E-Passports Can Be Cloned in Minutes, Claims Researcher

Newly issued e-passports were cloned and passed off as genuine in a test conducted by Dutch researcher Jeroen van Beek, of the University of Amsterdam, for the UK-based Times Online. Two British passports (which contained RFID chips) were manipulated by van Beek and passport reader software used by the Unite Nations deemed them genuine.

That's unsettling considering 3,000 blank British passports were stolen last week. E-passports were first introduced here in the U.S. and abroad years ago and were billed as a more secure and convenient way of verifying a person's ID.

If spoofing an e-passport wasn't frightening enough then consider the fact that van Beek was able to do all of this in under an hour. He used his own software, lines of code that are publicly available, a £40 card reader and two £10 RFID chips. The two altered passports contained images of Osama bin Laden and a Palestinian suicide bomber, so that neither van Beek nor The Times could be accused of forging viable travel documents.

UPDATE: In response to the alleged spoofing the UK's Home Office, a government department responsible for security, is rejecting the claims the passports have been successfully cloned. However, this wouldn't be the first time an e-passport has been hacked.

The Times Online offered a scenario that could happen to anyone one of us in any country we may visit. Often times travelers are asked to release our passports for photocopying at hotels or car rental shops and that gives a hacker the perfect opportunity to read and clone our data. A hacker could then implant his/her photo, fingerprints and any other biometric data while leaving our name and birthday intact and we'd never know.

Forging e-passports could be much harder, but because the 45 countries issuing them have not gotten onboard with a Public Key Directory code system passports remain vulnerable to cloning. The Public Key Directory code would register all passports to have a unique number. The Public Key Directory would be a central repository of passport numbers and activity making it hard for one passport to be in two different places at the same time without raising a red flag.

So the question remains why all 45 countries haven't registered with the PKD. That is really the only way the system becomes fool-proof.

Subscribe to the Daily Downloads Newsletter

Comments