Researchers at the University of Luxembourg have discovered a flaw in the security standard used in biometric passports (e-passports) worldwide since 2004. This standard, ICAO 9303, most recently updated in 2015, allows e-passport readers at airports to scan the chip inside a passport and identify the holder.
Security mechanisms in electronic passports
Most passports today use the standard ICAO 9303, which is issued by the International Civil Aviation Organization (ICAO). The standard includes a so-called Basic Access Control (BAC) protocol that protects the passport data from being read remotely without direct access to information printed on the data page of the e-passport.
If the passport is protected by the BAC protocol, it should not be possible to read it out of a jacket pocket. Passport data is stored on a contactless chip inside the ID document. To access this data, a special reading device, for example at the airport, must perform two steps. Firstly, the data page of the passport is presented to the reader, which generates a key from the information printed on that page. Secondly, that key is used in an encrypted exchange between the contactless chip and the reader. That way the exchange of data with the passport chip should be secure.
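The first BAC step described above, deriving the session keys from the printed data page, as an added example that is not code from the researchers or from ICAO: it computes the MRZ check digits, the key seed and the two 3DES keys (K_ENC and K_MAC) the way ICAO 9303 specifies, and runs on the sample document number, birth date and expiry date published as the standard's own worked example. It shows why the data page must be presented first: without those printed fields a reader cannot derive the key; the tracking flaw the researchers found lies in the later encrypted exchange, not in this derivation.

```python
import hashlib


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1 repeat; '<' is 0, letters A..Z are 10..35."""
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            value = 0
        elif ch.isdigit():
            value = int(ch)
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)


def bac_mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """MRZ_information = each of the three fields followed by its own check digit."""
    return "".join(f + mrz_check_digit(f) for f in (doc_number, birth_yymmdd, expiry_yymmdd))


def _odd_parity(key: bytes) -> bytes:
    # DES keys carry an odd-parity bit in the least significant bit of every byte;
    # the hash output is adjusted so each byte has an odd number of set bits.
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """SHA-1(K_seed || counter as 4-byte big-endian), first 16 bytes, parity adjusted.
    Counter 1 yields K_ENC, counter 2 yields K_MAC (two-key 3DES)."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])


def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str):
    """Return (K_seed, K_ENC, K_MAC) for the given data-page fields."""
    mrz_info = bac_mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)


if __name__ == "__main__":
    # Sample data-page fields: the worked-example values given in ICAO Doc 9303 itself.
    seed, k_enc, k_mac = bac_keys("L898902C<", "690806", "940623")
    print("K_seed", seed.hex().upper())
    print("K_ENC ", k_enc.hex().upper())
    print("K_MAC ", k_mac.hex().upper())
```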
Flaw in security standard allows tracking movements
Dr. Ross Horne, Prof. Sjouke Mauw, PhD candidate Zach Smith and Master student Ihor Filimonov tested the ICAO 9303 standard. They discovered a flaw that allows specific non-authorised equipment to trace the movements of e-passport holders, without however reading passport data.
“With the right device, you can scan passports in close vicinity and re-identify passport holders who have recently passed through a passport control point, keeping track of their movements”, Dr. Horne explains. “Thus, passport holders are not protected against having their movements traced by an unauthorized observer.”
Limits and implications of the flaw
An unauthorised device scanning a passport within several meters can thus identify and keep track of that passport, even though it cannot read the passport. The privacy of the passport holder may be vulnerable to potential attacks, even though the flaw does not allow attackers to read all information from a given passport or to compromise biometric information stored in a chip inside the passport.
“As most passports today use the same standard, this security flaw potentially has global impact,” continues Dr. Horne. In Europe, such a security breach likely violates requirements of the EU data protection framework. Governments have the responsibility to protect individual privacy and to ensure that official documents are bulletproof against such attacks.
Using counterexamples to represent an attack
The researchers discovered this attack without handling any personal data. Using a method called bisimilarity, they generated a counterexample to a logical definition of what it means for an e-passport protocol to be unlinkable. In this method, a counterexample represents an attack that may be exploited by a malicious observer who attempts to link sessions involving the same e-passport.
The discovery of this attack emphasizes the need to improve methods to assist with detecting and mitigating privacy flaws in critical infrastructure. Researchers at the University of Luxembourg aim to take a leading role in this effort to enable security practitioners to swiftly identify privacy solutions.
Researchers suggest solutions
The researchers shared their test results with ICAO in June 2019. They also outlined several approaches for restoring privacy protection, notably a simple timing check inside official readers ensuring the reader cannot be exploited in a privacy attack. This is based on the assumption that the manufacturers of e-passport readers must take responsibility for ensuring privacy protection of passport holders.
The results of the study “Breaking Unlinkability of the ICAO 9303 Standard for e-Passports Using Bisimilarity” were presented on Tuesday 24 September at ESORICS 2019, a high-level systems security conference in Europe. The 24th edition of ESORICS is organised by the Interdisciplinary Centre for Security, Reliability and Trust (SnT) at the University of Luxembourg, from 23 to 27 September.
Editor: Michele Weber (FNR)
Here is a link to the study abstract.