Thread: Cloned e-passports fiasco renews calls for £4.7bn ID card s

The Times
August 7, 2008

Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed

Richard Ford, Home Correspondent and Sam Coates, Chief Political Correspondent

Opposition MPs accused the Government last night of being naive in believing that new microchipped passports would be foolproof against criminals involved in identity theft.

After The Times disclosed that new passports could be cloned and manipulated in minutes and would then be accepted as genuine, MPs also gave warning of serious implications for the security of the Government's £4.7 billion identity card scheme.

The identity card project, which starts this year when cards are issued to foreign nationals from outside Europe, relies on microchips similar to those cloned in minutes by a computer researcher as part of tests conducted for The Times.

Chris Huhne, the Liberal Democrat home affairs spokesman, joined calls for the whole project to be scrapped. “The Government is clearly incapable of creating a criminal-proof gold standard for identity,â€

From The Times
August 6, 2008

‘Fakeproof’ e-passport is cloned in minutes

Steve Boggan

New microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports.

Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organised crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.

In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.

The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined.

Some of the 45 countries, including Britain, swap codes manually, but criminals could use fake e-passports from countries that do not share key codes, which would then go undetected at passport control.

The tests suggest that if the microchips are vulnerable to cloning then bogus biometrics could be inserted in fake or blank passports.

Tens of millions of microchipped passports have been issued by the 45 countries in the belief that they will make international travel safer. They contain a tiny radio frequency chip and antenna attached to the inside back page. A special electronic reader sends out an encrypted signal and the chip responds by sending back the holder’s ID and biometric details.

Britain introduced e-passports in March 2006. In the wake of the September 11 attacks, the United States demanded that other countries adopt biometric passports. Many of the 9/11 bombers had travelled on fake passports.

The tests for The Times were conducted by Jeroen van Beek, a security researcher at the University of Amsterdam. Building on research from the UK, Germany and New Zealand, Mr van Beek has developed a method of reading, cloning and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organisation to test them. It is also the software recommended for use at airports.

Using his own software, a publicly available programming code, a £40 card reader and two £10 RFID chips, Mr van Beek took less than an hour to clone and manipulate two passport chips to a level at which they were ready to be planted inside fake or stolen paper passports.

A baby boy’s passport chip was altered to contain an image of Osama bin Laden, and the passport of a 36-year-old woman was changed to feature a picture of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. The unlikely identities were chosen so that there could be no suggestion that either Mr van Beek or The Times was faking viable travel documents.

“We’re not claiming that terrorists are able to do this to all passports today or that they will be able to do it tomorrow,â€