Passport chips can be copied, researcher says

The State Department is readying a new passport with RFID chips that supposedly will prevent document forgery. Privacy advocates have long worried that bad guys would easily be able to grab the data from these RFID passports with long-range readers. But now comes a new threat: A German computer scientist says the data on the chips can easily be copied, Wired News reports.
"The whole passport design is totally brain damaged," Lukas Grunwald, a security consultant with DN-Systems in Germany, says. "From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all."

A key issue is that the current passports don't encrypt the data on the chips. "And of course if you can read the data, you can clone the data and put it in a new tag," Grunwald says. Grunwald's assertions, which he planned to demonstrate at the Black Hat security conference in Las Vegas yesterday, give fodder to opponents of the new passports. Grunwald says it took him only two weeks to figure out how to clone the passport chip.

"Either this guy is incredible or this technology is unbelievably stupid," says Gus Hosein, a visiting fellow in information systems at the London School of Economics and Political Science. "I think it's a combination of the two," Hosein says. "Is this what the best and the brightest of the world could come up with? Or is this what happens when you do policy laundering and you get a bunch of bureaucrats making decisions about technologies they don't understand?"

It's not possible, however, to actually change the data on the original chip, because the passport uses cryptographic hashes to authenticate the data.

All this is well known and no big deal, an assistant secretary of state says.

"What this person has done is neither unexpected nor really all that remarkable," Moss says. "(T)he chip is not in and of itself a silver bullet.... It's an additional means of verifying that the person who is carrying the passport is the person to whom that passport was issued by the relevant government."
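The difference between copying the chip data and changing it, described above, can be shown with a small model. This is an added example, not code from the article or from any passport system: it assumes the issuer seals the stored hashes with a key, uses an HMAC as a stand-in for that seal, and the key, field names and sample data are all constructed.

```python
import copy
import hashlib
import hmac

# Constructed stand-in for the issuer's signing key (assumption: a real
# document would use a public-key signature, not a shared-key HMAC).
ISSUER_KEY = b"constructed-issuer-key"


def _seal(hashes):
    """Seal the per-field hashes so they cannot be recomputed without the key."""
    payload = repr(sorted(hashes.items())).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_chip(fields):
    """Chip contents: unencrypted data, one hash per field, a seal over the hashes."""
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in fields.items()}
    return {"data": dict(fields), "hashes": hashes, "seal": _seal(hashes)}


def inspect_chip(chip):
    """Accept only if the seal matches the hashes and the hashes match the data."""
    if not hmac.compare_digest(_seal(chip["hashes"]), chip["seal"]):
        return False
    if set(chip["data"]) != set(chip["hashes"]):
        return False
    return all(
        hmac.compare_digest(hashlib.sha256(v).hexdigest(), chip["hashes"][k])
        for k, v in chip["data"].items()
    )


def demo():
    original = issue_chip({"holder": b"DOE<<JANE", "photo": b"constructed-image"})
    clone = copy.deepcopy(original)        # unmodified copy of everything readable
    altered = copy.deepcopy(original)      # one field changed, hashes left alone
    altered["data"]["holder"] = b"ROE<<JOHN"
    rehashed = copy.deepcopy(altered)      # field changed and its hash recomputed
    rehashed["hashes"]["holder"] = hashlib.sha256(b"ROE<<JOHN").hexdigest()
    chips = {"original": original, "clone": clone,
             "altered": altered, "rehashed": rehashed}
    return {name: inspect_chip(chip) for name, chip in chips.items()}


if __name__ == "__main__":
    print(demo())
```

The unmodified copy is accepted exactly like the original, while both altered versions are rejected: the hash check establishes that the data is what the issuer wrote, not that the chip carrying it is the one the issuer made.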
