‘Fake proof’ e-passport is cloned in minutes

* Home Office previously argued that fake chips could be detected
* Serious questions raised about ID card scheme

New micro chipped passports, designed to be foolproof against identity theft, can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports, The Times reported on Wednesday.

Tests exposed security flaws in the microchips introduced to protect against terrorism and organized crime. The flaws also undermine claims that 3,000 blank passports stolen in Britain last week were worthless because they could not be forged.

Home office: The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international database. But only 10 of the 45 countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year.

The tests were conducted by Jeroen van Beek, a security researcher at the University of Amsterdam. Van Beek developed a method of reading, cloning and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organization to test them. It is also the software recommended for use at airports.

Using his own software, a publicly available programming code, a £40 card reader and two £10 RFID chips, van Beek took less than an hour to clone and manipulate two passport chips to a level at which they were ready to be planted inside fake or stolen paper passports.

A baby boy’s passport chip was altered to contain an image of Osama bin Laden, and the passport of a 36-year-old woman was changed to feature a picture of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. The unlikely identities were chosen so that there could be no suggestion that either van Beek or The Times were faking viable travel documents.

Questions: The tests raise serious questions about the government’s £4 billion identity card scheme, which relies on the same biometric technology. Last night Dominic Grieve, the Shadow Home Secretary, called on ministers to take urgent action to remedy the security flaws discovered by The Times. “It is of deep concern that the technology underpinning a key part of the UK’s security can be compromised so easily,” he said.

The ability to clone chips leaves travellers vulnerable to identity theft when they surrender their passports at hotels or car rental companies. Criminals in the back office could read the chips and clone them

The Home Office said last night that it had yet to see evidence of someone being able to manipulate data in an e-passport. A spokesman said: “No one has yet been able to demonstrate that they are able to modify, change or alter data within the chip. If any data were to be changed, modified or altered it would be immediately obvious to the electronic reader.”

The International Civil Aviation Organization said: “The PKD ensures that e-passports used at border control points . . . are genuine and unaltered. In effect it renders the passport foolproof. However, all states issuing e-passports must join the PKD, otherwise that assurance cannot be given.”

Source: Daily Times, 7/8/2008

Leave a Reply