
Researchers at the University of Luxembourg have discovered a flaw in the security standard used in biometric passports (e-passports) worldwide since 2004. This standard, ICAO 9303, most recently updated in 2015, allows e-passport readers at airports to scan the chip inside a passport and identify the holder.

Security mechanisms in electronic passports

Most passports today use the standard ICAO 9303, which is issued by the International Civil Aviation Organization (ICAO). The standard includes a so-called Basic Access Control (BAC) protocol that protects the passport data from being read remotely without direct access to information printed on the front page of the e-passport.

If the passport is protected by the BAC protocol, it should not be possible to read it while it sits in a jacket pocket. Passport data is stored on a contactless chip inside the ID document. To access this data, a special reading device, for example at the airport, must perform two steps. First, a page of the passport is presented to the reader, and the reader generates a key from the information on that page. Second, that key is used in an encrypted exchange between the contactless chip and the reader. That way, the exchange of data with the passport chip should be secure.
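The first of the two steps above, sketched as an added example (not code from the article or from the researchers): it follows the BAC key derivation published in ICAO Doc 9303, where the reader hashes the document number, date of birth and expiry date from the machine-readable zone, each with its check digit, and derives an encryption key and a MAC key from the result. The function names are hypothetical, and the sample fields are the specimen values from the standard's own worked example.

```python
import hashlib

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # MRZ character values 0..35

def check_digit(field: str) -> int:
    """MRZ check digit: weights 7,3,1 repeating, '<' filler counts as 0."""
    total = 0
    for i, ch in enumerate(field):
        value = 0 if ch == "<" else ALPHABET.index(ch)  # ValueError if not MRZ
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Printed fields (dates as YYMMDD) with their check digits appended."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)

def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has odd parity (DES keys)."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)

def derive_key(k_seed: bytes, counter: int) -> bytes:
    """16-byte two-key 3DES key from the seed; counter 1 = enc, 2 = MAC."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])

def bac_keys(doc_number: str, birth: str, expiry: str):
    """Return (k_seed, k_enc, k_mac) computed only from printed data."""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    return k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)

if __name__ == "__main__":
    # Specimen values from the standard's worked example, not a real passport.
    for name, key in zip(("K_seed", "K_enc", "K_mac"),
                         bac_keys("L898902C", "690806", "940623")):
        print(name, key.hex().upper())
```

Every input to the keys is printed on the data page, which is why presenting that page is what authorises a reader to talk to the chip.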

Flaw in security standard allows tracking movements

Dr. Ross Horne, Prof. Sjouke Mauw, PhD candidate Zach Smith and Master's student Ihor Filimonov tested the ICAO 9303 standard. They discovered a flaw that allows specific non-authorised equipment to trace the movements of e-passport holders, without, however, reading passport data.

“With the right device, you can scan passports in close vicinity and re-identify passport holders who have recently passed through a passport control point, keeping track of their movements”, Dr. Horne explains. “Thus, passport holders are not protected against having their movements traced by an unauthorized observer.”

Limits and implications of the flaw

An unauthorised device scanning a passport within several meters can thus identify and keep track of that passport, even though it cannot read the passport. The privacy of the passport holder may be vulnerable to potential attacks, even though the flaw does not allow attackers to read all information from a given passport or to compromise biometric information stored in a chip inside the passport.

“As most passports today use the same standard, this security flaw potentially has global impact,” continues Dr. Horne. In Europe, such a security breach likely violates requirements from the EU data protection framework. Governments have the responsibility to protect individual privacy and to ensure that official documents are bulletproof against such attacks.

Using counterexamples to represent an attack

The researchers discovered this attack without handling any personal data. They generated a counterexample for a logical definition of what it means for an e-passport protocol to be unlinkable, by using a method called bisimilarity. In this method, a counterexample represents an attack that may be exploited by a malicious observer, who may attempt to link sessions involving the same e-passport.

The discovery of this attack emphasizes the need to improve methods to assist with detecting and mitigating privacy flaws in critical infrastructure. Researchers at the University of Luxembourg aim to take a leading role in this effort to enable security practitioners to swiftly identify privacy solutions.

Researchers suggest solutions

The researchers shared their test results with ICAO in June 2019. They also outlined several approaches for restoring privacy protection, notably a simple timing check inside official readers ensuring the reader cannot be exploited in a privacy attack. This is based on the assumption that the manufacturers of e-passport readers must take responsibility for ensuring privacy protection of passport holders.

The results of the study “Breaking Unlinkability of the ICAO 9303 Standard for e-Passports Using Bisimilarity” were presented on Tuesday 24 September at ESORICS 2019, a high-level systems security conference in Europe. The 24th edition of ESORICS is organised by the Interdisciplinary Centre for Security, Reliability and Trust (SnT) at the University of Luxembourg, from 23 to 27 September.

Author: University of Luxembourg
Editor: Michele Weber (FNR)



