How to clone the copy-friendly biometric passport

So easy the manual tells you that you can do it

The Power of One eBook: Top reasons to choose HP BladeSystem

ICAO (we mentioned this quite recently) stresses that machine checking of the document is not intended to substitute for ID checking of the bearer. The ICAO systems are designed to impede the forgery or falsification of the document itself, and not to give any kind of guarantee that the bearer matches the document. Grunwald's demo doesn't quite knock the hell out of this, because all it produces is a copied chip, but it does tend to indicate that the authenticity of the full document may not be entirely rock-solid. Whatever ICAO says, however, using machines as substitutes for 'fallible' human checkers is a major part of the exercise for some governments, and opportunities for forgers can be seen here.

A full copy passport will pass a machine, and the picture (which is on the chip) only provides a barrier here if there's also a machine trying to match the face of the bearer to the face in the passport. Even then, current systems can only rationally be used as an aid or indicator for a human checker, so if there isn't one of these present it's not likely to be used. Where there is likely to be a human checker present, it will still be feasible for people carrying copied passports to pass by provided they look approximately like the picture in the passport (i.e., just the same as the good old days), because the chip in the passport will validate in the reader. Note also that the mere presence of the reader, the chip and the general ePassport security pixie dust will - no matter what the circulars say - have a psychological effect on border control staff. They will tend, because the machine says the passport's clean, to drop their guard, not really inspect either picture or bearer properly. This kind of effect is well documented, and it's the same kind of thing as people walking in and out of companies unchallenged despite wearing a security tag in the name of 'Michael Mouse'.

The Wired write-up suggests that "a terrorist whose name is on a watch list could carry a passport with his real name and photo printed on the pages, but with an RFID chip that contains different information cloned from someone else's passport" - but although this is possible in some circumstances, it's chancy because it oughtn't to work for reading terminals where the chip data is put onto a screen for border control. And then, nabbed with a definitely mucked-around passport, the bearer is in trouble. Grunwald suggests that the ePassport data could also be put onto a card, and then put between the chip on the ePassport and the reader, meaning that the reading comes from the card rather than the ePassport.

This is basically the same exploit, producing a data mismatch that is vulnerable to visual inspection, but is potentially helpful to the intruder because the ePassport can be genuine (although possibly on a watchlist), and because the card could be used or not depending on whether an opportunity were available.

Note also that the ability to produce a copy that will pass an unattended machine scan easily severely impedes the use of the ePassport as a general identity document and, provided what goes for ePassports goes for ID cards (which the Home Office tells us it does) undermines the UK ID card's ability to act as one. And ask yourself how you close an ID card - we'd like to know too.

ICAO suggests higher levels of security to protect additional biometrics such as fingerprint and iris, and some of these could also be used to protect the 'vanilla' ePassport. Encryption, for example, can be used to combat skimming, but in a document with a ten year lifespan encryption (as ICAO freely admits) is likely to have a limited effect. Nor does it prevent an exact copy being made. A PKI system can also be used in an attempt to ensure that the reader itself is authorised, and thus to protect the additional biometrics. This requires processing on the passport chip, and again doesn't stop a complete copy being made. This PKI system, as explained here with reference to the European biometric passport, is run by the issuing authority, and is different from the PKI system administered by ICAO, which is intended to ensure that the passport chip itself has been signed by a bona fide issuing authority.

Other security, as we are all aware, is envisaged by at least some countries in the form of an online check of a central register. For facial-only biometric passports the subversion routes detailed above clearly still work here, because the copy is of a genuine chip, and it will therefore any record of that chip held on the register. Local fingerprint checking means you (you the suspect, that is) have probably got a problem because your prints don't match those on the chip. But as most of the passports in the world aren't going to have fingerprints in them for many years, it's entirely unclear why you (you the terrorist, that is) have decided to copy a fingerprinted passport.

Although online fingerprint checks aren't specifically relevant to the Grunwald demo, it's worth considering them briefly here as they're being presented by the UK, and are currently being used by the US, as a component of border defence. Effectively, an online check needn't relate to the passport at all (in the US case it doesn't), because it just checks the subject against a register of existing images. So if you'd already been into the US on one passport and you came in on another, copied passport, the fingerprint check in theory ought to get you. In the case of the UK, where the register doesn't exist and there's severe doubt that it ever will, it's more a case of in theory on steroids, but it's the same deal provided it works and provided the terminal actually does an online check. Even for those countries that do intend to check fingerprints against a central register, this will almost certainly be done only at limited number of points of entry, and possibly not all of the time at all of these.

Which, really, leaves us dealing with the baseline ICAO security, the obvious vulnerabilities in its specification, and sufficiently porous borders for these vulnerabilities to be exploited. Kind of like the good old days (i.e., today), isn't it? Except it costs us more. ®

Top three mobile application threats

More from The Register

next story
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.