The government plans to use ePassports at Immigration and Border
Control. The information is electronically read from the Passport
and displayed to a Border Control Officer or used by an automated
setup. THC has discovered weaknesses in the system to (by)pass the
security checks. The detection of fake passport chips does not
work. Test setups do not raise alerts when a modified chip
is used. This enables an attacker to create a Passport with an
altered Picture, Name, DoB, Nationality and other credentials.
The manipulated information is displayed without any alarms going off.
The exploitation of this loophole is trivial and can be verified using
Regardless how good the intention of the government might have been, the
facts are that tested implementations of the ePassports Inspection System
are not secure.
ePassports give us a false sense of security: We are made to believe
that they make usemore secure. I’m afraid that’s not true: current
ePassport implementations don’t add security at all.