Tests Reveal E-Passport Security Flaw
The first interoperability test between electronic-passport chips and readers was a terrible muddle, but vendors say future government testing will allow them to polish their products.
This summer, the National Institute of Standards and Technology (NIST) performed the interoperability tests for the Department of Homeland Security over three days at facilities in Morgantown, W.Va. A second round of testing began in late August in Sydney, Australia, and featured chip and reader vendors trying to sort out varying interpretations of the International Civil Aviation Organization’s (ICAO) e-passport specification.
The tests show that Type B contactless interface technology faced more difficulties than the Type A interface; the ICAO requires readers to support both standards, while cards only have to use one. Though the interoperability issues could be likened to those that crop up during normal PC industry plugfests, experts were especially worried by NIST researchers’ ability to scan e-passport data from as far as 30 feet away; ICAO specifications call for data to be transmitted over just a few inches in order to protect personal data.
Users could insert foil sheets to protect their e-passports from remote readers, but ICAO specifications do not require anything more than public-key-infrastructure-enabled digital signatures.
Biometric data is recommended, however, and some European countries are planning on active, on-chip authentication schemes.
Vendors are also proactively working on security components that government agencies can decide to implement at their discretion, such as chip modifications from Infineon that make those chips more difficult to hack.
Gemplus’ Jean-Paul Caruano said the ICAO specification described basic access control through encryption, while security expert Bruce Schneier warned that e-passport data readable from a distance could aid thieves or terrorists targeting certain nationalities.
Abstracted by the National Law Enforcement and Corrections Technology Center (NLECTC) from the EE Times (08/30/04) No. 1336, P. 1; Yoshida, Junko.