November 21, 2006 | By Hugh D'Andrade

British RFID Passports Easily Hacked

New passports issued in the UK contain Radio Frequency Identification (RFID) chips, supposedly for purposes of increased security. But a report in the British newspaper The Guardian found the passports surprisingly easy to read and copy. Using a device purchased for £250, a Guardian reporter was able to view and copy information from several of the new passports.

Although the new passports use a strong crypto algorithm to protect their biometric data, the encryption key is easy to steal. As the ICAO's website reveals, the key consists of the passport number, the holder's date of birth, and the expiration date.

Obtain those details — or even brute force them (the University of Cambridge's Ross Anderson says the RFID's do not lock themselves after even high numbers of repeated attempts) — and you can read out enough data to create a cloned passport.

Phil Booth, from the organization NO2ID, took part in the newspaper's investigation. "This is simply not supposed to happen," says Booth. "This could provide a bonanza for counterfeiters because drawing the information from the chip, complete with the digital signature it contains, could result in a passport being passed off as the real article. You could make a perfect clone of the passport."

Since a reader can potentially scan a passport from as much as 30cm away, a passport could be read and cloned without the passport ever leaving the victim's pocket.

Click here for more information on EFF's work to prevent RFID tags in ID cards and elsewhere.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

"Shadow Regulation" deals aren't the way to address online problems. Our new infographic outlines a better approach. https://www.eff.org/deeplinks...

Sep 30 @ 2:50pm

Queens, NY! EFF will be at World Maker Faire at the NY Hall of Science this weekend. Come explore and say hi! #WMF16 http://makerfaire.com/new-york/

Sep 30 @ 1:26pm

What do you call it when companies make back-room deals to control Internet content? We call it Shadow Regulation. https://www.eff.org/deeplinks...

Sep 29 @ 3:14pm
JavaScript license information