Biometric passport cracked and cloned
News that attendees at a U.S. hacking conference have seen a demonstration of how to clone a digital passport has raised fresh concerns about the security of proposed new forms of ID and travel documents in the U.K.
A security researcher called Lukas Grunwald showed attendees at the Black Hat convention in Las Vegas how to clone passports, using a German passport for his demonstration. However, standardization across ePassports means the exploit would work on any other passport that uses RFID chip technology to store details of the individual--such as those now being issued in the U.K. or U.S. The demonstrated attack was carried out using freely available technology.
According to security guru Bruce Schneier, Grunwald's job was made all the easier by the publication of standards for ePassports on the Web site of the International Civil Aviation Organization.
Simon Perry, vice president of security strategy at CA and a member of the European Network and Information Security Agency, said that if people can crack the security on bank cards then it was inevitable, in time, they would find a way to do the same with passports.
The biggest problem, Schneier wrote on his blog, is that passports will have a shelf-life of 10 years, during which time the technology will not only become antiquated but will almost inevitably be overtaken in sophistication by the methods for cracking it.
Schneier wrote: "A passport has a 10-year lifetime. It's sheer folly to believe the passport security won't be hacked in that time."
The U.K. is currently in the process of rolling out ePassports that store biometric data about the holder on a chip.
CA's Perry said RFID chips can increasingly be read surreptitiously, often from distances far greater than the six inches that designers originally claimed. He suggested the security-conscious might like to consider investing in a metal cigarette or cigar case large enough to hold their passport.
Will Sturgeon reports for Silicon.com in London.





