ePassports alert
09 May 2008
Some rather alarming new research has raised questions about biometric passports, which are issued in the EU according to a standard template set out by the European Commission in 2004, writes Stephen Gardner. The passports hold personal data in radio frequency identification (RFID) chips, which send out wireless signals across short distances.

When the Commission put forward the specifications, it trumpeted them as enhancing “security and reliability”. But it hasn't taken long for researchers at Dutch and German universities to trash that claim.

Unlike American passports, which protect the RFID chips with metal strips, meaning they can only be read if the passport is opened and placed in front of a reader, EU passports encrypt the signal sent out by the chips. This can be broken by 'brute force' attacks -- trying every possible encryption key until the security barrier is unlocked and the biometric data revealed. Some countries have made this easier by handing out passport serial numbers in sequence.

Even easier, though, is identifying which country a passport was issued by. The Commission ePassport technical standard was not standard enough. Different national passports send out slightly different signals, which can be picked up and quickly interpreted.

The researchers speculate that these weaknesses could be exploited to create bombs that explode if someone of a particular nationality comes close (this has even been demonstrated in a YouTube movie, though this has been removed from the website as “inappropriate”).

But not to worry: the British passport website makes the point that the passports send out a wireless signal “just a few centimetres.” Er, except perhaps not – researchers have shown that eavesdropping on the passports is possible as much as nine metres away.

A version of this article originally appeared in Private Eye.
 