British E-Passports Can Be Hacked In 48 Hours

The New Zealand Department of Internal Affairs (DIA) is not concerned about reports from the United Kingdom that say radio frequency identification (RFID) chips in passports can be cracked in as little as 48 hours.

British newspaper The Guardian reports it was able to access the data stored on RFID cards in Britain’s newly launched smart passports.

However, the DIA says there isn’t enough information contained within the New Zealand passports’ chips to create counterfeit travel documents.

DIA passport manager David Philp confirmed that it is possible to access the information stored on the RFID chips and use it to make a clone. However, the RFID chip in the e-passports currently issued in New Zealand is just one security feature out of more than 50 contained in the passport.

Having just a cloned chip isn’t sufficient to create a counterfeit passport, Philp said, adding that such an endeavor is quite involved. While New Zealand passports are “highly desirable,” the DIA has seen very few credible counterfeited ones, he said.

While the general design goal of the e-passport is to lock the holder’s identity to the document in a secure manner, Philp said there has to be a balance between risk management and customer service.

The passport has to be readable around the world in a reasonable amount of time and ideally in more situations than just immigration.

Philp gave airport check-ins as one example of where RFID-equipped passports should be readable.

Making the e-passport harder to read is possible, Philp said, but it would make immigration processing take longer and inconvenience people.

Researcher Peter Gutmann at the University of Auckland’s department of computer science is skeptical that the RFID chip provides any real security benefit. In fact, Gutmann goes further and says in his technical background paper, “Why biometrics is not a panacea,” that RFIDs in passports “are a disaster waiting to happen.”

German and Dutch passports have already been compromised, according to Gutmann, and this can be done remotely as well. He points to successful attacks by Dutch RFID security specialist Harko Robroch, who has intercepted passport and reader device communications from 5 meters away. Gutmann says eavesdropping on the reader was possible up to 25 meters.

In comparison, The Guardian article says U.K. passports are readable 7.5 centimeters away, a far shorter distance than Robroch’s interception, but enough in situations such as public transport, where people are close together, to siphon off the data stored in the RFID chip.

However, Gutmann’s worst-case scenario for RFIDs in passports occurs not when they’re being compromised for counterfeiting purposes, but when they are used to identify the holder. The RFID chip could be used to trigger explosive charges, and Gutmann points to a study that shows the current U.S. passport design caused a small, non-lethal explosive charge concealed in a trash can to detonate.

Terrorists could then target specific nationalities automatically, says Gutmann.

By Juha Saarinen, Computerworld New Zealand

Keep checking in at our Security Feed for updated news coverage.