Software Lets User Manipulate Passport Data
Washington Post, September 30, 2008
Are you in need of a quick passport don’t doesn’t necessarily care if the personal information doesn’t match up to who you really are? If so, then you might want to check on Jeroen van Beck’s new tool that allows you to modify data on computer chips imbedded in dozens of country’s passports, including those from the U.S. van Beck’s software specifically targets electronic passports which include chips that contain a person’s name, date of birth, passport number and photograph. In a demo given to The Times Online, van Beck demonstrated the ease in which information can be changed, copied and deleted, all of which can help hide the true identity of the passport holder.
According to the article, “Building on research from the UK, Germany and New Zealand, Mr van Beek has developed a method of reading, cloning and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organization to test them. It is also the software recommended for use at airports.”
While these chips are designed to be signed with cryptographic keys held by the issuing country, not all e-passport participating countries have agreed to share these keys. According to Adam Laurie, a freelance security researcher with RFIDiot.org, this in turn allows individuals to sign the bogus information using his/her own personal cryptographic key without too many countries realizing it.
“This is the big problem with the whole thing: It relies on checking the digital signatures of the content on the passport, but if nobody’s checking those signatures, you can’t tell if the data is legitimate,” Laurie said.
Well said by Laurie. What good is a digital signature if no one is factually checking it? And digital signatures alone aren’t always the answer to ensuring that data has not been tampered. From start-up businesses to Fortune 500 companies to government institutions – they all need to be aware of content security risks and the ways in which criminals are manipulating them. Electronic passports are a great effort toward identification authenticity, but their effectiveness can only go as far as its security measures allow.