Can the e-passport be easily cloned and is this a vulnerability?

This is a common myth and usually takes the form of hackers and journalists claiming that they have "cracked it!". All they have done is to read the data from the e-passport chip (after satisfying the BAC protection as per the standard) and to program another chip with the same data. Reading the data from the chip is exactly how the system is meant to work. Programming another chip with the same data is about as useful as photocopying a traditional passport - it is not going to get a different person through border control. In any case, the cloned chip has to be incorporated into the traditional paper passport booklet, with all its security features, which is not a trivial exercise.

The myth often implies that the cloned chip can then be altered with a different photo or personal data (eg the "Elvis" e-passport story). While once the data is altered this is no longer a cloned chip (ie an exact copy), any tampering will be detected by the digital signatures and the PKI authentication process.

An optional specification in the International Civil Aviation Organization Doc 9303 standard is "Active Authentication" (AA). AA works by having a private/public key pair, where the private key is imbedded in the chip and cannot be read out. If the public key is then copied (cloned) to another chip along with the rest of the data, the keys will no longer match and an AA authentication check will reveal this. Many countries have adopted AA and this will effectively eliminate cloning, although we believe that cloning was never a serious vulnerability.

See also, Can the information on my epassport chip be altered? And What makes an epassport hard to counterfeit?

Courtesy the Keesing Journal, 2009

Rate this tip: 
  • My comment
  • Comments [0]

Add new comment

To prevent automated spam submissions leave this field empty.
By submitting this form, you accept the Mollom privacy policy.

No comments available

If you do not findthe answer you're looking for...

Ask your question