[LINK] Passport hacker warns of identity risk

Geoffrey Ramadan gramadan at umd.com.au
Wed Dec 13 23:04:18 AEDT 2006

How remarkable... you have to obtain the basic printed information on 
your e-Passport FIRST "by other means" which then enables you to read the 
contents of the e-Passport!

Which is not the same as being able to read any passport.

The ability to identify a passport type, without the Basic Access Code, 
if true, would be a concern. Again as previously advised, enclose the 
passport in a metal jacket or simply wrap it in tin-foil. Problem solved.

Geoffrey Ramadan B.E.(Elec)
Chairman, Automatic Data Capture Association (www.adca.com.au)
Managing Director, Unique Micro Design (www.umd.com.au)

Adam Todd wrote:
> Gee.
> Remember you heard it here FIRST on LINK, about three months ago!
> Passport hacker warns of identity risk
> Asher Moses
> December 12, 2006
> A professional hacker who claims to have found a way to steal the 
> personal information contained in the new Australian ePassport says 
> he's working on a way to do it from a distance.
> Briton Adam Laurie said his reader and software program are capable of 
> accessing the data stored on the passport's computer chip, even 
> through coat pockets, as long as the coat is within a few inches of 
> the reader.
> He had previously used the same tools to hack into Britain's 
> electronic passport, and warns it could enable criminals to steal your 
> identity or terrorists to target you based on your nationality.
> He claims such a "hack" would also allow someone that looks like the 
> passport holder to "clone" passports, and cross borders using a false 
> identity.
> Department of Foreign Affairs and Trade (DFAT) yesterday downplayed 
> the security risks and denied that the passport could be read from a 
> distance, since a secret key was required to access the chip.
> "We are fully aware of the points raised, and they in no way 
> compromise the security of Australia's ePassport," the spokeswoman said.
> "Each passport has a unique key which must be entered before the 
> operator can access the information on the passport chip. The key is 
> contained in the machine-readable zone on the data page of each 
> passport."
> But Mr Laurie said the key is derived from basic information that can 
> be obtained through other means, so possession of the target passport 
> is not required.
> "As far as the key is concerned ... the information needed to derive 
> this key is available not only on the printed page inside the 
> passport, but sometimes from other sources such as online airline 
> booking sites," Mr Laurie said in an email.
> "The information required is the date of birth, expiry date of the 
> passport, and the passport number.
> "This means that you would be unable to read the passport of a random 
> passer-by, but if you were targeting a specific individual, and could 
> get prior knowledge of those bits of information, you could read the 
> passport without touching or seeing it."
> In the same email, Mr Laurie said his reader is capable of capturing 
> the data from inches away, and he's "working on a reader with a more 
> powerful antenna" that could pick up the data at an even greater 
> distance.
> "The problem is you're centralising all the information an identity 
> thief needs in order to try and steal your identity," Mr Laurie told 
> ABC radio's AM program last week.
> Launched in October 2005, the ePassport was hailed as "the most secure 
> Australian passport ever".
> It has been issued to all new passport applicants (including renewals) 
> since then, and includes an embedded microchip that digitally stores 
> all of the information contained on the passport's photo page 
> (including the photograph).
> The chip can be read electronically by airlines and airport officers, 
> aiding in identity verification - through facial recognition 
> technology - and potentially making passport fraud significantly harder.
> But the Government had not taken sufficient effort to stop 
> unauthorised reading of the computer chips, said Mr Laurie.
> He added that the potential for "identity theft" will only increase as 
> more data is stored on the chip.
> "If they start storing the actual biometrics, the iris scans, the 
> fingerprints, and so on, then they're providing more and more of this 
> data again in a central pool, that the identity thief can use," he 
> told the ABC.
> Mr Laurie also raised the concern of "profiling", whereby an attacker 
> could potentially target specific nationalities.
> "If, for some reason, I wanted to target Australian passport holders 
> and the chip 'tells' me that it's an Australian passport, then I've 
> accomplished my goal [of targeting specific nationalities]," he said.
> He said that even without the aforementioned access key, he could 
> "easily" determine the type of passport involved. This could be 
> dangerous if it's used by terrorists to target certain groups.
> While the Government questions the security risks posed by Mr Laurie's 
> findings and freely admits that "the chip is not secured against 
> reading", it is assuring people that modifying the data contained on 
> the chip is not possible.
> "It is not possible to re-write or alter an Australia ePassport chip," 
> the DFAT spokeswoman said.
> "If someone attempts to alter the information, the chip will shut down 
> and become inoperable."
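The key derivation discussed in this thread, as an added example that is not part of the original post or the quoted article. It assumes the passport follows ICAO Doc 9303 Basic Access Control, where the key seed is a SHA-1 hash of the passport number, date of birth and expiry date with their check digits; the specimen values and the counts used in the search-space estimates are assumptions labelled in the comments.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: digits as-is, A-Z = 10..35, '<' = 0."""
    def value(ch: str) -> int:
        if ch == "<":
            return 0
        return int(ch) if ch.isdigit() else ord(ch) - ord("A") + 10
    return str(sum(value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10)

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Passport number, date of birth, expiry date (YYMMDD), each with its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + check_digit(f) for f in fields)

def bac_key_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """K_seed: first 16 bytes of SHA-1 over the MRZ information. No other secret enters."""
    info = mrz_information(doc_number, birth, expiry)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]

def search_space_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Bits of uncertainty left to someone who must guess the three fields."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)

if __name__ == "__main__":
    # Specimen values from the ICAO 9303 worked example, not a real passport.
    print(mrz_information("L898902C", "690806", "940623"))
    print(bac_key_seed("L898902C", "690806", "940623").hex().upper())
    # Assumed counts: 9 alphanumeric characters, 100 years of birth dates,
    # 10 years of expiry dates.
    print("random passer-by:", round(search_space_bits(36**9, 36525, 3652), 1))
    # Assumed: number and birth date known from a booking record; expiry only
    # narrowed to the ~14 months of issue between October 2005 and December 2006.
    print("targeted, expiry unknown:", round(search_space_bits(1, 1, 430), 1))
    # All three fields known: nothing left to guess.
    print("targeted, all known:", search_space_bits(1, 1, 1))
```

The seed is 128 bits long, but under these assumptions it never carries more than about 73 bits of uncertainty, and that figure drops towards zero as the three printed fields become known, which is the gap between the "unique key" and "other means" positions in the thread.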