[LINK] Passport hacker warns of identity risk

Adam Todd link at todd.inoz.com
Tue Dec 12 17:49:47 AEDT 2006 


Gee.

Remember you heard it here FIRST on LINK, about three months ago!



Passport hacker warns of identity risk

Asher Moses
December 12, 2006

An example of the new ePassport
Photo: DFAT
AdvertisementAdvertisement

A professional hacker who claims to have found a way to steal the personal 
information contained in the new Australian ePassport says he's working on 
a way to do it from a distance.

Briton Adam Laurie said his reader and software program are capable of 
accessing the data stored on the passport's computer chip, even through 
coat pockets, as long as the coat is within a few inches of the reader.

He had previously used the same tools to hack into Britain's electronic 
passport, and warns it could enable criminals to steal your identity or 
terrorists to target you based on your nationality

He claims such a "hack" would also allow someone that looks like the 
passport holder to "clone" passports, and cross borders using a false identity.

Department of Foreign Affairs and Trade (DFAT) yesterday downplayed the 
security risks and denied that the passport could be read from a distance, 
since a secret key was required to access the chip.

"We are fully aware of the points raised, and they in no way compromise the 
security of Australia's ePassport," the spokeswoman said.

"Each passport has a unique key which must be entered before the operator 
can access the information on the passport chip. The key is contained in 
the machine-readable zone on the data page of each passport."

But Mr Laurie said the key is derived from basic information that can be 
obtained through other means, so possession of the target passport is not 
required.

"As far as the key is concerned ... the information needed to derive this 
key is available not only on the printed page inside the passport, but 
sometimes from other sources such as online airline booking sites," Mr 
Laurie said in an email.

"The information required is the date of birth, expiry date of the 
passport, and the passport number.

"This means that you would be unable to read the passport of a random 
passer-by, but if you were targeting a specific individual, and could get 
prior knowledge of those bits of information, you could read the passport 
without touching or seeing it."

In the same email, Mr Laurie said his reader is capable of capturing the 
data from inches away, and he's "working on a reader with a more powerful 
antenna" that could pick up the data at an even greater distance.

"The problem is you're centralising all the information an identity thief 
needs in order to try and steal your identity," Mr Laurie told ABC radio's 
AM program last week.

Launched in October 2005, the ePassport was hailed as "the most secure 
Australian passport ever".

It has been issued to all new passport applicants (including renewals) 
since then, and includes an embedded microchip that digitally stores all of 
the information contained on the passport's photo page (including the 
photograph).

The chip can be read electronically by airlines and airport officers, 
aiding in identity verification - through facial recognition technology - 
and potentially making passport fraud significantly harder.

But the Government had not taken sufficient effort to stop unauthorised 
reading of the computer chips, said Mr Laurie.

He added that the potential for "identity theft" will only increase as more 
data is stored on the chip.

"If they start storing the actual biometrics, the iris scans, the 
fingerprints, and so on, then they're providing more and more of this data 
again in a central pool, that the identity thief can use," he told the ABC.

Mr Laurie also raised the concern of "profiling", whereby an attacker could 
potentially target specific nationalities.

"If, for some reason, I wanted to target Australian passport holders and 
the chip 'tells' me that it's an Australian passport, then I've 
accomplished my goal [of targeting specific nationalities]," he said.

He said that even without the aforementioned access key, he could "easily" 
determine the type of passport involved. This could be dangerous if it's 
used by terrorists to target certain groups.

While the Government questions the security risks posed by Mr Laurie's 
findings and freely admits that "the chip is not secured against reading", 
it is assuring people that modifying the data contained on the chip is not 
possible.

"It is not possible to re-write or alter an Australia ePassport chip," the 
DFAT spokeswoman said.

"If someone attempts to alter the information, the chip will shut down and 
become inoperable."

More information about the Link mailing list