E-passports could be used to track their owners – British computer scientists warn.
The Register reports that the possibility was revealed by Tom Chothia and Vitaliy Smirnov, the authors of a paper titled “A Traceability Attack Against e-Passports”. They claim that they have managed to exploit a flaw in one of the passport protocols in order to trace the movements of a particular passport without breaking the cryptographic key that protects the information on it.
“A traceability attack does not lead to the compromise of all data on the tag, but it does pose a very real threat to the privacy of anyone that carries such a device. Assuming that the target carried their passport on them, an attacker could place a device in a doorway that would detect when the target entered or left a building,” says the paper.
The only difficulty in employing this method is that the attackers must first observe and record the “message” that passes between the passport and the RFID reader,
“Then, when we want to identify a particular passport, we replay this message. If this replayed message is rejected because the MAC check failed then we know this is not the same passport, as the MAC key is unique to each passport. If however the message is rejected because of a failed nonce we know that the MAC check, using the unique passport key, succeeded and therefore we have found the same passport again,” explain the scientists, then add that to fix this flaw, the error messages issued by the passports must be standardised and response times must be padded so as to remove the information leak.
“For the 30 million plus passports already issued it is too late, however, future passports and identity cards can be made safe,” they claim.
Electronic (biometric) passwords are in use in more that 50 countries in the world at present. This flaw adds to a few other known attacks that can compromise the information contained on these documents, giving those opposed to the use of the e-passport some more ammunition for defending their point of view.
To read the paper, go here.