Elvis has left the border: ePassport faking guide unleashed

Not good enough to work - probably

The Hacker's Choice (THC) has released details of a procedure that allows you to "create a backup of your own passport chip(s)" - or, if you were that way inclined, use a modified chip to build a fake ePassport that will not be detected by at least some passport readers.

THC offers a video of "Elvis's" passport being approved by a reader at Amsterdam airport. Note that the reader is a public verification terminal, not one at a border check, so there's no illegal act being committed, nor does the video prove that a fake ePassport could get through a border.

But could that happen?

THC provides a walk-through of the process of producing a viable clone of an ePassport chip, and then of producing one with altered data that will still be passed by machines of similar capabilities to the one at Amsterdam airport. The procedure builds on - and cites - earlier work by Adam Laurie (tools to read the chip's content) and Jeroen van Beek's demo at BlackHat this year. Updated (i.e., altered) chip data is then signed using Peter Gutmann's CryptLib.

What you would then have - if, that is, you would ever do such a thing - is a spoof (say, Elvis') or forged ePassport that would pass some readers, but not all of them. But Entrust, which handles PKI security for ePassports, doubts that any of these readers will ever show up at a live border checkpoint.

"It's exceedingly unlikely," says PKI product manager Mark Joynes, arguing that the equipment used by van Beek for his demo is intended for test and development purposes, not for border deployment. "Governments' security experts aren't dummies and they aren't going to make those mistakes."

Jeroen van Beek's presentation gives a rundown of how this particular class of equipment can be fooled, while the University of Amsterdam's SNE/OS3 site explains what's going on in more detail. By manipulating ePassport data an attacker can circumvent optional security features such as Active Authentication, which is itself currently used only by a limited number of countries (current UK and US passports do not use it).

The existence of countries not using this feature is crucial to the exploit demonstrated, because it means that readers have to accept ePassports that don't carry Active Authentication, the chip's defence against cloning. Deleting the Active Authentication public key (held in data group DG15) from the cloned chip causes the reader to assume that Active Authentication isn't enabled for that passport, and because that's permissible under ICAO rules - but not advisable - it doesn't flag it as a problem. Since the chip's Security Object holds a hash of every data group present, a chip with DG15 removed has to be re-signed, which is where the second half of the exploit comes in.

For the next part of the exploit, van Beek was able to copy his own data onto a passport chip, sign it, and have it passed by the reader. Tim Moses, senior director at Entrust's advanced security technology group, explains that what's failing here is not the signature, but the certificate chain. The signature itself, he points out, is a perfectly valid one backed by a self-signed certificate, and it's the check of whether or not that certificate has been issued by a bona fide authority that is absent. Yes, that music you hear is the sound of angels dancing on a pinhead, but nevertheless what the man says is true.
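To make that distinction concrete, here is an added example in Go (not code from THC, van Beek or Entrust) that models both halves of the attack described above: dropping DG15 from a cloned chip and re-signing the data under a self-signed Document Signer certificate. The "naive" reader checks only that the signature verifies under the certificate the chip carries; the "border" reader also chains that certificate to a CSCA in its trust store and can insist on DG15 being present. The country and certificate names, the data-group contents and the flat signing scheme are simplifying assumptions for illustration, not ICAO 9303 encoding or any real reader's logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Passport is an illustrative model, not ICAO 9303 encoding: data groups (DG1 MRZ, DG2 photo, optional
// DG15 Active Authentication key), a Document Signer (DS) signature over them, and the DS certificate.
type Passport struct {
	DataGroups map[int][]byte
	Signature  []byte
	DSCert     *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newSigner generates a P-256 key and a certificate for it; a nil parent means self-signed.
func newSigner(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0), BasicConstraintsValid: true, IsCA: ca}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// digest is what the DS key signs: every DG slot 1..16 with its presence flag and content hash, in order.
func digest(dgs map[int][]byte) []byte {
	h := sha256.New()
	for n := 1; n <= 16; n++ {
		dg, ok := dgs[n]
		fmt.Fprintf(h, "%d:%t:%x;", n, ok, sha256.Sum256(dg))
	}
	return h.Sum(nil)
}

// Sign (re)signs the current data groups with dsKey and attaches dsCert, as a re-issued SOD would.
func Sign(p *Passport, dsKey *ecdsa.PrivateKey, dsCert *x509.Certificate) {
	sig, err := ecdsa.SignASN1(rand.Reader, dsKey, digest(p.DataGroups))
	check(err)
	p.Signature, p.DSCert = sig, dsCert
}

// NaiveVerify is the development-type reader of the article: the signature checks out under the
// certificate the chip itself carries, and nobody asks who issued that certificate.
func NaiveVerify(p *Passport) bool {
	pub, ok := p.DSCert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest(p.DataGroups), p.Signature)
}

// BorderVerify adds what Entrust says a border reader does: the DS certificate must chain to a CSCA in the
// trust store (filled from the PKD, bilateral exchange or a CTL) and, if policy demands AA, DG15 must exist.
func BorderVerify(p *Passport, cscas *x509.CertPool, requireAA bool) error {
	if !NaiveVerify(p) {
		return fmt.Errorf("SOD signature invalid")
	}
	if _, err := p.DSCert.Verify(x509.VerifyOptions{Roots: cscas, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("DS certificate not issued by a trusted CSCA: %w", err)
	}
	if _, ok := p.DataGroups[15]; requireAA && !ok {
		return fmt.Errorf("policy requires Active Authentication but DG15 is absent")
	}
	return nil
}

// Scenario builds a genuine passport of a hypothetical country, the forgery the article describes, and the
// CSCA trust store a border reader would hold. All data group contents are constructed sample data.
func Scenario() (genuine, forged *Passport, cscas *x509.CertPool) {
	cscaKey, csca := newSigner("CSCA Utopia", true, nil, nil)
	dsKey, ds := newSigner("DS Utopia 01", false, csca, cscaKey)
	genuine = &Passport{DataGroups: map[int][]byte{1: []byte("P<UTOPRESLEY<<ELVIS<<"), 2: []byte("<photo>"), 15: []byte("<AA pubkey>")}}
	Sign(genuine, dsKey, ds)
	// Clone the chip, drop DG15 (a reader then assumes AA is not enabled), alter DG1, and re-sign with an
	// attacker-generated key whose DS certificate is merely self-signed under a copied name.
	forged = &Passport{DataGroups: map[int][]byte{1: []byte("P<UTOSMITH<<JOHN<<"), 2: genuine.DataGroups[2]}}
	rogueKey, rogue := newSigner("DS Utopia 01", false, nil, nil)
	Sign(forged, rogueKey, rogue)
	cscas = x509.NewCertPool()
	cscas.AddCert(csca)
	return genuine, forged, cscas
}

func main() {
	genuine, forged, cscas := Scenario()
	fmt.Println("genuine:", NaiveVerify(genuine), BorderVerify(genuine, cscas, true))
	fmt.Println("forged: ", NaiveVerify(forged), BorderVerify(forged, cscas, true))
}
```

Run as-is and the forged document passes NaiveVerify (true) while BorderVerify reports the DS certificate as signed by an unknown authority; the genuine one passes both. Note that the forgery never breaks a signature: the only thing separating the two readers is whether the certificate that validated the signature is itself trusted, which is exactly the check the PKD, bilateral exchanges and CTLs exist to feed.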

The $64,000 question is therefore whether or not a proper certificate check will be present at border control. The 'official' channel for this is the ICAO Public Key Directory (PKD), but as of May only nine countries - Australia, Canada, Germany, Japan, New Zealand, Republic of Korea, Singapore, the UK, and the US - were participating, although France is likely to have joined by now. "PKD is getting greater use than it has in the past," says Joynes, but he confirms that these numbers sound right, and points out that the PKD isn't the only route for distribution of countries' public keys. The number of bilateral agreements is growing, and countries are starting to establish Certificate Trust Lists, in which a group of countries share one list of the certificates they trust.

The bottom line, says Entrust, is that the ability to validate certificates should always be present at border crossings, and that machines there will raise an alert if "Elvis" attempts to get by. Would one expect a machine such as the Amsterdam airport one, which is intended to display the content of a passport chip but not (as OS3 itself points out) guaranteed to verify the chip, to check certificates? Possibly not.

This and other weaknesses could be dealt with, Jeroen van Beek argued at BlackHat, if key security features were mandatory rather than optional, as is currently the case. "If one party doesn't use a feature," he said, "the security level of the entire system (globally!) depends on compensating measures". He argues that automated border control (which is currently planned for the UK) should only be used for ePassports with all security features enabled and that all countries should be using a trusted PKI system.

"I wouldn't disagree with that," says Joynes, adding that ICAO's recommendations and documentation nevertheless provide you with sufficient tools to implement a secure system. Systems are insecure, he says, "where they are not implementing all of the security measures correctly." Which is more or less what van Beek's been saying. ®
