Feeds

E-passport security flaw allows remote ID of nationality

Hi-tech Fagin flaw

High performance access to file storage

Security researchers have discovered a technique for reliably detecting the presence and nationality of a nearby e-passport.

Most newly issued passports carry an embedded RFID containing digitally signed biometric information. Access to this chip is wireless, which introduces a security risk, the possibility that an attacker might be able to access data on a person’s passport without the owner knowing.

Security precautions ought to prevent unauthorised access to data held on a next-generation e-passport. But a trio of researchers from Lausitz University of Applied Sciences, Germany and Radboud University, in The Netherlands, have shown that its trivial to at least remotely detect the presence of a passport and determine its nationality. "Although all passports implement the same international standard, experiments with passports from ten different countries show that characteristics of each implementation provide a fingerprint that is unique to passports of a particular country," the researchers explain.

To frustrate wireless reading of passport content without an owner’s consent, e-passports use a mechanism called Basic Access Control (BAC). The approach means that in order to read data from the RFID chip you need to optically read a key, printed in passports. This key is based on a passport serial number. Subsequent communication between a passport and a reader is then encrypted to prevent eavesdropping. All EU passports implement BAC.

Weaknesses in the encryption mechanism used in BAC in withstanding brute force attacks have already been reported.

The latest research uncovers a different shortcoming - the possibility that thieves could use technology to detect the presence and nationality of passports in a crowd, the sort of information that might be useful for a hi-tech pickpocket.

"This turns out to be surprisingly easy to do," the researchers report. "Although passports implement the same standard, there are differences that can be detected, especially by sending ill-formed requests, before Basic Access Control takes places."

The attack works because ICAO (International Civil Aviation Organization) specs do not prescribe a standard response to particular malformed requests, leaving room for diversity among implementations. If the ICAO specs did require a standard response for commands not listed in the specs and all malformed requests, this would make distinguishing passport nationalities much harder or even impossible, the researchers note.

Using this scanning approach the team was able to reliably detect the nationality of passports from 10 different countries: Australia, Belgium, France, Germany, Greece, Italy, the Netherlands, Poland, Spain, and Sweden. E-passports from other countries implementing BAC might also be vulnerable.

Eavesdropping on e-passports has been shown to be possible from up to nine meters for passive eavesdropping. Scanning passports involves generating a stronger magnetic field, creating practical problems for would-be thieves. Even so previous researcher suggests a device capable of scanning up to 25cm can be made for around $100.

The researchers - Wojciech Mostowski and Erik Poll, both from Radboud University, and Henning Richter of Lausitz University - argue their findings strengthen the case for metal shielding to prevent communication between a reader and a passport while the identity document is closed. This safeguard is already used in US passports as an alternative to Basic Access Control.

"While not an immediate security threat to the passport itself, it could be a concern to the passport holder," the researchers note. "This functionality is clearly useful for passport thieves."

The researchers also document other approaches to fingerprinting e-passports. Any research documenting cryptographic shortcomings is interesting but we can't help thinking that, in practice, would-be passport thieves would find it easier simply to hang around airports and wait for arrivals from a country whose passports they are interested in nicking. Alternatively they might hang around downtown airport shuttle terminals and take their chances there.

The researchers paper can be found here (PDF). ®

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.