ePassports crypto protection under attack
Belgium has been quick to adopt ePassports as early as 2004. The cryptography researchers have established that first-generation Belgian passports (issued between the end of 2004 and July 2006) fail to include any security mechanism that would ensure the protection of personal data. They have run a demonstration that showed it was possible to read first generation passport from a short distance, potentially while it is still in the pocket of a prospective victim.
Since July 2006, with the second-generation ePassports, Basic Access Control (BAC), a protection mechanism has been implemented following International Civil Aviation Organization (ICAO) standards. Two coded lines (Machine Readable Zone) at the bottom of the first page of the passport must be read to get access to the content of the chip. However, UCL researchers discovered that data on the second generation ePassports might still be read, using a form of brute-force attack, as the content of the two lines (date of birth, of expiry, and the passport number) from the machine readable zone can be guessed to a certain extent with an exhaustive search on all the possible combinations of birth date/expiry date/passport number.
Further to their works, G. Avoine, K. Kalach and J.-J. Quisquater consider that Belgian biometric passports of first generation must be taken out of circulation without further delay. The researchers underline that the Belgian passport could also follow the example of the American passport and insert in its cover a radio-blocking shield (Faraday cage) that will prevent electronic reading of the passport while it is closed.
The never-ending story of security where a new level of security is quickly overcome by new threats goes on again… Building up both on the needs for additional security for governments and the need for additional privacy for citizens is a very efficient driver for the industry. Every time a new technology is challenged, some solutions are proposed, that lead to more R&D, and more innovative products, and eventually more sales for the security industry.