The International Civil Aviation Organization, the United Nations body that developed the standards for e-passports, opted to store travelers' fingerprints as a digital photo, no different than if you were to press the tips of your fingers against a flatbed scanner. As a result, it's possible to seize the image and use it to impersonate a passport holder by essentially hijacking their fingerprints. Japanese researchers several years ago demonstrated the ability to make false fingerprints using gelatin material that could be placed over a finger.
To access any data on the passport, the attacker would need to unlock it using a machine-readable code printed on the passport's face. Additionally, the International Civil Aviation Organization recommends that issuing countries protect biometric data on the e-passport with an optional feature known as Extended Access Control, which requires readers to obtain a digital certificate from the country that issued the passport before the equipment can access the information.
That certificate is only valid for a short period of time, but the chips contain no onboard clock to handle the digital certificate's expiration, which makes them vulnerable as well, says Grunwald. "It's a basic mistake," he says.
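The expiration problem described above can be modeled in a few lines. This is an added example, not code from the article or from any passport implementation. It assumes a chip whose only notion of "today" is the latest effective date it has seen in a certificate it accepted; the class names, dates and that date-tracking rule are constructed for illustration, and signature verification is omitted.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TerminalCert:
    """Constructed stand-in for a reader certificate (signature check omitted)."""
    holder: str
    effective: date
    expires: date


class ClocklessChip:
    """Chip with no clock: 'today' is the latest effective date it has seen (assumption)."""

    def __init__(self, issued_on: date):
        self.approx_today = issued_on

    def accepts(self, cert: TerminalCert) -> bool:
        if cert.expires < self.approx_today:
            return False  # expired relative to the chip's stale notion of time
        # An accepted certificate is the chip's only evidence that time has passed.
        self.approx_today = max(self.approx_today, cert.effective)
        return True


def clock_verifier_accepts(cert: TerminalCert, today: date) -> bool:
    """Decision a verifier with a real clock would make."""
    return cert.effective <= today <= cert.expires


def demo() -> dict:
    real_today = date(2007, 8, 1)  # constructed dates throughout
    old = TerminalCert("reader-A", date(2007, 1, 1), date(2007, 1, 31))
    fresh = TerminalCert("reader-B", date(2007, 7, 20), date(2007, 8, 19))

    rarely_used = ClocklessChip(issued_on=date(2006, 11, 1))
    frequent = ClocklessChip(issued_on=date(2006, 11, 1))
    frequent.accepts(fresh)  # this chip recently met an up-to-date reader

    return {
        "clock_verifier": clock_verifier_accepts(old, real_today),
        "rarely_used_chip": rarely_used.accepts(old),
        "frequent_chip": frequent.accepts(old),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the short validity period only protects chips that are read often by up-to-date equipment; a rarely read chip keeps honoring a certificate long after a clock-based check would reject it.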
The U.S. State Department had no immediate comment Tuesday. Grunwald's DefCon talk, "First We Break Your Tag, Then We Break Your Systems," is scheduled for Friday.