"The whole passport design is totally brain damaged," Lukas Grunwald, a security consultant with DN-Systems in Germany and an RFID expert, said. "From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all." The controversial e-passports contain radio frequency ID, or RFID, chips that the U.S. State Department and others say will help thwart document forgery. But Lukas Grunwald, a security consultant with DN-Systems in Germany and an RFID expert, says the data in the chips is easy to copy.
The United States has led the charge for global e-passports because authorities say the chip, which is digitally signed by the issuing country, will help them distinguish between official documents and forged ones. The United States plans to begin issuing e-passports to U.S. citizens beginning in October. Germany has already started issuing the documents.
"And of course if you can read the data, you can clone the data and put it in a new tag," Grunwald says. The cloning news is confirmation for many e-passport critics that RFID chips won't make the documents more secure.
"Either this guy is incredible or this technology is unbelievably stupid," says Gus Hosein, a visiting fellow in information systems at the London School of Economics and Political Science and senior fellow at Privacy International, a U.K.-based group that opposes the use of RFID chips in passports.
"I think it's a combination of the two," Hosein says. "Is this what the best and the brightest of the world could come up with? Or is this what happens when you do policy laundering and you get a bunch of bureaucrats making decisions about technologies they don't understand?"
Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country's e-passport, since all of them will be adhering to the same ICAO standard.
Frank Moss, deputy assistant secretary of state for passport services at the State Department, says that designers of the e-passport have long known that the chips can be cloned and that other security safeguards in the passport design -- such as a digital photograph of the passport holder embedded in the data page -- would still prevent someone from using a forged or modified passport to gain entry into the United States and other countries.
Moss also said that the United States has no plans to use fully automated inspection systems; therefore, a physical inspection of the passport against the data stored on the RFID chip would catch any discrepancies between the two.
"I want to say to people that if you're using RFID passports, then please make it secure," Grunwald says. "This is in your own interest and it's also in my interest. If you think about cyberterrorists and nasty, black-hat type of guys, it's a high risk.... From my point of view, it should not be possible to clone the passport at all."
