- March 2006 – UK introduces RFID-enabled, ICAO-compliant ‘e-passports’;
- March 2007 – Adam Laurie demonstrates ability to unlock e-passport chip data for ‘read’ access;
- August 2008 – Jeroen van Beek demonstrates ability to clone e-passport chip and implant bogus images;
- August 2009 – Same techniques applied to clone UK ID card and modify its data.
Technological progress being what it is, we can already see – over the 3 years since their introduction – the erosion of some of the security features of the RFID implementation: for instance, in response to the August 2008 attack, the Home Office responded that
“it had yet to see evidence of someone being able to manipulate data in an e-passport. A spokesman said: “No one has yet been able to demonstrate that they are able to modify, change or alter data within the chip. If any data were to be changed, modified or altered it would be immediately obvious to the electronic reader.”
Note the careful phrasing there: “data in an e-passport”. What the attacks have demonstrated is that you can read the information off a chip, write it to another chip, and modify that version in such a way that it fools the standard UN/ICAO “Golden Reader” software. These two pages give more details and are a useful counter-balance to the “e-passports cracked, nation doomed” headlines:
- Q&A about Jeroen van Beek’s hack, from 2008;
- Register article on “how to clone an e-passport”, from Aug 4th 2006 (yes, 3 years ago last Tuesday!)
So, should we be surprised at this sequence of hacks? In one sense, no: essentially, all it illustrates is one of a set of basic principles about credentials. The diagram below shows how these attacks fit into that set of principles: in this instance, the ‘weak link’ comes when an authenticating party relies exclusively on the RFID chip to establish the connection between the credential and the person presenting it.
This diagram is just the latest embodiment of something I’ve been using since about 2005 to illustrate what I call the “chain of trust”. That is: the purpose of a credential is to provide some level of proof that the person presenting it now ‘is identical with’ the person to whom it was issued. This is a narrow but very useful definition of the term ‘identity’. What level of proof the credential can provide depends on the strength of several factors over the lifetime of the credential (and, indeed, its bearer).
In the current sequence of hacks, what is being tested is the integrity of the credential as a whole (can bogus data be successfully encapsulated in a credential which appears genuine?), and the robustness of the authentication step (does it rely solely on the credential, or does it also involve comparison with an ‘authoritative’ repository?).
The Home Office, IPS and ICAO have all pointed out that the attacks fail to overcome some of the safeguards built into the system as a whole. For instance, ICAO note that the passport hack would be revealed by a check against their PKD database; the UK authorities point out that a cloned ID card with the user’s details modified will fail a check against the National Identity Register (assuming that that repository still contains the details of the user to whom the card was originally issued). Those defences are all true – but they do not prove that the implementation of these RFID chips is secure as a whole. They show that it is secure in certain use cases – for instance, when the card is not used as a stand-alone authentication mechanism, but is used in conjunction with online access to other components of the system (such as the PKD or the National Identity Register) – and that checks against those components are, in turn, secure. The also show that in some entirely realistic use-cases – for instance, where an online check against the NIR or deployment of full-function card readers would be prohibitively expensive – the level of proof the credentials can deliver is substantially reduced.
Again, the answer to the question ‘should this surprise us?’ is probably ‘no’. On the other hand, let’s not forget that successive proponents of the ID card scheme have given a hostage to fortune in the form of the phrase “the gold standard of identity”. Some of them have even referred to commercial organisations “queueing up to rely on it as proof of identity”. It is one thing to proclaim this as a political aspiration; it is, as the hacks have demonstrated since the chips’ introduction, quite another to translate that into a comprehensive implementation which delivers the same ‘gold standard’ to all relying parties.