Electronic Passports Hacked Within Minutes, Engineer Says

By JR Raphael
Contributing Writer, [GAS]

They’re billed as an international security solution, but the high-tech electronic passports developed after 9/11 may be easier to forge than their ink-and-paper counterparts.

The passports, issued by the U.S. and 44 other countries, feature embedded microchips that contain the owner’s data. They were designed to boost protection against identity fraud and, ultimately, terrorism. Now, though, a British computer engineer says he’s found a way to clone the chips, modify the data, and turn them into fake identities — all within a matter of minutes.

The discovery comes from a set of tests commissioned by The Times. The paper had the engineer copy two British passports, then switch out the real owners’ photos with ones of Osama bin Laden and a female suicide bomber. The hacked chips were then tested with the same software used to validate the passports at airport security checkpoints — and they passed.

The finding is a stark contrast to the government’s claims that the chips are foolproof:

“The new passports use Public Key Infrastructure (PKI) technology that prevents the information stored on the chip from being altered,” the U.S. Department of State web site says. “It provides a more sophisticated means to confirm that the traveler is the rightful holder of the passport and that the passport is authentic, thus deterring would-be passport/identity thieves.”

So how could this be? It’s not as complicated as it might sound. It turns out only five of the 45 countries using the e-passports actually have the Public Key system in place, The Times points out. That means the “international database” that the software is checking is — well, relatively data-free. Even the countries that have the system up and running are only sharing passport information with a handful of other nations. And the 40 countries that don’t have it at all yet? They’d have no way of telling if a foreign passport were forged.

The real-world concern would be someone getting ahold of your passport — say, when you hand it over as a form of ID — then quickly cloning the chip before giving it back to you. At that point, all they’d have to do is swap out their picture and fingerprints for yours, then they could be traveling the world with your identity.

The UK’s Home Office is taking the stance of denial, saying no one has actually demonstrated that they can hack into the chips.

Riiiiiiight.