Elvis has left the border: ePassport faking guide unleashed

Not good enough to work - probably

The Hacker's Choice (THC) has released details of a procedure that allows you to "create a backup of your own passport chip(s)" - or, if you were that way inclined, use a modified chip to build a fake ePassport that will not be detected by at least some passport readers.

THC offers a video of "Elvis's" passport being approved by a reader at Amsterdam airport. Note that the reader is a public verification terminal, not one at a border check, so there's no illegal act being committed, nor does the video prove that a fake ePassport could get through a border.

But could that happen?

THC provides a walkthrough of the process of producing a viable clone of an ePassport chip, and of producing one with altered data that will still be passed by machines of similar capabilities to the one at Amsterdam airport. The procedure builds on - and cites - earlier work by Adam Laurie (tools to read the chip's content) and Jeroen van Beek's demo at BlackHat this year. Updated (i.e., altered) chip data is then signed using Peter Gutmann's CryptLib.

What you would then have - if, that is, you would ever do such a thing - is a spoof (say, Elvis') or forged ePassport that would pass some readers, but not all of them. But Entrust, which handles PKI security for ePassports, doubts that any of these readers will ever show up at a live border checkpoint.

"It's exceedingly unlikely," says PKI product manager Mark Joynes, arguing that the equipment used by van Beek for his demo is intended for test and development purposes, not for border deployment. "Governments' security experts aren't dummies and they aren't going to make those mistakes."

Jeroen van Beek's presentation gives a rundown of how this particular class of equipment can be fooled, while the University of Amsterdam's SNE/OS3 site explains what's going on in more detail. By manipulating ePassport data an attacker can circumvent optional security features such as Active Authentication, which is itself currently used only by a limited number of countries (current UK and US passports do not use it).

The existence of countries not using this feature is crucial to the exploit demonstrated, because it means that readers need to cater for ePassports that don't have Active Authentication as a defence against cloning. Deleting the public key of the Active Authentication key pair causes the reader to assume that Active Authentication isn't enabled for the passport, and because that's permissible under ICAO rules - but not advisable - it doesn't flag it as a problem.

For the next part of the exploit, van Beek was able to copy his own data onto a passport chip, sign it, and have it passed by the reader. Tim Moses, senior director at Entrust's advanced security technology group, explains that what's failing here is not the signature, but the certificate chain. The signature itself, he points out, is a perfectly valid one backed by a self-signed certificate, and it's the check of whether or not that certificate has been issued by a bona fide authority that is absent. Yes, that music you hear is the sound of angels dancing on a pinhead, but nevertheless what the man says is true.

The $64,000 question is therefore whether or not a proper certificate check will be present at border control. The 'official' channel for this is the ICAO Public Key Directory (PKD), but as of May only nine countries - Australia, Canada, Germany, Japan, New Zealand, Republic of Korea, Singapore, the UK, and the US - were participating, although France is likely to have joined by now. "PKD is getting greater use than it has in the past," says Joynes, but he confirms that these numbers sound right, and points out that the PKD isn't the only route for distribution of countries' public keys. The number of bilateral agreements is growing, and countries are starting to establish Certificate Trust Lists, where numbers of them are, effectively, grouped in trusted relationships.

The bottom line, says Entrust, is that the ability to validate certificates should always be present at border crossings, and there, machines will set off an alert if "Elvis" attempts to get by. Would one expect a machine such as the Amsterdam airport one, which is intended to display the content of a passport chip but not (as OS3 itself points out) guaranteed to verify the chip, to check certificates? Possibly not.

This and other weaknesses could be dealt with, Jeroen van Beek argued at BlackHat, if key security features were mandatory rather than optional, as is currently the case. "If one party doesn't use a feature," he said, "the security level of the entire system (globally!) depends on compensating measures". He argues that automated border control (which is currently planned for the UK) should only be used for ePassports with all security features enabled and that all countries should be using a trusted PKI system.
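The checks described in the preceding paragraphs, written out as an added example that is not part of the article, of THC's guide or of any of the tools it cites: a reader that verifies the Document Security Object (SOD) signature, then validates the Document Signer certificate against a trust list of CSCA certificates (the role filled by the ICAO PKD, bilateral exchange or a Certificate Trust List), and separately records whether Active Authentication material (DG15) is present so that its absence becomes a policy decision rather than a silent pass, as van Beek argues it should be for automated gates. The CSCA and Document Signer certificates, keys, SOD contents and DG15 bytes are all constructed inside the code, and the type and function names (`Passport`, `Result`, `Verify`, `Decide`, `GenuineAndForged`) are this example's own; they do not follow the ICAO data layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Passport is a constructed stand-in for the parts of an ePassport chip this check touches:
// the SOD bytes, the signature over them, the Document Signer (DS) certificate, and the
// optional Active Authentication public key (DG15), which may be absent.
type Passport struct {
	SOD       []byte
	Signature []byte
	DSCert    *x509.Certificate
	AAPubKey  []byte // nil models a chip whose DG15 is missing
}

// Result keeps the three questions apart, so "signature verifies" is never
// mistaken for "issued by a trusted authority".
type Result struct {
	SignatureValid bool // SOD signature verifies under the DS certificate's key
	ChainValid     bool // DS certificate chains to a CSCA in the reader's trust list
	AAAvailable    bool // DG15 present, so Active Authentication could be run
}

// Verify checks the SOD signature, then validates the DS certificate against the CSCA trust
// list, and records whether Active Authentication material exists. A self-signed DS
// certificate gives SignatureValid=true but ChainValid=false: the gap the article describes.
func Verify(p *Passport, cscaTrustList *x509.CertPool) (Result, error) {
	var r Result
	if p.DSCert == nil {
		return r, errors.New("no document signer certificate on chip")
	}
	pub, ok := p.DSCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return r, errors.New("unsupported document signer key type")
	}
	digest := sha256.Sum256(p.SOD)
	r.SignatureValid = ecdsa.VerifyASN1(pub, digest[:], p.Signature)
	if !r.SignatureValid {
		return r, errors.New("SOD signature does not verify")
	}
	_, chainErr := p.DSCert.Verify(x509.VerifyOptions{
		Roots:     cscaTrustList,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	r.ChainValid = chainErr == nil
	r.AAAvailable = len(p.AAPubKey) > 0
	if !r.ChainValid {
		return r, fmt.Errorf("document signer not issued by a trusted CSCA: %w", chainErr)
	}
	return r, nil
}

// Decide applies reader policy: a border reader requires a valid chain, and an automated
// gate may additionally require DG15 instead of treating its absence as "feature not used".
func Decide(r Result, requireAA bool) bool {
	return r.SignatureValid && r.ChainValid && (!requireAA || r.AAAvailable)
}

// --- constructed test material below (not real CSCA or DS certificates) ---

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

func template(cn string, ca bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca { t.KeyUsage = x509.KeyUsageCertSign }
	return t
}

func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

func signSOD(sod []byte, key *ecdsa.PrivateKey) []byte {
	d := sha256.Sum256(sod)
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	if err != nil { panic(err) }
	return sig
}

// GenuineAndForged builds a constructed CSCA, a DS certificate issued by it, a genuine chip,
// and a chip rewritten and re-signed under a self-signed DS certificate with DG15 absent.
func GenuineAndForged() (genuine, forged *Passport, trust *x509.CertPool) {
	cscaKey, dsKey, rogueKey := newKey(), newKey(), newKey()
	cscaTmpl := template("CSCA-EXAMPLE", true, 1)
	csca := makeCert(cscaTmpl, cscaTmpl, &cscaKey.PublicKey, cscaKey)
	ds := makeCert(template("DS-EXAMPLE", false, 2), csca, &dsKey.PublicKey, cscaKey)
	rogueTmpl := template("DS-SELFSIGNED", false, 3)
	rogue := makeCert(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	trust = x509.NewCertPool()
	trust.AddCert(csca)
	realSOD := []byte("constructed SOD: holder=JANE DOE")
	genuine = &Passport{SOD: realSOD, Signature: signSOD(realSOD, dsKey), DSCert: ds, AAPubKey: []byte("constructed DG15")}
	fakeSOD := []byte("constructed SOD: holder=ELVIS")
	forged = &Passport{SOD: fakeSOD, Signature: signSOD(fakeSOD, rogueKey), DSCert: rogue}
	return genuine, forged, trust
}

func main() {
	genuine, forged, trust := GenuineAndForged()
	for name, p := range map[string]*Passport{"genuine": genuine, "forged": forged} {
		r, err := Verify(p, trust)
		fmt.Printf("%-7s sig=%v chain=%v aa=%v accept=%v err=%v\n",
			name, r.SignatureValid, r.ChainValid, r.AAAvailable, Decide(r, true), err)
	}
}
```

Running it prints one line per document: the genuine one verifies on all three counts, while the re-signed one has a valid signature but fails the chain check and has no DG15, so `Decide` rejects it. A reader that stops after the signature check, as the test equipment in the demo appears to, would treat both lines as equal.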

"I wouldn't disagree with that," says Joynes, adding that ICAO's recommendations and documentation nevertheless provide you with sufficient tools to implement a secure system. Systems are insecure, he says, "where they are not implementing all of the security measures correctly." Which is more or less what van Beek's been saying. ®
