ibnlive » Blogs

Jaimon Joseph
Tuesday , July 20, 2010 at 23 : 17

The fake passport blog - part 2


In a country where Nepali's, Bangladeshis and Pakistani's can practically walk across the border - why should a terrorist bother to fake a biometric passport?

It could come useful in certain situations. Why would someone like David Headley risk a clandestine crossover, when he could live in the best of hotels, mix in the most hallowed social circles - legally? It's also a neat trick to shift blame to an Indian citizen, after a terrorist attack.

But an "attack" is not the only thing a cloned biometric passport can be used for. It can also be used to steal your identity. For cheap. If my last post made you believe it's almost impossible to mess around with a biometric passport, I'm very sorry. Because this one - is about how it's already been done. With equipment that costs less than ten thousand rupees.

Lukas Grunwald, a German security expert, did it in 2006. British newspapers reported on a similar stunt by Adam Laurie, in 2007. Jeroen Van Beek, a researcher in the Netherlands, actually walked into Amsterdam airport with a fake biometric passport made in the name of Elvis Presley. He was not stopped.

Just Google their exploits - most technically minded terrorists probably already have. Here's a quick account of how they did it.

A biometric passport has a chip, about the size of the one in your mobile phone SIM. That chip is embedded in a radio transmitter, slightly smaller than your visiting card. The entire unit is then sealed, into the last, thick page of our passports. You'll get one of these things when you apply to renew your passport.

Effectively - this passport is now a tiny radio transmitter. It emits radio signals at a certain frequency. And over those radio waves, it transmits the information stored in its chip.

If you have a radio scanner listening in on that specific frequency - you can intercept that data. You could be standing ten meters away, you wouldn't even need to touch the passport. You could read it, then clone it.

I'll get into the specifics later. But here's why you should begin to get worried.

1.) Let's say a terrorist knows he looks a fair bit like you. First, he'd clone all your passport details by eavesdropping on the chip. Then insert his new, cloned chip into a fake paper passport he's already made.

He'd grow a beard or a pony tail - to confuse the airport guards. When they test his passport on their reader, it wouldn't ring any alarms - after all it's a perfect clone of a perfectly valid passport.

When they try to physically cross check his appearance against your facial image stored on the chip, they wouldn't spot a difference. A biometric facial or fingerprint scanner would have rung alarms - but they're very expensive and used at very few counters. So a terrorist COULD cross borders - using YOUR passport details.

There is also a psychological problem - if the machine says a passport is OK, airport officials will tend to believe it and drop their guard. They won't bother to do a more careful physical check. Because that would take more time - and after all wasn't the biometric passport meant to save time at check in counters?

2.) Or let's say it's scamsters who want to target you. The postman or courier boy who delivers your passport home, could copy details from its chip, without even opening the envelope. So could a hotel attendant abroad - when you show him your passport to book a room. Among those details, will be an exact digital copy of the first page of your passport.

This first page is something we often photocopy. We use it as a proof of identity - to open a bank account, to apply for a new phone connection, for a driving license etc. The scamster could send that first page to an Indian bank and open a new account in your name. And funnel in dirty money into it, without you ever knowing.

3.) There's another loophole in the "Biometric Passport as extra security" scheme. When you walk into a country like the US with your passport, your info is not only scanned and crosschecked - it's also stored on their servers for a very long time. This supposedly happens to all passports presented at immigration - part of their "War on Terror" is keeping track of the details and frequency of people's visits.

In theory, a corrupt official in the department could gather your private data and sell it to people on the black market. Right now - someone else can't easily match your unique biometrics. But technology gets better everyday, so a leak in the department would mean a terrorist could walk around with your identity.

4.) Another pinprick in the "security" angle. At least one researcher has shown how to trigger a small bomb when it comes close enough to radio signals transmitted by a particular country's passport. Terrorists could also use a similar technique can to single out people of a particular country from a group - and target them for kidnapping/elimination.

It's not just passports. The technology can be used to eavesdrop and clone other RFID or Radio Frequency Identification Devices. That includes the card you use to get entry into your office, your new driving license and perhaps even the upcoming UID or Universal Identity card.

Getting back to the passports. Inexpensive Radio Frequency scanners can easily be bought online. You could also build one by modifying the Bluetooth receiver on your PC. Software like Golden Reader, that let you communicate with a passport chip, are easily available on the net. The International Civil Aviation Organization or ICAO - the nodal agency behind the biometric passport movement, has it on its website.

When held over a passport reader at the airport, the chip and the reader first challenge each other with a code. Once each is satisfied the other's a genuine party - the chip transmits the info it carries to the reader.

To prevent people from eves-dropping on this exchange, the designers of biometric passports used a simple trick. They printed a twenty four character, two line strip of data on one of the pages of the passport.

This "Strip" is called a "Machine Readable Zone", or MRZ. Only after swiping this strip through a machine, would the passport reader be able to generate a valid challenge that the passport chip would respond to. So whoever wants to read the passport, would have to have it open, in his hand.

Smart. The problem is, the characters they've decided to print on that strip. Your date of birth, your passport number, its date of expiry and so on - in a specific pattern.

Clever programmers can guess those details. Your DOB, they find from sites like Facebook. From public databases online - they observe patterns in a long series of passport numbers. They also find out the number of passports issued everyday in the country.

They feed all that research into a maths formula that's often used by companies to generate things like random credit card numbers. And crack the MRZ of your passport, on a normal home PC, in under two hours. The big expense - about Rs 10,000 for a radio scanner. With the MRZ code, a terrorist or scamster can suck data from your chip, standing upto ten meters away at the check in counter.

Governments could of course put in place a more complex passport numbering system. But though such demonstration attacks have been widely reported in the foreign press, they haven't moved on this yet.

When someone like a postman has the luxury of holding your physical passport in his hand, he can suck it dry with another trick. He swipes the passport against his radio scanner many, many times.

The more the number of swipes, the higher the chance of the computer mathematically guessing the security code. In an ATM, if you enter the wrong code thrice - you're locked out and can't withdraw any money. A similar safety feature hasn't yet been built into these passport chips.

A small backgrounder on how all this started in the first place. After 9/11, America decided that all foreigners entering its borders would need to have machine readable passports with biometrics - on the assumption that these would be tough to forge.

It demanded this of the 27 countries that had a visa waiver agreement with it. Most of Europe fell in line and soon, the rest of the world.

After researchers publicly carried out attacks on these passports, FIDIS, or the "Future of Identity in the Information Age" - a European Union funded body called the technology used in them "poorly conceived".

"European governments have forced their citizens to adopt documents which dramatically reduce their security and privacy and increase the risk of identity theft."

The Indian Government however - doesn't seem to have listened.


Previous Comments


More about Jaimon Joseph

I've always been scared around gadgets and software. And in awe of people who're good with them. After three years of science and tech reporting though, I think I'm starting to get the hang of things. Before this, I covered automobiles, health, careers and business, for seven years. Nice thing about technology is, it lets me poach into all those fields once in a while. I love this job. But I'm not sure how I managed to land it. I did my BA in Advertising from Delhi College of Arts and Commerce and MA in Journalism from Madurai Kamaraj University. I wanted to be a cartoonist, a guitar player and a footballer but sucked in all those fields. I can play the flute and harmonica though. And I have an interest in machines that move - it was cars and bikes earlier but considering there's nothing revolutionary happening there, it's military stuff now. I'm the sort who drools over figures. Not the 36-24-36 types. But top speed, acceleration, fuel consumption, drag co-efficient. I drive an Alto though. And usually take the Metro to work.


Recent Posts