Recent reports about the ability to clone identity information held in new UK passports have been confirmed by leader of New Zealand's e-passport project.
The New Zealand Department of Internal Affairs (DIA) said there isn’t enough data stored on radio frequency ID (RFID) cards within its similarly styled passports’ chips to create counterfeit travel documents.
The UK government faced demands to recall 3m micro-chipped biometric passports earlier this month after it was revealed they could be electronically attacked and cloned with a £174 microchip reader.
DIA passport manager David Philp confirms that it is possible to access the RFID information and use it to make a clone. But the RFID chip in the e-passports currently issued in New Zealand is just one security feature out of more than 50 contained in the passport.
Having just a cloned chip isn’t sufficient to create a counterfeit passport, said Philp. He added that while New Zealand passports are “highly desirable," the DIA has seen very few credible counterfeited ones, he says.
While the general design goal of the e-passport is to lock the holder’s identity to the document in a secure manner, Philp said that there has to be a balance between risk management and customer service.
The passport has to be readable around the world in a reasonable amount of time and ideally in more situations than just immigration.
Philp gave airport check-ins as one example of where RFID-equipped passports should be readable.
Making the e-passport harder to read is possible, said Philp, but it would make immigration processing take longer and inconvenience people.
Researcher Peter Gutmann at the University of Auckland’s department of Computer Science was sceptical that the RFID chip provides any real security benefit. In fact, Gutmann went further and said in his technical background paper “Why biometrics is not a panacea”, that RFIDs in passports “are a disaster waiting to happen”.
German and Dutch passports have already been compromised, according to Gutmann, and this can be done remotely as well. He pointed to successful attacks by Dutch RFID security specialist Harko Robroch, who has intercepted passport and reader device communications from five meters away. Gutmann says eavesdropping on the reader was possible up to 25 meters.
In comparison, the Guardian newspaper has claimed UK passports are readable 7.5cm away, a far shorter distance than Robroch’s interception, but enough in situations such as public transport, where people are close together, to siphon off the data stored in the RFID chip.
However, Gutmann’s worst-case scenario for RFIDs in passports occurs not when they’re being compromised for counterfeiting purposes, but are used to identify the holder. The RFID chip could be used to trigger explosive charges and Gutmann points to a study that shows the current US passport design caused a small, non-lethal explosive charge concealed in a rubbish tin to detonate.
Terrorists could then target specific nationalities automatically, said Gutmann.
The New Zealand DIA is said not to be concerned about the UK reports.
The Identity and Passport Service has spent £60m on new passport production lines for the new £66 documents, which were introduced in March.