The ePassport cloning myth never dies


Here we go again with the BBC reporting the same myth that electronic passports have been “cloned” which got a lot of readers from digg and slashdot.  This grossly misinformed myth has been repeated so many times by the press that the lie has basically become true.  I’m going to try and set it straight one more time.

Let’s examine this so-called “cloning” vulnerability.  We basically have a researcher Lukas Grunwald going around telling any gullible reporter that he’s “cracked” RFID ePassports because he copied the data on the RFID chip from a Passport.  I met Mr. Grunwald at Black Hat 2006 this past summer and spent 20 minutes talking with him and verified that he had cracked nothing.  In order to crack an RFID ePassport, you’ll need to do one of the following things.

  • It's not a crack unless someone can intercept the RFID wireless data remotely WITHOUT physical possession of the ePassport, from arm's length away.  If you have physical possession of the passport, you’re SUPPOSED to be able to read the data, which obviously means you can make a replica of it, and there is nothing strange about this, as the media is making it out to be.  An exact replica of someone else’s passport with their name and their face on it isn’t exactly useful unless you can do plastic surgery on your face to make it look exactly like the photo in the stolen ePassport.  The fact that the media is having a field day over the mere replication of someone else’s ePassport is just shoddy reporting.
  • It is possible to demonstrate a serious crack when given possession of an ePassport if you can clone it AND customize it.  That last bit is something Grunwald won’t tell reporters unless they specifically ask him.  I asked him if he got that last part and he replied “of course not”.  It's sad that the media hasn't picked up on this minor detail.
  • Another way you can demonstrate a crack in RFID ePassports (which really isn’t unique to RFID) is if you can plant malformed data on an ePassport to have it exploit the ePassport reader software.  When I asked Grunwald if he had done this, his reply was that he needs money for research.  Now there’s nothing wrong with research grants, but most security researchers I know usually at least demonstrate something substantial on their own time first before they ask for money.
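The distinction between replicating a chip and customizing it is the whole argument, so here is an added worked example (mine, not the author's and not any real ePassport software) that shows why a reader accepts a bit-for-bit copy yet rejects a copy with a swapped photo or name.  ePassport chips carry a digital signature from the issuing country over hashes of the data on the chip, and the reader checks that signature; the code below models that check with a deliberately simplified layout (named data groups plus a signed hash list, P-256 ECDSA, constructed sample contents) rather than the real ICAO encoding.  The type and function names `Chip`, `SecurityObject`, `Issue`, `Verify`, `Clone` and `Customize` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Chip is a simplified, assumed model of what a reader gets from an ePassport:
// named data groups plus a security object carrying the issuer's signature.
// Constructed for this example; it does not follow the real ICAO LDS encoding.
type Chip struct {
	DataGroups map[string][]byte // e.g. "DG1" = holder name/MRZ, "DG2" = face image
	SOD        SecurityObject
}

// SecurityObject records the issuer's hash of every data group and a signature
// over that hash list, so changing any group breaks the chain of trust.
type SecurityObject struct {
	Hashes    map[string][32]byte
	Signature []byte // DER-encoded ECDSA signature over digestOfHashList(Hashes)
}

// NewIssuerKey creates the issuing authority's signing key (assumed P-256 ECDSA).
func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digestOfHashList binds the data-group hashes into one value to sign, in a
// canonical (sorted) order so issuer and verifier compute the same bytes.
func digestOfHashList(hashes map[string][32]byte) []byte {
	names := make([]string, 0, len(hashes))
	for name := range hashes {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		h.Write([]byte(name))
		dg := hashes[name]
		h.Write(dg[:])
	}
	return h.Sum(nil)
}

// Issue personalises a chip: hash each data group and sign the hash list.
func Issue(issuer *ecdsa.PrivateKey, dataGroups map[string][]byte) (Chip, error) {
	hashes := make(map[string][32]byte, len(dataGroups))
	for name, content := range dataGroups {
		hashes[name] = sha256.Sum256(content)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, digestOfHashList(hashes))
	if err != nil {
		return Chip{}, err
	}
	return Chip{DataGroups: dataGroups, SOD: SecurityObject{Hashes: hashes, Signature: sig}}, nil
}

// Verify is what a border reader does (simplified): check the issuer's
// signature over the hash list, then check every data group against its
// recorded hash. Either failure means the chip contents are not trustworthy.
func Verify(issuerPub *ecdsa.PublicKey, c Chip) error {
	if !ecdsa.VerifyASN1(issuerPub, digestOfHashList(c.SOD.Hashes), c.SOD.Signature) {
		return errors.New("security object signature does not verify")
	}
	if len(c.DataGroups) != len(c.SOD.Hashes) {
		return errors.New("data groups present do not match those signed")
	}
	for name, content := range c.DataGroups {
		want, ok := c.SOD.Hashes[name]
		if !ok {
			return fmt.Errorf("%s is not covered by the security object", name)
		}
		if got := sha256.Sum256(content); got != want {
			return fmt.Errorf("%s does not match its signed hash", name)
		}
	}
	return nil
}

// Clone copies everything a reader with the passport in hand can read.
func Clone(c Chip) Chip {
	dgs := make(map[string][]byte, len(c.DataGroups))
	for name, content := range c.DataGroups {
		dgs[name] = append([]byte(nil), content...)
	}
	hashes := make(map[string][32]byte, len(c.SOD.Hashes))
	for name, h := range c.SOD.Hashes {
		hashes[name] = h
	}
	return Chip{DataGroups: dgs, SOD: SecurityObject{Hashes: hashes, Signature: append([]byte(nil), c.SOD.Signature...)}}
}

// Customize swaps one data group in place (mutates c's maps, so call it on a
// Clone). Without the issuer's private key the most that can be rewritten is
// the recorded hash; the signature over the hash list stays stale.
func Customize(c Chip, name string, content []byte, alsoRewriteHash bool) Chip {
	c.DataGroups[name] = content
	if alsoRewriteHash {
		c.SOD.Hashes[name] = sha256.Sum256(content)
	}
	return c
}

func main() {
	key, _ := NewIssuerKey()
	original, _ := Issue(key, map[string][]byte{
		"DG1": []byte("HOLDER<<JANE<DOE"),              // constructed sample MRZ line
		"DG2": []byte("constructed-jpeg-bytes-of-jane"), // stands in for the face image
	})
	fmt.Println("genuine:        ", Verify(&key.PublicKey, original))
	fmt.Println("replica:        ", Verify(&key.PublicKey, Clone(original)))
	fmt.Println("swapped photo:  ", Verify(&key.PublicKey, Customize(Clone(original), "DG2", []byte("other-face"), false)))
	fmt.Println("swapped+rehash: ", Verify(&key.PublicKey, Customize(Clone(original), "DG2", []byte("other-face"), true)))
}
```

Run as written, the genuine chip and the replica both verify (`<nil>`), while the copy with a replaced photo fails on the hash check and the copy whose recorded hash was also rewritten fails on the signature check.  That is the point of the post: copying signed data is expected and proves nothing, and a reader only trusts what the issuer's key actually signed.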

The bottom line is that these so-called “cloning” cracks in ePassports are bogus, and they all cite the same guy, Lukas Grunwald, over and over again, who admittedly hasn’t cracked anything.  The problem is that the reporters don’t understand the technology and can’t ask the right questions.

Before anyone thinks that I’m for the use of RFID in Passports, I’ve slammed the use of RFID in ePassports many times because there is no reason to be using RFID in Passports.  The way RFID is being implemented in ePassports means that they have all the inconveniences of a contact system with all the security liabilities of a wireless solution, which is the worst of both worlds.  But this is a case against the implementation of RFID in a Passport and NOT a case against electronic Passports with tamper-proof digital signatures.