Scan This Guy's E-Passport and Watch Your System Crash

The International Civil Aviation Organization, the United Nations body that developed the standards for e-passports, opted to store travelers' fingerprints as a digital photo, no different than if you were to press the tips of your fingers against a flatbed scanner. As a result, it's possible to seize the image and use it to impersonate a passport holder by essentially hijacking their fingerprints. Japanese researchers several years ago demonstrated the ability to make false fingerprints using gelatin material that could be placed over a finger.

To access any data on the passport, the attacker would need to unlock it using a machine-readable code printed on the passport's face. Additionally, the International Civil Aviation Organization recommends that issuing countries protect biometric data on the e-passport with an optional feature known as Extended Access Control, which protects the biometric data on the chip by making readers obtain a digital certificate from the country that issued the passport before the equipment can access the information.

That certificate is only valid for a short period of time, but the chips contain no onboard clock to handle the digital certificate's expiration, which makes them vulnerable as well, says Grunwald. "It's a basic mistake," he says.
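The expiry problem Grunwald describes is easiest to see in a small model. The following is an added illustration written for this page, not code from Grunwald's talk or from the ICAO specification: it assumes a simplified terminal certificate with only a validity window (the real Extended Access Control certificate chain is more involved), a reader that checks validity against a wall clock, and a chip that, having no clock, can only remember the latest certificate start date it has validated. The class and field names are this example's own.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TerminalCert:
    """Simplified reader certificate issued by the passport's country (model assumption)."""
    issuer_country: str
    not_before: date
    not_after: date


class ClockedVerifier:
    """A verifier with a trusted clock can enforce the certificate's expiry directly."""

    def __init__(self, wall_clock: date):
        self.now = wall_clock

    def accept(self, cert: TerminalCert) -> bool:
        return cert.not_before <= self.now <= cert.not_after


class ClocklessChip:
    """A chip with no clock: its only notion of 'now' is the latest not_before
    date of any certificate it has already validated (starting from the date
    it was personalized). It can never know that a certificate has expired
    unless it has seen a newer one."""

    def __init__(self, personalization_date: date):
        self.current = personalization_date

    def accept(self, cert: TerminalCert) -> bool:
        # The chip can only reject certificates that ended before the latest
        # date it has evidence for; anything else looks current to it.
        if cert.not_after < self.current:
            return False
        # Validating a certificate is the chip's only way of advancing time.
        self.current = max(self.current, cert.not_before)
        return True


def demo() -> dict:
    """Constructed scenario: a long-expired reader certificate is presented
    to a clocked verifier and to a clockless chip."""
    expired = TerminalCert("XX", date(2007, 2, 1), date(2007, 3, 1))  # constructed
    today = date(2007, 8, 1)  # constructed wall-clock date, months after expiry

    clocked_accepts = ClockedVerifier(today).accept(expired)

    chip = ClocklessChip(personalization_date=date(2007, 1, 1))
    clockless_accepts = chip.accept(expired)

    # Mitigation visible in the model: once the chip has validated a fresher
    # certificate, its internal date moves forward and the stale one is refused.
    fresh = TerminalCert("XX", date(2007, 6, 1), date(2007, 12, 1))  # constructed
    chip2 = ClocklessChip(personalization_date=date(2007, 1, 1))
    fresh_ok = chip2.accept(fresh)
    stale_after_fresh = chip2.accept(expired)

    return {
        "clocked_rejects_expired": not clocked_accepts,
        "clockless_accepts_expired": clockless_accepts,
        "fresh_cert_accepted": fresh_ok,
        "expired_rejected_after_fresh": not stale_after_fresh,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The clockless chip accepts the expired certificate simply because nothing it has ever validated tells it that March 2007 has passed; the wall-clock verifier rejects it immediately. The model also shows the only lever such a chip has: its sense of time advances only when it validates a newer certificate, so a chip that is rarely inspected with fresh credentials keeps accepting old ones.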

The U.S. State Department had no immediate comment Tuesday. Grunwald's DefCon talk, "First We Break Your Tag, Then We Break Your Systems," is scheduled for Friday.
