Encrypted RFID passport data intercepted and cracked

A Dutch television news program has commissioned experiments by security research firm Riscure in which radio communications between the RFID chip in a prototype Dutch passport (using the same technology and encryption scheme recently adopted as an international standard and being deployed in USA passports) were intercepted, stored for analysis later at leisure, the password cracked in about 2 hours on a PC, and the digitized fingerprint, photograph, and all other encrypted and plain text data on the RFID chip in the password recovered.

Like the RFID passports scheduled for deployment in the USA by the end of this year (although the date seems to keep slipping due to technical, manufacturaing, and relaibility problems), the Dutch passports use ISO 14443 chips and the “Basic Access Control” encryption scheme, both of which have been adopted by ICAO as global standards and, through laws mandating “compliance” with ICAO standards, incorporated by reference into national laws in the USA and many other countries.

Under the “Basic Access Control” (BAC) scheme, the decryption key is derived from the subset of passport data printed in optically-readable type in the “Machine Readable Zone” (MRZ) at the bottom of the “data page” of the passport. The theory is that the exchange between the reader and the chip in the passport, even if intercepted, can’t be decrypted without access to this data (which, unlike the RFID data, would be hard to obtain remotely). The newly-reported Dutch experiment shows that this isn’t true: anyone who can eavesdrop on the radio conversation between a “basic access control” RFID passport chip and a legitimate reader can later decrypt it and recover the data.

The attack was made somewhat easier and quicker, in the Dutch case, by patterns in the assignment of passport numbers that form part of the MRZ data and thus the basis of the BAC decryption key. But since the passport cracking and decryption can be performed at leisure, once the encrypted data stream is captured and stored, this would only effect the time required to crack each passport with a given computer, not the basic possibility of doing so.

Neither the “Nieuwslicht” (Newslight) television report (as translated by my Dutch colleague), nor the press release on the Riscure Web site, specify the range at which the radio exchange between the chip in the passport and a reader (such as would be deployed at an immigration checkpoint or airline check-in counter) was intercepted. But another Dutch rearch presentation cited in The Register (UK) suggests that it could be up to 10 meters (30+ feet).

That’s far more range than what’s necessary for a slight variant of the threat scenario I presented to Frank Moss, director of the the USA State Department’s Passport Office, last year at CFP — and to which he has yet to respond:

Pick out someone who looks similar to the person for whom you want a new identity, follow them up to the counter where their passport’s RFID chip is interrogated by a reader, intercept (with e.g. a radio receiver you wheel around in a nondescript suitcase) and store the radio traffic, and use it (once decrypted) to produce a cloned passport or some other forged identity credential. (Strictly speaking, decrypting the data on the RFID chip isn’t even essential to making a perfect bitwise clone, although it would help greatly in forging the photo.)

Ironically, in the USA it’s diplomats, some of whom were already supposed to have been issued RFID passports by now, who are the first people being placed in danger of remote identification, targetting, identity theft, and impersonation by anyone who intercepts and decrypts their RFID passport data.

The USA government has staked a lot on its push for the ICAO standards, and their incorporation into law in the USA. Willingly or not, many other countries have gone along. The big question now is whether the USA and its allies in ICAO and elsewhere will withdraw their RFID passport plans as fatally flawed, or will make an attempt to salvage them with ineffectual minor repairs — as the USA already did when it agreed to use BAC, after first proposing to deploy RFID passports that transmit biometric and other data in the clear.

On a related note, I’ve gotten a lot of e-mail from readers wanting to know how to tell if their new passports have embedded RFID chips. I neglected, unfortunately, to take pictures of the sample RFID passports Moss passed around at CFP. All of them included a distinctive and fairly prominent (but not intuitively obvious as meaning “contains an RFID chip”) logo on the cover. The odd thing is that I can’t find an image of this logo anywhere on the Passport Office Web site (the only image of the RFID passport is of the inside data page, which contains no RFID indicia, not the outer cover with the RFID logo) or in any of the ICAO documents discussing the proposals for a standard RFID logo. (It’s needed so that border guards, immigration officers, and other government agents can distinguish a passport with a defective or disabled RFID chip from a passport that never contained an RFID chip.) The only way for me to interpret the reluctance to have this logo publicized is that the government fears that people who already identify RFID chip numbers as the Satanic “mark of the beast” in the Christian Bible would identify the RFID logo itself as an even more literal “mark” of the beast. But if anyone got a picture of the logo on the cover of Moss’ RFID passport at CFP, or can find any other image of the RFID passport logo, please send me a copy, and I’ll post it.

(Thanks to Katherine Allbrecht of Spychips.com for being the first to bring the Dutch news to my attention. See her excellent new blog with Liz McIntyre, co-author of the Spychips book, for more news about RFID chips.)

[Addendum, 1 February 2006: See my follow-up article with the RFID passport logo.]