E-passport at risk of being targetted by terrorists

[David Farber <dave () farber net>]

Begin forwarded message:

From: adam <lists () beecher net>
Date: October 23, 2006 12:04:21 AM EDT
To: Dave Farber <dave () farber net>
Subject: E-passport at risk of being targetted by terrorists

Hi Dave,

Two articles about new RFID "ePassports" in Ireland are attached, for  
IP if
you like.

Thanks,
Adam Beecher


--------------------------------------------------

E-passport at risk of being targetted by terrorists.
http://www.digitalrights.ie/2006/10/22/e-passport-at-risk-of-being- 
targetted
-by-terrorists/
October 22nd, 2006

Digital Rights Ireland director, Antoin O'Lachtnain, in an interview  
with
Mark Tighe of the Sunday Times (
http://www.timesonline.co.uk/article/0,,2091-2415780.html ) today,  
gave an
insight into the possibilities of Ireland's new electronic passport  
being
targetted by criminals.

The lack of security measures, protecting the passport from being  
"skimmed",
are a real risk, exposing these passports to the possibility of being  
read
and the contents copied by terrorists.

Recent press coverage has exposed (
http://www.theregister.co.uk/2006/08/04/e-passport_hack_attack/ ) the
security risks associated with electronic passports.

    'Terror risk' for electronic passport
    Mark Tighe
    THE new Irish e-passport is lacking a basic security feature  
contained
in the American version, leaving Irish passport holders open to  
targeting by
terrorists, according to a leading lobby group.

    Digital Rights Ireland (DRI) claims the lack of any shielding in  
the
passports means "skimmers" will be able to detect the passports from  
picking
up their frequencies, and even identify nationality, without the holder
knowing.

    The new passports were launched last week by the Department of  
Foreign
Affairs, ahead of a US deadline requiring countries on its visa-waiver
programme to start issuing passports with a radio transmitter chip  
(RFID)
from Tuesday. The department expects to issue 750,000 by the end of  
2007.

    While the chip is meant to be read from only a few centimetres,
prototype testing showed they could be detected up to 9m (30ft) away.  
This
led the US State Department to introduce a metal mesh in the passport  
cover
to "make unauthorised reading of the passport very difficult from any
appreciable distance as long as the passport is closed".

    An encryption system prevents skimmers from accessing the  
biometric data
on the chip but security firms have demonstrated that a hand-held  
scanner is
able to identify the presence of unshielded passports. Researchers are
examining whether it will be possible to identify the passport  
nationality.

    Antoin O'Lachtnain, a director of DRI, said it was unbelievable  
Ireland
did not follow America's lead in providing shielding. "The only  
reason we
are implementing the e-passport is because the Americans told us we  
had to,"
he said. "I really think e-passport holders should use a shield, such  
as a
piece of tinfoil, to prevent the RFID chip being read without their
knowledge."

    Some companies are already offering special wallets with shields to
protect passports against skimmers.

    O'Lachtnain said skimming technology would advance over the planned
10-year lifespan of the passports. "Terrorists could use a scanner to
identify a group of, say, British or American nationals by the  
passport they
are carrying and then kidnap them or kill them in a suicide bombing,"  
said
O'Lachtnain.

    The Department of Foreign Affairs said shielding was not  
necessary as
the passports must be open at very close proximity to the reader. A  
source
at the International Civil Aviation Organisation said: "I think it  
will not
be long before other countries move to implement similar shielding."


--------------------------------------------------

New Irish Passports have RFID chip
October 20th, 2006

http://www.digitalrights.ie/2006/10/20/new-irish-passports-have-rfid- 
chip/

Despite the recent press attention to the launch of 'biometric'  
passports,
not many reporters have focused on the fact that these new passports  
seem to
include Radio Frequency ID (RFID) chips. From the Department of Foreign
Affairs website ( http://www.dfa.ie/services/passports/ePassports.asp )

"The chip technology allows the information stored in an Electronic  
Passport
to be read by special chip readers at a close distance."

The technology the Department of Foreign Affairs chose to protect the
information in the chip from being read remotely (eavesdropped) by  
anyone
within 5 metres (15 feet) is called Basic Access Control (BAC).

Basic Access Control is used by other countries, such as the  
Netherlands to
protect their RFID Passports from eavesdroppers. However, a Dutch  
security
testing lab called Riscure has examined the reliability of BAC and found
that it is quite possible for a determined eavesdropper to break the  
control
with a handheld reader, and an ordinary PC from within 5 metres.  
( Slides
outlining this attack method:
http://www.riscure.com/2_news/200604%20CardsAsiaSing%20ePassport% 
20Privacy.p
df )

The Department of Foreign Affairs has confirmed to DRI that the new RFID
passports are not issued with sequential numbers, which increases the
security of the chip. However the US, which also uses BAC, has gone  
further
by placing shielding equipment in the covers of the passports  
(essentially a
metal foil layer).

"To further protect against skimming, the U.S. e-passport will include a
shielding material in the passport cover that will make unauthorized  
reading
of the passport very difficult from any appreciable distance as long  
as the
passport is closed." http://travel.state.gov/passport/eppt/ 
eppt_2788.html

We will be enquiring as to whether the Department of Foreign Affairs  
intends
to do likewise and attempt to keep our members informed. If any or our
members or readers would like to contact us on this topic, or offer  
their
help or expertise in addressing it contact Bernard Tyers at the contacts
given here.






-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/