Elvis has left the border: ePassport faking guide unleashed

Not good enough to work - probably

The Hacker's Choice (THC) has released details of a procedure that allows you to "create a backup of your own passport chip(s)" - or, if you were that way inclined, use a modified chip to build a fake ePassport that will not be detected by at least some passport readers.

THC offers a video of "Elvis's" passport being approved by a reader at Amsterdam airport. Note that the reader is a public verification terminal, not one at a border check, so there's no illegal act being committed, nor does the video prove that a fake ePassport could get through a border.

But could that happen?

THC provides a walk-through of the process of producing a viable clone of an ePassport chip, and of producing one with altered data that will still be passed by machines of similar capabilities to the one at Amsterdam airport. The procedure builds on - and cites - earlier work by Adam Laurie (tools to read the chip's content) and Jeroen van Beek's demo at BlackHat this year. Updated (i.e., altered) chip data is then signed using Peter Gutmann's CryptLib.

What you would then have - if, that is, you would ever do such a thing - is a spoof (say, Elvis') or forged ePassport that would pass some readers, but not all of them. But Entrust, which handles PKI security for ePassports, doubts that any of these readers will ever show up at a live border checkpoint.

"It's exceedingly unlikely," says PKI product manager Mark Joynes, arguing that the equipment used by van Beek for his demo is intended for test and development purposes, not for border deployment. "Governments' security experts aren't dummies and they aren't going to make those mistakes."

Jeroen van Beek's presentation gives a rundown of how this particular class of equipment can be fooled, while the University of Amsterdam's SNE/OS3 site explains what's going on in more detail. By manipulating ePassport data an attacker can circumvent optional security features such as Active Authentication, which is itself currently used only by a limited number of countries (current UK and US passports do not use it).

The existence of countries not using this feature is crucial to the exploit demonstrated, because it means that readers need to cater for ePassports that don't have Active Authentication as a defence against cloning. Deleting the public key of the Active Authentication key pair causes the reader to assume that Active Authentication isn't enabled for the passport, and because that's permissible under ICAO rules - but not advisable - it doesn't flag it as a problem.

For the next part of the exploit, van Beek was able to copy his own data onto a passport chip, sign it, and have it passed by the reader. Tim Moses, senior director at Entrust's advanced security technology group, explains that what's failing here is not the signature, but the certificate chain. The signature itself, he points out, is a perfectly valid one backed by a self-signed certificate, and it's the check of whether or not that certificate has been issued by a bona fide authority that is absent. Yes, that music you hear is the sound of angels dancing on a pinhead, but nevertheless what the man says is true.
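To make Moses' distinction concrete, here is an added example (not code from THC, van Beek or Entrust) that models the two readers in Python with textbook RSA on constructed small primes: one verifies the Document Security Object (SOD) only against the Document Signer Certificate (DSC) the chip presents, the other also chains that DSC to a Country Signing CA (CSCA) key held in a trust store. All names, keys and data-group contents are constructed for the illustration.

```python
import hashlib

# Toy textbook RSA on constructed small primes: enough to show the chain logic,
# nowhere near real ePassport key sizes or padding.
def rsa_keygen(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def cert_tbs(subject, pub, issuer):
    # The to-be-signed part of a certificate: who it names, its key, who issued it.
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()

def make_cert(subject, pub, issuer, issuer_priv):
    return {"subject": subject, "pub": pub, "issuer": issuer,
            "sig": sign(issuer_priv, cert_tbs(subject, pub, issuer))}

def sod_ok_naive(sod, dsc):
    # What the demo reader effectively does: verify the SOD against whatever
    # Document Signer Certificate the chip presents, without asking who vouches for it.
    return verify(dsc["pub"], sod["data"], sod["sig"])

def sod_ok_with_chain(sod, dsc, trust_store):
    # The missing check: the DSC must itself be signed by a CSCA key obtained
    # out of band (ICAO PKD, bilateral exchange or a Certificate Trust List).
    if not sod_ok_naive(sod, dsc):
        return False
    csca_pub = trust_store.get(dsc["issuer"])
    tbs = cert_tbs(dsc["subject"], dsc["pub"], dsc["issuer"])
    return csca_pub is not None and verify(csca_pub, tbs, dsc["sig"])

# Constructed parties: a CSCA, the DSC it issued, and the forger's own key pair.
CSCA_PUB, CSCA_PRIV = rsa_keygen(104729, 1299709)
DSC_PUB, DSC_PRIV = rsa_keygen(999983, 15485863)
EVIL_PUB, EVIL_PRIV = rsa_keygen(7919, 1000003)
TRUST_STORE = {"CSCA-Utopia": CSCA_PUB}   # what a PKD download would populate
GENUINE_DSC = make_cert("DSC-Utopia-01", DSC_PUB, "CSCA-Utopia", CSCA_PRIV)
GENUINE_SOD = {"data": b"DG1:DOE<<JANE", "sig": sign(DSC_PRIV, b"DG1:DOE<<JANE")}

# The forger rewrites DG1 and re-signs it under a self-signed DSC (issuer = itself).
FAKE_DSC = make_cert("DSC-Elvis", EVIL_PUB, "DSC-Elvis", EVIL_PRIV)
FAKE_SOD = {"data": b"DG1:PRESLEY<<ELVIS", "sig": sign(EVIL_PRIV, b"DG1:PRESLEY<<ELVIS")}
# Naming the real CSCA as issuer does not help: the CSCA's key never signed this DSC.
SPOOFED_DSC = make_cert("DSC-Elvis", EVIL_PUB, "CSCA-Utopia", EVIL_PRIV)
```

The naive reader accepts both the genuine and the "Elvis" SOD, because each signature really does verify under its own certificate; only the chain-aware reader notices that nobody in the trust store vouches for the forger's DSC.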

The $64,000 question is therefore whether or not a proper certificate check will be present at border control. The 'official' channel for this is the ICAO Public Key Directory (PKD), but as of May only nine countries - Australia, Canada, Germany, Japan, New Zealand, Republic of Korea, Singapore, the UK, and the US - were participating, although France is likely to have joined by now. "PKD is getting greater use than it has in the past," says Joynes, but he confirms that these numbers sound right, and points out that the PKD isn't the only route for distribution of countries' public keys. The number of bilateral agreements is growing, and countries are starting to establish Certificate Trust Lists, where numbers of them are, effectively, grouped in trusted relationships.

The bottom line, says Entrust, is that the ability to validate certificates should always be present at border crossings, and those machines will set off an alert if "Elvis" attempts to get by. Would one expect a machine such as the Amsterdam airport one, which is intended to display the content of a passport chip but not (as OS3 itself points out) guaranteed to verify the chip, to check certificates? Possibly not.

This and other weaknesses could be dealt with, Jeroen van Beek argued at BlackHat, if key security features were mandatory rather than optional, as is currently the case. "If one party doesn't use a feature," he said, "the security level of the entire system (globally!) depends on compensating measures". He argues that automated border control (which is currently planned for the UK) should only be used for ePassports with all security features enabled and that all countries should be using a trusted PKI system.

"I wouldn't disagree with that," says Joynes, adding that ICAO's recommendations and documentation nevertheless provide you with sufficient tools to implement a secure system. Systems are insecure, he says, "where they are not implementing all of the security measures correctly." Which is more or less what van Beek's been saying. ®
