A Dutch researcher has published code that purports to emulate and clone e-passports, and has released a video to prove it works.
The researcher claims the proof of concept video, posted this week to The Hackers Choice website, shows an e-passport self-reader at Schiphol airport in Amsterdam accepting a passport and chip with fake details (those of Elvis Presley) with no alarm apparently being raised.
The hacker, who goes by the name 'vonJeek', also published emulation code for use with a blank JCOP v4.1 72k smartcard. Once the code is uploaded to the card, the chip can be cloned using a customised version of Adam Laurie's RFIDIOT tool, the researcher claimed.
"Regardless how good the intention of the government might have been, the facts are that tested implementations of the e-passports inspection system are not secure," wrote vonJeek on The Hacker's Choice website.
"E-passports give us a false sense of security: We are made to believe that they make use more secure. I'm afraid that's not true: current e-passport implementations don't add security at all."
Writing on behalf of vonJeek on the UK Crypto mailing list, 'Steve' said the hack works because International Civil Aviation Organisation passport standards support self-signing of digital certificates.
"The passport data also do not need to be signed by the country issuing them," Steve wrote. "They can be signed by any other country. For example, Zimbabwe can create UK passport data and sign it with its designated and assigned [certification authority] key."
The UK Identity and Passport Service said UK passports remained secure. A spokesperson said: "We take security and privacy very seriously, which is why the British biometric passport meets international standards as set out by International Civil Aviation Organisation and we remain confident that it is one of the most secure passports available."
