Feeds

E-passport security flaw allows remote ID of nationality

Hi-tech Fagin flaw

3 Big data security analytics techniques

Security researchers have discovered a technique for reliably detecting the presence and nationality of a nearby e-passport.

Most newly issued passports carry an embedded RFID containing digitally signed biometric information. Access to this chip is wireless, which introduces a security risk, the possibility that an attacker might be able to access data on a person’s passport without the owner knowing.

Security precautions ought to prevent unauthorised access to data held on a next-generation e-passport. But a trio of researchers from Lausitz University of Applied Sciences, Germany and Radboud University, in The Netherlands, have shown that its trivial to at least remotely detect the presence of a passport and determine its nationality. "Although all passports implement the same international standard, experiments with passports from ten different countries show that characteristics of each implementation provide a fingerprint that is unique to passports of a particular country," the researchers explain.

To frustrate wireless reading of passport content without an owner’s consent, e-passports use a mechanism called Basic Access Control (BAC). The approach means that in order to read data from the RFID chip you need to optically read a key, printed in passports. This key is based on a passport serial number. Subsequent communication between a passport and a reader is then encrypted to prevent eavesdropping. All EU passports implement BAC.

Weaknesses in the encryption mechanism used in BAC in withstanding brute force attacks have already been reported.

The latest research uncovers a different shortcoming - the possibility that thieves could use technology to detect the presence and nationality of passports in a crowd, the sort of information that might be useful for a hi-tech pickpocket.

"This turns out to be surprisingly easy to do," the researchers report. "Although passports implement the same standard, there are differences that can be detected, especially by sending ill-formed requests, before Basic Access Control takes places."

The attack works because ICAO (International Civil Aviation Organization) specs do not prescribe a standard response to particular malformed requests, leaving room for diversity among implementations. If the ICAO specs did require a standard response for commands not listed in the specs and all malformed requests, this would make distinguishing passport nationalities much harder or even impossible, the researchers note.

Using this scanning approach the team was able to reliably detect the nationality of passports from 10 different countries: Australia, Belgium, France, Germany, Greece, Italy, the Netherlands, Poland, Spain, and Sweden. E-passports from other countries implementing BAC might also be vulnerable.

Eavesdropping on e-passports has been shown to be possible from up to nine meters for passive eavesdropping. Scanning passports involves generating a stronger magnetic field, creating practical problems for would-be thieves. Even so previous researcher suggests a device capable of scanning up to 25cm can be made for around $100.

The researchers - Wojciech Mostowski and Erik Poll, both from Radboud University, and Henning Richter of Lausitz University - argue their findings strengthen the case for metal shielding to prevent communication between a reader and a passport while the identity document is closed. This safeguard is already used in US passports as an alternative to Basic Access Control.

"While not an immediate security threat to the passport itself, it could be a concern to the passport holder," the researchers note. "This functionality is clearly useful for passport thieves."

The researchers also document other approaches to fingerprinting e-passports. Any research documenting cryptographic shortcomings is interesting but we can't help thinking that, in practice, would-be passport thieves would find it easier simply to hang around airports and wait for arrivals from a country whose passports they are interested in nicking. Alternatively they might hang around downtown airport shuttle terminals and take their chances there.

The researchers paper can be found here (PDF). ®

Combat fraud and increase customer satisfaction

More from The Register

next story
EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?
Wait 'til this one hits your pension fund where it hurts
Systems meltdown plunges US immigration courts into pen-and-paper stone age
Massive outage could last four weeks, sources claim
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.