Although the scientists could not read the personal data on a particular passport without having physical access to it, this new discovery makes it possible to detect the passport of a particular individual at a distance ranging between 50cm and a few metres. This does not require the person doing the tracking to know anything about their victim and there is no way for an individual to detect if he or she is being tracked.
An e-passport is the most recent generation of passport. It is an identification document combining a traditional passport with a RFID tag capable of performing cryptographic operations, storing biometric data and other personal information. All e-passports have RFID chips embedded into them – these carry personal information such as date of birth, passport number and a photograph, and they respond to any radio signal sent to them.
Cheap and easily available RFID tag readers can be used to send a signal to a passport. University of Birmingham computer scientists have shown that by replaying a particular message, the attacker can distinguish any passport from any other. An attacker could identify a target by using the reader to send a signal to the target’s passport and then, for instance, build a device that could be left by a door to detect when the target entered or left the building.
Dr Tom Chothia, researcher at the University of Birmingham’s School of Computer Science, says, ‘It is claimed that RFID tags will make passports more secure and that personal data will be protected from any unauthorised attempts to read it. However our discovery has shown that there is a flaw that makes it possible to identify the movements of a particular passport without having to break the passport’s cryptographic key. In a worst case scenario, this flaw in the system would make it possible to build a bomb that would explode on detection of a particular passport, killing the bearer.’
He continued, ‘E-passports have now been issued to over 30 million people, all of whom may be at risk of being identified using our attack method. We have tested British, French, German, Greek, Irish and Russian passports, which have all shown this error and we have informed the UK government about our discovery.’
Such attacks would not be possible if passports used a contact-based smart chip instead of an RFID tag. Using contact based chips would make it impossible to read the data on the card without the knowledge and consent of the bearer.
This work will be presented at the Conference on Financial Cryptography and Data Security at the end of January.
Ends
Notes to Editors
For further media information
Kate Chapple, Press Officer, University of Birmingham, tel 0121 414 2772 or 07789 921164.
