RFID enabled e-passport skimming proof of concept code released
(RFIDIOt)


By Adam Laurie (adam laurie thebunker net)

The latest version of RFIDIOt, the open-source python library for RFID exploration/manipulation, contains code that implements the ICAO 9303 standard for Machine Readable Travel Documents in the form of a test  program called 'mrpkey.py'.

This program will exchange crypto keys with the passport and read and display the contents  therein, including the facial image and the personal data printed in the passport. Currently the data read is limited to the following objects:

Data Group: 61 (EF.DG1 Data Recorded in MRZ)
Data Group: 75 (EF.DG2 Encoded Identification Features - FACE)

Other Data Groups will be implemented as and when examples come to the
author's attention.

The ICAO standard relies on a 'secret' key to protect the RFID chip from casual reading, which is derived from data printed inside the passport. However, this data is also potentially available by other means, so the key for a specific passport could be derived without physical access to the passport. The information required is as follows:

The Passport number

The Date Of Birth of the holder

The Expiry Date of the Passport

(Each of the fields also has a check digit which can be calculated by the software if not otherwise available).

The author has previously shown that this data can be obtained through other channels, such as poorly secured websites, as it is a subset of the data that is required by the US Homeland Security for Advance Passenger Information, and is therefore commonly collected by airlines and other associated organizations.
 


This article, from the UK national newspaper The Guardian, gives more details of one of the techniques used:
Q. What could a boarding pass tell an identity fraudster about you? A. Way too much

 

Others have also highlighted the possibility of brute forcing the keys, given that the components are largely predictable, giving a much smaller key space than might otherwise be supposed:
Privacy issues with new digital passport



The demonstration code (RFIDIOt.py version 0.1g) can be found here: RFIDIOt



The ICAO 9303 standard documents can be found here:
 Machine Readable Travel Documents

Get the reader from ACG   It is called the HF Dual ISO



Enjoy!
Adam
--
Adam Laurie Tel: +44 (0) 1304 814800
The Bunker Secure Hosting Ltd. Fax: +44 (0) 1304 814899
Ash Radar Station http://www.thebunker.net
Marshborough Road
Sandwich mailto:adam (at) thebunker (dot) net [email concealed]
Kent
CT13 0PL
UNITED KINGDOM PGP key on keyservers

Q. What could a boarding pass tell an identity fraudster about you? A. Way too much

But they have some uses:-

Suicide bombers know this.

 

Errors & omissions, broken links, cock ups, over-emphasis, malice [ real or imaginary ] or whatever; if you find any I am open to comment.

Email me at Mike Emery. All financial contributions are cheerfully accepted. If you want to keep it private, use my PGP Key Home Page

Updated  on  Thursday, 12 June 2008 09:53:23