Quote:

---

FAKE ELVIS PASSPORT PASSES THROUGH AIRPORT SECURITY

Today, I see this article on CNN about two self-named "ethical hackers," Adam Laurie (director of security research and development firm, Aperture Labs) and Jeroen Van Beek (founder of security audit company, Dexlab, in The Netherlands) who hacked into the security chip on an ePassport and changed it to say it belonged to Elvis Presley. They then used the hacked passport to go through an automated passport scanning system being tested at Amsterdam's Schiphol International Airport.

If you remember, Schiphol Airport is where security scanners failed to detect the bomb attached to the body of 23-year-old Nigerian, Umar Farouk Abdulmutallab, who was headed for Detroit on Christmas Eve.

Laurie and Van Beek say their Elvis passport stunt was meant to expose how easy it is to fool a passport scanner with a fraudulent biometric chip. (Back in 2008, Van Beek put Osama bin Laden's face on the passport of a 16-month-old British boy.)

Not so good in light of the recent events where a gang of assassins forged passports in a plot that lead to the death of senior Hamas militant, Mahmoud al-Mabhouh, in Dubai in January.

Creating a passable Elvis passport was relatively easy, explained Van Beek:

Quote:

---

"What we did for that chip is create passport content for Elvis Presley and put it on a chip and sign it with our own key for a non-existent country. And a device that was used to read chips didn't check the country's signatures."

---

The problem is that there is no single standard all countries follow for verifying biometric data on the security chip. That produces loopholes that can be easily exploited.

Laurie and Van Beek stress that an international agreement is needed to close these security holes.

http://news.discovery.com/tech/fake-elvis-passport-passes-through-airp
ort-security.html

http://aperturelabs.com
http://www.dexlab.nl

---

Quote:

---

Omar bin Laden with his English wife Jane Felix and 20 of Usama's family live in Iran

Passports: This isn’t supposed to happen: how a baby became bin Laden

Jeroen van Beek takes the passport of a 16-month-old British boy and puts it on to a £40 smartcard reader the size of an iPod. He punches a code into his computer and, within seconds, the information contained in the passport’s microchip appears on screen.

This is not supposed to happen, as communication between the chip and the reader uses powerful encryption, but a renowned British computer expert called Adam Laurie worked out how to crack the code 18 months ago.

Within seconds, in his university office in Amsterdam, Mr van Beek, 30, copies the contents of the microchip on to another chip, making a clone of the first. He launches some software called Golden Reader Tool – the International Civil Aviation Organisation (ICAO) standard kit for checking biometric passports – and the new chip is flagged up as authentic.

As amazing as this may seem, this is nothing new. A German computer academic called Lukas Grunwald first cloned chips from his country’s passports two years ago.

What is new and potentially devastating, however, is what comes next.

On his computer, Mr van Beek alters the cloned chip and removes the image of the child, the Times photographer Michael Crabtree’s son, Thomas, and replaces it with the image of Osama bin Laden. He does the same with the passport of my partner, Suzanne Hallam, installing the image of Hiba Darghmeh, a Palestinian suicide bomber instead. And, if the chips had contained other biometric data, such as fingerprints or iris scans, he could have changed those too.

At first, Golden Reader refuses to authenticate the new, altered chips. A digital key signature, a certificate of authenticity, has been changed, and the reader is concerned. But Mr van Beek falls back on the work of Peter Gutmann, from Auckland University, New Zealand, who found a way to programme another key signature into the chip. The ICAO’s reader software now accepts both chips as genuine.

If we were criminals, we would have been able to create a passport in the name of a real person with a chip containing our biometrics – facial image, fingerprints and so on – and travel the world as that individual. When we presented our fake passport at borders, our image (and in EU passports issued from next June, fingerprints) would match those held in our supposedly secure biometric passports.

As identity theft goes, we could not have been more thorough. We have taken a tool designed to make an individual’s identity more secure, and changed it to validate our criminal activity. Of course, we would then need either genuine blank passports, like the 3,000 stolen on Monday last week, or fake passports – which these chips were supposed to have made obsolete – in which to put our clones.

The first electronic passports, or e-passports, were introduced by Malaysia ten years ago. After the 9/11 attacks, the US told other countries that they would have to introduce biometric passports if they wanted to avoid their citizens having to apply for visas each time they travelled there. Now costing £72, they were first issued in Britain in March 2006. Implementa-tion cost about £250 million, all of which was funded by the public by way of passport fees. Each passport contains a radio frequency identification (RFID) chip with an antenna which, when contacted by a reader with the correct encrypted codes, bounces back the information it holds.

Among the computing and electronic privacy communities, this technology has been treated with suspicion. In the US, a special foil security cage had to be inserted into new passports when researchers managed to read chips from a distance of several feet.

In Britain, details held on one passport chip were read from inside a sealed envelope by Adam Laurie in response to Home Office claims that remote reading would be impossible.

Mr van Beek, whose research in Amsterdam University’s system and network department is sponsored by the accountancy firm KPMG, has even created a passport chip featuring the identity of Elvis Presley.

The Elvis passport has been accepted as genuine by a public e-passport reader at a Dutch town hall. Oddly, though, the Dutch Government later insisted that the reader was not designed to check the security features of passports.

There is a simple tool that could foil all this fakery, but the international community is failing to use it. The ICAO, a United Nations agency, set up a centralised database to combat cloning and faking 16 months ago called the Public Key Directory, or PKD. It is operated by a Singaporean company, Netrust, which beat seven others to win the contract.

Remember that replacement key certificate that Mr van Beek programmed into our passport chips? The PKD would flag that up if you tried to use your passport at the border of a country that was a member.

At present, key signature codes can be checked only if e-passport countries choose to swap details of those keys, one country at a time. The UK does this with thirty-five countries, leaving ten uncheckable. Under the PKD system, border readers would instantly send back details of the digital signature of the chip in the fake passport – and check it against codes supplied by the issuing country.

Mr Laurie, the expert who first cracked the UK passport encryption and the founder of the website rfidiot. org, said that it was vital that all countries signed up to the directory.

He said: “If you are 99 per cent secure, then you are 100 per cent vulnerable, because that 1 per cent can be exploited.”

http://www.timesonline.co.uk/tol/news/uk/crime/article4467098.ece

---