drop their guard, not really inspect either picture or bearer properly. This kind of effect is well documented, and it's the same kind of thing as people walking in and out of companies unchallenged despite wearing a security tag in the name of 'Michael Mouse'.

The Wired write-up suggests that "a terrorist whose name is on a watch list could carry a passport with his real name and photo printed on the pages, but with an RFID chip that contains different information cloned from someone else's passport" - but although this is possible in some circumstances, it's chancy because it oughtn't to work for reading terminals where the chip data is put onto a screen for border control. And then, nabbed with a definitely mucked-around passport, the bearer is in trouble. Grunwald suggests that the ePassport data could also be put onto a card, and then put between the chip on the ePassport and the reader, meaning that the reading comes from the card rather than the ePassport.

This is basically the same exploit, producing a data mismatch that is vulnerable to visual inspection, but is potentially helpful to the intruder because the ePassport can be genuine (although possibly on a watchlist), and because the card could be used or not depending on whether an opportunity were available.

Note also that the ability to produce a copy that will pass an unattended machine scan easily severely impedes the use of the ePassport as a general identity document and, provided what goes for ePassports goes for ID cards (which the Home Office tells us it does) undermines the UK ID card's ability to act as one. And ask yourself how you close an ID card - we'd like to know too.

ICAO suggests higher levels of security to protect additional biometrics such as fingerprint and iris, and some of these could also be used to protect the 'vanilla' ePassport. Encryption, for example, can be used to combat skimming (ICAO's Basic Access Control, which derives the session key from the passport number, date of birth and expiry date printed in the machine-readable zone), but in a document with a ten year lifespan encryption (as ICAO freely admits) is likely to have a limited effect. Nor does it prevent an exact copy being made: anyone who has read the chip with the MRZ-derived key, as Grunwald did, has everything needed to write an identical one. A PKI system can also be used in an attempt to ensure that the reader itself is authorised (the European Extended Access Control scheme), and thus to protect the additional biometrics. This requires processing on the passport chip, and again doesn't stop a complete copy being made. This PKI system, as explained here with reference to the European biometric passport, is run by the issuing authority, and is different from the PKI system administered by ICAO, which is intended to ensure that the passport chip itself has been signed by a bona fide issuing authority. That signature check (Passive Authentication, in ICAO's terms) establishes that the data on the chip is unaltered, not that the chip is the original: a byte-for-byte copy carries the same valid signature. The one mechanism in the ICAO specification that does tell a copy from the original is the optional Active Authentication challenge, in which the chip proves it holds a private key that cannot be read out; the specification does not require it, and a copied chip cannot answer it.
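The reader-side checks discussed above (the chip 'validating in the reader', the Wired swapped-chip scenario, and an issuer signature that 'doesn't stop a complete copy being made'), modelled as an added Python example. This is illustrative code written for this page, not the article's, ICAO's or any reader vendor's: the RSA is a textbook toy at 256 bits, the data-group layout is a sketch (DG1 holding the MRZ, DG2 the face image, DG15 the chip's Active Authentication public key, and the SOD holding the issuer-signed hashes), the sample MRZ lines and photo bytes are constructed, and the function names (`issue_passport`, `clone_chip`, `passive_authentication`, `active_authentication`, `mrz_matches_chip`) are mine. Active Authentication is ICAO's optional chip-side challenge, included here as the one check a byte-for-byte copy cannot pass; the article itself does not discuss it.

```python
"""Toy model of what an ePassport reader can and cannot tell about a cloned chip.
Added illustration, not code from the article, ICAO or any reader vendor: RSA is
textbook and tiny, and the data groups are a sketch (DG1 = MRZ, DG2 = face,
DG15 = chip's Active Authentication public key, SOD = DG hashes signed by the
issuer's Document Signer key)."""
import hashlib
import random
import secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin on an odd n > 3; fine for generating toy key material."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=256):
    """Returns ((e, n), (d, n)). Toy sizes only; never use for real signatures."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this means gcd == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def sign(priv, data):
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def _dg_hashes(dgs):
    """Hash every data group in a fixed order, as the SOD does."""
    return b"".join(hashlib.sha256(v if isinstance(v, bytes) else repr(v).encode())
                    .digest() for _, v in sorted(dgs.items()))

def issue_passport(issuer_priv, mrz, photo):
    """Issuer side: personalise a chip and sign its Security Object (SOD)."""
    chip_pub, chip_priv = rsa_keygen()
    dgs = {"DG1": mrz.encode(), "DG2": photo, "DG15": chip_pub}
    hashes = _dg_hashes(dgs)
    # aa_priv stays inside the chip; a reader can only ask the chip to use it
    return {"dgs": dgs, "sod": {"hashes": hashes, "sig": sign(issuer_priv, hashes)},
            "aa_priv": chip_priv}

def clone_chip(chip):
    """What reading and re-writing a chip captures: every file, no private key."""
    return {"dgs": dict(chip["dgs"]), "sod": dict(chip["sod"]), "aa_priv": None}

def chip_answer_challenge(chip, nonce):
    """Chip side of Active Authentication; a copy has nothing to sign with."""
    return None if chip["aa_priv"] is None else sign(chip["aa_priv"], nonce)

def passive_authentication(issuer_pub, chip):
    """Reader: are the data groups exactly what the issuer signed?"""
    sod = chip["sod"]
    return (_dg_hashes(chip["dgs"]) == sod["hashes"]
            and verify(issuer_pub, sod["hashes"], sod["sig"]))

def active_authentication(chip):
    """Reader: does this chip hold the private key matching its signed DG15?"""
    nonce = secrets.token_bytes(8)
    response = chip_answer_challenge(chip, nonce)
    return response is not None and verify(chip["dgs"]["DG15"], nonce, response)

def mrz_matches_chip(printed_mrz, chip):
    """Reader: does the MRZ scanned off the paper page equal DG1 on the chip?"""
    return chip["dgs"]["DG1"] == printed_mrz.encode()

def inspect(issuer_pub, printed_mrz, chip):
    return {"PA": passive_authentication(issuer_pub, chip),
            "AA": active_authentication(chip),
            "MRZ": mrz_matches_chip(printed_mrz, chip)}

def demo():
    """The article's scenarios, run on constructed sample passports."""
    issuer_pub, issuer_priv = rsa_keygen()
    alice_mrz = "P<UTOALICE<<ANNA<<<<<<<<<<<<<<<<<<<<<<<<<<<<"   # constructed
    bob_mrz = "P<UTOBOB<<BRIAN<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"     # constructed
    alice = issue_passport(issuer_priv, alice_mrz, b"jpeg-bytes-of-alice")
    copied = clone_chip(alice)
    edited = clone_chip(alice)
    edited["dgs"]["DG2"] = b"jpeg-bytes-of-someone-else"          # swap the photo
    return {
        "genuine": inspect(issuer_pub, alice_mrz, alice),
        # exact copy, paper page copied too: only the chip-side challenge fails
        "exact_copy": inspect(issuer_pub, alice_mrz, copied),
        # the Wired scenario: Bob's own printed pages, Alice's chip data behind them
        "swapped_chip": inspect(issuer_pub, bob_mrz, copied),
        # alter anything on the copy and the issuer's signature no longer matches
        "edited_copy": inspect(issuer_pub, alice_mrz, edited),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

Running the file prints the four scenarios. The exact copy passes the signature check and the MRZ comparison and fails only Active Authentication, which is the article's point: a reader doing the mandatory checks alone says the passport is clean. The swapped chip fails only the MRZ comparison, which is the 'data mismatch that is vulnerable to visual inspection' from the Wired scenario, and it is caught only if the terminal actually compares or displays the chip data. The edited copy fails Passive Authentication, showing why forgers copy rather than alter.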

Other security, as we are all aware, is envisaged by at least some countries in the form of an online check of a central register. For facial-only biometric passports the subversion routes detailed above clearly still work here, because the copy is of a genuine chip, and it will therefore match any record of that chip held on the register. Local fingerprint checking means you (you the suspect, that is) have probably got a problem, because your prints don't match those on the chip. But as most of the passports in the world aren't going to have fingerprints in them for many years, it's entirely unclear why you (you the terrorist, that is) would have decided to copy a fingerprinted passport in the first place.

Although online fingerprint checks aren't specifically relevant to the Grunwald demo, it's worth considering them briefly here as they're being presented by the UK, and are currently being used by the US, as a component of border defence. Effectively, an online check needn't relate to the passport at all (in the US case it doesn't), because it just checks the subject against a register of existing images. So if you'd already been into the US on one passport and you came in on another, copied passport, the fingerprint check in theory ought to get you. In the case of the UK, where the register doesn't exist and there's severe doubt that it ever will, it's more a case of in theory on steroids, but it's the same deal provided it works and provided the terminal actually does an online check. Even for those countries that do intend to check fingerprints against a central register, this will almost certainly be done only at a limited number of points of entry, and possibly not all of the time at all of these.

Which, really, leaves us dealing with the baseline ICAO security, the obvious vulnerabilities in its specification, and sufficiently porous borders for these vulnerabilities to be exploited. Kind of like the good old days (i.e., today), isn't it? Except it costs us more. ®