Scan This Guy's E-Passport and Watch Your System Crash

A security researcher has revealed additional vulnerabilities in the documents.

By ABC News
February 11, 2009, 8:08 PM

Aug. 1, 2007 -- A German security researcher who demonstrated last year that he could clone the computer chip in an electronic passport has revealed additional vulnerabilities in the design of the new documents and the inspection systems used to read them.

Lukas Grunwald, an RFID expert who has served as an e-passport consultant to the German parliament, says the security flaws allow someone to seize and clone the fingerprint image stored on the biometric e-passport, and to create a specially coded chip that attacks e-passport readers that attempt to scan it.

Grunwald says he's succeeded in sabotaging two passport readers made by different vendors by cloning a passport chip, then modifying the JPEG2000 image file that holds the passport photo. Reading the modified image crashed the readers, which suggests that the readers' image-decoding code could be vulnerable to a code-injection exploit that might, for example, reprogram a reader to approve expired or forged passports.

"If you're able to crash something you are most likely able to exploit it," says Grunwald, who's scheduled to discuss the vulnerabilities this weekend at the annual DefCon hacker conference in Las Vegas.

E-passports contain radio frequency ID, or RFID, chips that are supposed to help thwart document forgery and speed processing of travelers at U.S. entry points. The United States led the charge for global e-passports because authorities said the data on the chip, which is digitally signed by each issuing country, would help distinguish official documents from forged ones.

But Grunwald demonstrated last year at the BlackHat security conference how he could extract the data from a passport chip, which is read-only, and copy it to a read-write chip that looks identical to an e-passport reader: the issuing country's signature covers the stored data rather than the chip itself, so it copies across with the rest and still verifies. Now Grunwald says he was able to add data to the cloned chip that would allow someone to attack the passport reader.

He conducted the attack by embedding a buffer-overrun exploit inside the JPEG2000 file on the cloned chip that contains the passport photo. Grunwald says he tested his exploit on two passport readers that were on display at a security conference he attended.
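As an added illustration (not Grunwald's exploit, and not any vendor's reader code), the following C program shows the class of defect the article describes: a walker for JP2, the JPEG2000 container used for passport photos, that trusts the length field in the file, beside one that bounds-checks it. The LBox/TBox box layout is the real JP2 structure; the 64-byte scratch buffer, the function names and the two sample files are constructed for this example. The point is that a decoder must treat the photo bytes as attacker-controlled, because a cloned chip can carry whatever the attacker wrote there.

```c
/*
 * Toy JP2 box walker, added example only (not from the article or any reader).
 * A JP2 file is a sequence of boxes:
 *   LBox (4 bytes, big-endian, length incl. this header) | TBox (4-byte type) | payload
 *   LBox == 0 means "box runs to end of file"; LBox == 1 means an 8-byte
 *   XLBox follows (this toy rejects that case instead of parsing it).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COPY_CAP 64   /* fixed-size scratch buffer, as a naive decoder might have */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable: trusts LBox as written in the file and copies that many bytes
 * into a 64-byte stack buffer. A crafted LBox (or LBox == 1, which makes
 * lbox - 8 wrap to ~4 GB) overruns the stack: the crash-to-exploit path the
 * article describes. Returns the number of boxes walked. */
int jp2_count_boxes_unsafe(const uint8_t *file, size_t file_len) {
    uint8_t scratch[COPY_CAP];
    size_t off = 0;
    int boxes = 0;
    while (off + 8 <= file_len) {
        uint32_t lbox = be32(file + off);
        if (lbox == 0) lbox = (uint32_t)(file_len - off);
        size_t payload = lbox - 8;                  /* wraps if lbox < 8 */
        memcpy(scratch, file + off + 8, payload);   /* no bound against COPY_CAP or file_len */
        off += lbox;
        boxes++;
    }
    return boxes;
}

/* Hardened: every length is checked against what the file actually holds
 * and against the buffer before any copy. Returns the box count, or -1 if
 * the file is truncated, claims more than it contains, or uses XLBox. */
int jp2_count_boxes_safe(const uint8_t *file, size_t file_len) {
    uint8_t scratch[COPY_CAP];
    size_t off = 0;
    int boxes = 0;
    while (off < file_len) {
        if (file_len - off < 8) return -1;          /* truncated box header */
        uint32_t lbox = be32(file + off);
        size_t box_len;
        if (lbox == 0)      box_len = file_len - off;
        else if (lbox == 1) return -1;              /* XLBox: unsupported here, reject */
        else if (lbox < 8)  return -1;              /* header cannot fit in its own length */
        else                box_len = lbox;
        if (box_len > file_len - off) return -1;    /* claims bytes the file does not have */
        size_t payload = box_len - 8;
        size_t n = payload < COPY_CAP ? payload : COPY_CAP;  /* never exceed the buffer */
        memcpy(scratch, file + off + 8, n);
        off += box_len;
        boxes++;
    }
    return boxes;
}

/* Constructed sample files (not taken from any real passport). */
static const uint8_t good_jp2[] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A,   /* signature box, 12 bytes */
    0x00,0x00,0x00,0x14, 'f','t','y','p', 'j','p','2',' ',       /* file type box, 20 bytes */
    0x00,0x00,0x00,0x00, 'j','p','2',' ',
};
/* Same layout, but the second box claims 0xFFFFFFF0 bytes while only 20 follow. */
static const uint8_t hostile_jp2[] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A,
    0xFF,0xFF,0xFF,0xF0, 'f','t','y','p', 'j','p','2',' ',
    0x00,0x00,0x00,0x00, 'j','p','2',' ',
};

int main(void) {
    printf("safe parser, benign file:  %d boxes\n", jp2_count_boxes_safe(good_jp2, sizeof good_jp2));
    printf("safe parser, hostile file: %d (rejected)\n", jp2_count_boxes_safe(hostile_jp2, sizeof hostile_jp2));
    printf("unsafe parser, benign file: %d boxes\n", jp2_count_boxes_unsafe(good_jp2, sizeof good_jp2));
    /* jp2_count_boxes_unsafe(hostile_jp2, sizeof hostile_jp2) would memcpy
     * ~4 GB into the 64-byte stack buffer and crash: deliberately not run here. */
    return 0;
}
```

The hardened version differs from the vulnerable one only in its checks, which is the usual shape of this bug class: the decoder's logic is right for well-formed input and simply never considered that the length field might lie. A reader that must decode a photo before it has any reason to trust it, as a passport reader must, needs the second version.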