Your new e-passport can be cloned

The U.S. State Department is already issuing passports with an embedded electronic Radio Frequency Identification (RFID) chip that stores data about the passport holder. Not only do the chips provide no national security benefit whatsoever, they are also easy to forge.

Homeland Stupidity first reported on the ease of cloning e-passports in February, when a Dutch security firm broke the weak security on the chips in Dutch passports.

Now RFID expert Lukas Grunwald, a security consultant with DN-Systems in Germany, is demonstrating at the Black Hat Briefings in Las Vegas Thursday how he was able to download the data from RFID chips in German passports and make an exact copy of the RFID chip. This is a required step in forging such an e-passport.

“Either this guy is incredible or this technology is unbelievably stupid,” says Gus Hosein, a visiting fellow in information systems at the London School of Economics and Political Science and senior fellow at Privacy International, a U.K.-based group that opposes the use of RFID chips in passports.

“I think it’s a combination of the two,” Hosein says. “Is this what the best and the brightest of the world could come up with? Or is this what happens when you do policy laundering and you get a bunch of bureaucrats making decisions about technologies they don’t understand?”

Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country’s e-passport, since all of them will be adhering to the same ICAO standard. — Wired News

In June, the Department of Homeland Security Privacy Advisory Committee published a draft report showing that the use of RFID tags for identification posed risks to personal privacy and security but offered no national security benefits or performance benefits.

Unfortunately, I didn’t make it to Black Hat Briefings or DEFCON this year. Maybe next year–