Let's take a look at a few other things now possible with ePassports:
ePassports aid Data Theft:
The 3 meter barrier for reading RFID data (e.g. your ePassport data) has recently been broken:
the chip can now be read from 3 meters away. Attacks always get better; they never get worse. The
next barriers are 5, 10 and 20 meters.
An attacker can read the data from your ePassport (while you walk down the street!) and use
your credentials to impersonate you or to duplicate your passport.
ePassports aid Terrorism:
Thanks to ePassports it is now possible to build Smart-IEDs. A Smart-IED waits until
a specific person passes by before detonating, or, let's say, until there are more than 10
Americans in the room. Boom.
Do ePassports make you feel safer now, as the government said they would?
Breaking in?
The weakness is in the way the system has been rolled out. The terminal accepts
self-signed data: it checks the signature on the passport data, but it does not check that the
signing certificate was issued by a trusted authority, so data signed with a key the attacker
generated himself is accepted.
This attack is different from the Grunwald attack, which clones an existing passport. VonJeek's
attack makes it possible to copy, forge and modify the data so that it is still accepted as a
genuine, valid passport by the terminal.
Using a Certification Authority (CA) could stop this attack, but at the same time it
introduces a new set of attack vectors:
1. The CA becomes a single point of failure. It becomes the juicy, high-value target for the attacker.
Single points of failure are not good. Attractive targets are not good.
Anyone with access to the CA key can undetectably fake passports. Direct attacks, viruses,
misplacing the key by accident (the UK government is good at this!) or bribery are just a few
ways of getting hold of the CA key.
2. A single CA would need to be trusted by all governments. This is not practical, as it
means that passports would no longer be a national matter.
3. Multiple CAs would not work either. Any country could use its own CA to create a valid
passport of any other country. Read this sentence again: country A can create a passport data
set of country B and sign it with country A's CA key. The terminal will validate it and display
the information as data from country B.
This option also multiplies the number of 'juicy' targets, and it makes it more likely that a CA
key leaks.
Certificate revocation lists only work once a leak or loss has been detected. In most cases it
will not be detected.
Note: the last item received some comments. Some readers suggested that this can be fixed. Yes,
of course, any system can be fixed. Indeed, a good first step would be for the terminal to check
that a passport from country A is signed with the CA key of country A and not with the CA key of
country B.
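To make the two points above concrete (the terminal accepting self-signed data, and the country check suggested in the note), here is a worked model of the terminal-side check. It is an added example, not THC's or vonJeek's code and not an ICAO-conformant Passive Authentication implementation. It assumes a toy PKI with the hypothetical countries AA and BB, Ed25519 keys, Go's standard crypto/x509 package for the chain check, and a SHA-256 hash over constructed data groups standing in for the Security Object on the chip. The country codes are used as-is in both the certificate and the MRZ field; a real terminal would map the MRZ's three-letter state code to the two-letter C= field of the CA certificate. WeakVerify models a terminal that checks the signature under whatever signer certificate the chip presents; VerifyPassport additionally requires that certificate to chain to a trusted country signing CA and requires that CA to belong to the country the passport claims to be from.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // toy serial-number counter for the certificates issued below

// newCert issues a certificate for cn in the given (hypothetical) country.
// With parent == nil the certificate is self-signed: a country signing CA
// root when isCA is true, or a forger's home-made document signer otherwise.
func newCert(cn, country string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Country: []string{country}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// Passport is the part of the chip contents the terminal needs: the issuing
// state from the MRZ, the document signer (DS) certificate carried on the
// chip, and the signed security object.
type Passport struct {
	IssuingState string
	DSCert       *x509.Certificate
	SODData      []byte // stands in for the data-group hashes a real SOD carries
	SODSig       []byte // signature over SODData by the DS key
}

// signPassport builds a passport for issuingState signed with dsKey.
func signPassport(issuingState string, ds *x509.Certificate, dsKey ed25519.PrivateKey, dataGroups []byte) Passport {
	sod := sha256.Sum256(dataGroups)
	return Passport{IssuingState: issuingState, DSCert: ds, SODData: sod[:], SODSig: ed25519.Sign(dsKey, sod[:])}
}

// WeakVerify is the rolled-out behaviour described above: the signature is
// checked under whatever DS certificate the chip presents, so a self-signed
// DS certificate generated by the attacker passes.
func WeakVerify(p Passport) error {
	return p.DSCert.CheckSignature(x509.PureEd25519, p.SODData, p.SODSig)
}

// VerifyPassport additionally requires the DS certificate to chain to a CA in
// the trust store, and requires that CA to belong to the state in the MRZ.
func VerifyPassport(p Passport, trusted *x509.CertPool) error {
	if err := WeakVerify(p); err != nil {
		return fmt.Errorf("security object signature invalid: %w", err)
	}
	chains, err := p.DSCert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("document signer not issued by a trusted CA: %w", err)
	}
	root := chains[0][len(chains[0])-1] // the CA the chain ends in
	if len(root.Subject.Country) == 0 || root.Subject.Country[0] != p.IssuingState {
		return fmt.Errorf("CA of %v signed a passport claiming to be from %s", root.Subject.Country, p.IssuingState)
	}
	return nil
}

// Scenarios runs both checks against constructed passports and reports which
// were accepted (true) under each check.
func Scenarios() map[string]bool {
	cscaA, cscaAKey := newCert("CA of AA", "AA", true, nil, nil)
	cscaB, cscaBKey := newCert("CA of BB", "BB", true, nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(cscaA)
	trusted.AddCert(cscaB)
	dsA, dsAKey := newCert("DS of AA", "AA", false, cscaA, cscaAKey)
	dsB, dsBKey := newCert("DS of BB", "BB", false, cscaB, cscaBKey)
	dsForged, dsForgedKey := newCert("DS of AA", "AA", false, nil, nil) // attacker's self-signed DS
	dg := []byte("constructed data groups: MRZ, photo, fingerprints")

	genuineA := signPassport("AA", dsA, dsAKey, dg)
	forged := signPassport("AA", dsForged, dsForgedKey, dg)
	crossSigned := signPassport("BB", dsA, dsAKey, dg) // country A signs a "BB" passport
	tampered := signPassport("BB", dsB, dsBKey, dg)
	tampered.SODData[0] ^= 0xff // data altered after signing
	return map[string]bool{
		"weak: genuine AA":            WeakVerify(genuineA) == nil,
		"weak: self-signed forgery":   WeakVerify(forged) == nil,
		"strict: genuine AA":          VerifyPassport(genuineA, trusted) == nil,
		"strict: self-signed forgery": VerifyPassport(forged, trusted) == nil,
		"strict: BB signed by AA":     VerifyPassport(crossSigned, trusted) == nil,
		"strict: tampered":            VerifyPassport(tampered, trusted) == nil,
	}
}
```

Calling Scenarios() shows the weak check accepting both the genuine passport and the self-signed forgery, while the strict check accepts only the genuine one and rejects the forgery, the "BB" passport signed under country A's CA, and the tampered data. Note what the strict check does not solve: a leaked CA key of country A still produces perfectly valid "AA" passports, which is point 1 above.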
The current implementation and plans make it unlikely that this will be implemented securely. In the
end we are trusting the people who handed out ePassports that can be read by anyone, not just by
authorized terminals. We are trusting the people who say that the good security practice of verifying
the validity of a passport is optional, not mandatory.
So what's the solution? We know that humans are good at border control. They have
protected us well for the last 120 years. We also know that humans are good at pattern
matching and image recognition. Humans also do an excellent job of 'assessing' the person,
not just the passport. Take the human part away and passport security falls apart.