It was demonstrated today at the Black Hat conference.
Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country's e-passport, since all of them will be adhering to the same ICAO standard.
In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He obtained the reader by ordering it from the maker -- Walluf, Germany-based ACG Identification Technologies -- but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.
He then launched a program that border patrol stations use to read the passports -- called Golden Reader Tool and made by secunet Security Networks -- and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template.
Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader -- which can also act as a writer -- and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.
As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information.
The result was a blank document that looks, to electronic passport readers, like the original passport.
I've long been opposed (that last link is an op-ed from The International Herald Tribune) to RFID chips in passports, although last year I -- mistakenly -- withdrew my objections based on the security measures the State Department was taking.
That's silly. I'm not opposed to chips on ID cards; I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.
Sure, the State Department is implementing security measures to prevent that. But as we all know, these measures won't be perfect. And a passport has a ten-year lifetime. It's sheer folly to believe the passport security won't be hacked in that time. This hack took only two weeks!
The best way to solve a security problem is not to have it at all. If there's an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there's no RFID chip, then the security problem is solved.
Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can't do, I am opposed to the idea.
Crossposted to the Schneier on Security blog.