E-passport security

The British newspaper The Times published an article and a background article about e-passports, which are passports with a built-in wireless (RFID) chip.
This article refers to a theft in England in which 3,000 blank passports and visas were stolen, and to Jeroen van Beek. Jeroen works at KPMG and is a part-time researcher at the System and Network Engineering research group of the University of Amsterdam.

To answer frequently asked questions and to avoid misunderstandings, this page contains a number of facts about e-passports in general and about this research in particular.


What is an e-passport?

An e-passport is a passport that contains a chip implementing the ICAO standard for Machine Readable Travel Documents (MRTDs).


Does The Netherlands issue electronic travel documents (MRTDs)?

Yes, the passports and identity cards currently issued in The Netherlands are equipped with a wirelessly readable chip containing an MRTD application.


What does the chip contain?

The chip always contains the same personal data that is also printed on the document, including a digital photo. Depending on the issuer (usually the issuing country), the chip may contain additional data. From June 2009 onwards, chips in travel documents from EU member states will contain a digital representation of fingerprints.


The Times article mentions that chips can be cloned. How is that done?

The chips in English e-passports – like the chips of many other countries – can be cloned. Dutch e-passports are equipped with chips that implement an optional mechanism (called Active Authentication), which makes cloning of Dutch chips a bigger challenge.


At the BlackHat briefings it was shown that manipulation of e-passport content allows an attacker to skip optional security features such as Active Authentication. Is this correct?

Yes, the Golden Reader Tool can be fooled by index manipulation attacks. Note that Active Authentication is only used by a limited number of countries (it is not seen on, for example, US and UK MRTDs).


Can this index manipulation problem be solved?

Yes, this issue can be solved by determining which files are stored on the chip using a specific method (using EF.SOD instead of EF.COM). This should be mandatory in the ICAO specification. The method currently described in a number of ICAO examples (including the “worked example”) is unsafe.
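As an added illustration (not part of the original page or of the research group's own tooling) of the index manipulation described in the two answers above and of the EF.SOD-based fix, the following Python models two inspection flows over a constructed chip: one that takes the list of present files from the unsigned EF.COM tag list, and one that takes it from the signed EF.SOD hash table. The function names, the simplified EF.COM layout and the use of SHA-256 are assumptions made for the example.

```python
import hashlib

# EF.COM tag-list codes (ICAO 9303) for the data groups used in this example.
DG_TAGS = {0x61: 1, 0x75: 2, 0x6F: 15}   # DG1 = MRZ, DG2 = face, DG15 = AA public key

def efcom_data_groups(efcom: bytes) -> set:
    """Data groups announced by the unsigned EF.COM tag list (tag 0x5C, length, tag bytes).
    Simplified parser: the sample EF.COM below omits the LDS/Unicode version elements."""
    i = efcom.find(b"\x5c")
    if i < 0:
        raise ValueError("EF.COM has no tag list")
    n = efcom[i + 1]
    return {DG_TAGS[t] for t in efcom[i + 2:i + 2 + n]}

def inspect_via_efcom(efcom: bytes, chip: dict) -> dict:
    """Reader that lets EF.COM decide which files exist (the unsafe 'worked example' flow):
    if DG15 is not announced there, Active Authentication is silently skipped."""
    announced = efcom_data_groups(efcom)
    return {"ok": all(dg in chip for dg in announced), "aa_required": 15 in announced}

def inspect_via_sod(sod_hashes: dict, chip: dict) -> dict:
    """Reader that takes the file list from the signed EF.SOD hash table instead.
    Assumes the SOD signature was already verified up to the issuing country's CSCA."""
    for dg, expected in sod_hashes.items():
        data = chip.get(dg)
        if data is None or hashlib.sha256(data).digest() != expected:
            return {"ok": False, "aa_required": 15 in sod_hashes,
                    "reason": f"DG{dg} listed in EF.SOD but missing or altered"}
    return {"ok": True, "aa_required": 15 in sod_hashes, "reason": "all signed data groups intact"}

# Constructed sample chip (not real passport data): DG1, DG2, DG15 and the hash table
# that the issuer's Document Signer signed into EF.SOD (SHA-256 assumed here).
GENUINE = {1: b"P<NLDDOE<<JANE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<",
           2: b"constructed JPEG bytes", 15: b"constructed AA public key"}
SOD_HASHES = {dg: hashlib.sha256(v).digest() for dg, v in GENUINE.items()}
EFCOM_HONEST = bytes([0x60, 0x05, 0x5C, 0x03, 0x61, 0x75, 0x6F])
EFCOM_NO_DG15 = bytes([0x60, 0x04, 0x5C, 0x02, 0x61, 0x75])   # tag list with DG15 dropped
CLONE = {1: GENUINE[1], 2: GENUINE[2]}   # copy without DG15: no private key to answer AA

def compare_readers() -> dict:
    """The same manipulated copy as seen by both readers."""
    return {"efcom": inspect_via_efcom(EFCOM_NO_DG15, CLONE),
            "sod": inspect_via_sod(SOD_HASHES, CLONE)}

if __name__ == "__main__":
    print(compare_readers())
```

The EF.COM-driven reader accepts the copy and never asks for Active Authentication, while the EF.SOD-driven reader refuses it because a data group covered by the signed hash table is absent.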


The Times article mentions that chips can be produced with, for instance, a photo of Elvis Presley, and that these work on Dutch readers. How is that done?

The content of self-programmed chips (not the chips in the e-passport) can be changed at will. The ICAO standard for MRTDs describes how such modifications can be detected. The Dutch equipment, as found in several municipal offices, does not detect these modifications. This means that an e-passport of, for instance, Elvis Presley can be fabricated and read. Note that, according to paspoortinformatie.nl, this equipment does not guarantee verification and is only meant to show the content of the chip.


The Times article mentions that the tested software application is “recommended for use at international airports”. What about this?

ICAO documentation describes the Golden Reader Tool as follows: “It further describes tools that have been created to allow Issuing Authorities and Inspection Authorities to evaluate and confirm proper operation of an e-MRTD; specifically reference hardware (the “Golden Reader” hardware) and reference software (the “Golden Reader Tool – GRT”).” We are not aware of the use of this software at international airports.


The Times article mentions that only a few countries use the Public Key Directory (PKD) of ICAO. Is a system unsafe if this PKD is not used?

No. The public keys of countries can be obtained through other channels. The Dutch government, for instance, offers the Dutch key information as a download on the Internet. This does not mean that all countries actually use this information.


Is the PKD used by the MRTDs as used in The Netherlands?

According to ICAO documentation this was not the case in May 2008. As far as we know, this is still correct.


Is the design of the system broken and can altered chips hence be used or abused anywhere?

No. The standards document produced by ICAO makes it possible to implement a secure system. The weaknesses mentioned in the Times article are the result of – deliberately or not – not implementing all the security measures described by ICAO. This problem is especially present in certain reading equipment.


Are there no uniform requirements for reading equipment?

No. Each government is itself responsible for its reading equipment and the requirements it sets. As far as we know, no definitive set of requirements is available for Dutch reader equipment. We have no information on foreign equipment.


Do you alter the original passport chip content?

No, we're using smart cards (JCOP41) to emulate the original chip. This smart card can, for example, be hidden in a real non-chipped passport. For use with chipped passports the original chip needs to be disabled (e.g. using a hammer or microwave).


Can chips in the stolen English passports be overwritten?

Based on currently available information we cannot make statements about this.


What would be a good solution?

To better guarantee the security of e-passports in the future, it is absolutely necessary to evaluate important public systems like this one in an open evaluation procedure. The past, for instance with voting computers and the OV-chipcard, has shown that closed (unpublished) implementations are not very secure after all. Although parts of the e-passport documentation are available (for a fee), neither open documentation nor an open evaluation is available for reader equipment. It is necessary that not only the travel document, but the system as a whole, can be evaluated and studied.