[LINK] Passport hacker warns of identity risk
Geoffrey Ramadan
gramadan at umd.com.au
Wed Dec 13 23:04:18 AEDT 2006
How remarkable... you have to obtain the basic printed information on
you e-Passport FIRST "by other means" which then enables you to read the
contents of the e-Passport!
Which is not the same as being able to read any passport.
The ability to identify a passport type, without the Basic Access Code,
if true, would be a concern. Again as previously advised, enclose the
passport in a metal jacket or simply wrap it in tin-foil. Problem solved.
Reg
Geoffrey Ramadan B.E.(Elec)
Chairman, Automatic Data Capture Association (www.adca.com.au)
and
Managing Director, Unique Micro Design (www.umd.com.au)
Adam Todd wrote:
>
>
> Gee.
>
> Remember you heard it here FIRST on LINK, about three months ago!
>
>
>
> Passport hacker warns of identity risk
>
> Asher Moses
> December 12, 2006
>
> An example of the new ePassport
> Photo: DFAT
> AdvertisementAdvertisement
>
> A professional hacker who claims to have found a way to steal the
> personal information contained in the new Australian ePassport says
> he's working on a way to do it from a distance.
>
> Briton Adam Laurie said his reader and software program are capable of
> accessing the data stored on the passport's computer chip, even
> through coat pockets, as long as the coat is within a few inches of
> the reader.
>
> He had previously used the same tools to hack into Britain's
> electronic passport, and warns it could enable criminals to steal your
> identity or terrorists to target you based on your nationality
>
> He claims such a "hack" would also allow someone that looks like the
> passport holder to "clone" passports, and cross borders using a false
> identity.
>
> Department of Foreign Affairs and Trade (DFAT) yesterday downplayed
> the security risks and denied that the passport could be read from a
> distance, since a secret key was required to access the chip.
>
> "We are fully aware of the points raised, and they in no way
> compromise the security of Australia's ePassport," the spokeswoman said.
>
> "Each passport has a unique key which must be entered before the
> operator can access the information on the passport chip. The key is
> contained in the machine-readable zone on the data page of each
> passport."
>
> But Mr Laurie said the key is derived from basic information that can
> be obtained through other means, so possession of the target passport
> is not required.
>
> "As far as the key is concerned ... the information needed to derive
> this key is available not only on the printed page inside the
> passport, but sometimes from other sources such as online airline
> booking sites," Mr Laurie said in an email.
>
> "The information required is the date of birth, expiry date of the
> passport, and the passport number.
>
> "This means that you would be unable to read the passport of a random
> passer-by, but if you were targeting a specific individual, and could
> get prior knowledge of those bits of information, you could read the
> passport without touching or seeing it."
>
> In the same email, Mr Laurie said his reader is capable of capturing
> the data from inches away, and he's "working on a reader with a more
> powerful antenna" that could pick up the data at an even greater
> distance.
>
> "The problem is you're centralising all the information an identity
> thief needs in order to try and steal your identity," Mr Laurie told
> ABC radio's AM program last week.
>
> Launched in October 2005, the ePassport was hailed as "the most secure
> Australian passport ever".
>
> It has been issued to all new passport applicants (including renewals)
> since then, and includes an embedded microchip that digitally stores
> all of the information contained on the passport's photo page
> (including the photograph).
>
> The chip can be read electronically by airlines and airport officers,
> aiding in identity verification - through facial recognition
> technology - and potentially making passport fraud significantly harder.
>
> But the Government had not taken sufficient effort to stop
> unauthorised reading of the computer chips, said Mr Laurie.
>
> He added that the potential for "identity theft" will only increase as
> more data is stored on the chip.
>
> "If they start storing the actual biometrics, the iris scans, the
> fingerprints, and so on, then they're providing more and more of this
> data again in a central pool, that the identity thief can use," he
> told the ABC.
>
> Mr Laurie also raised the concern of "profiling", whereby an attacker
> could potentially target specific nationalities.
>
> "If, for some reason, I wanted to target Australian passport holders
> and the chip 'tells' me that it's an Australian passport, then I've
> accomplished my goal [of targeting specific nationalities]," he said.
>
> He said that even without the aforementioned access key, he could
> "easily" determine the type of passport involved. This could be
> dangerous if it's used by terrorists to target certain groups.
>
> While the Government questions the security risks posed by Mr Laurie's
> findings and freely admits that "the chip is not secured against
> reading", it is assuring people that modifying the data contained on
> the chip is not possible.
>
> "It is not possible to re-write or alter an Australia ePassport chip,"
> the DFAT spokeswoman said.
>
> "If someone attempts to alter the information, the chip will shut down
> and become inoperable."
>
>
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
More information about the Link
mailing list