Biometric passports 'easily cloned'

The new generation of e-passport, due to be issued to US citizens from October, can be cloned easily – not good news on a day when airports on both sides of the Atlantic are on high-security alert.

German researchers at the Black Hat security conference in Las Vegas have shown how e-passports, sporting an RFID (radio frequency identification) chip containing biometric data, can be copied using a laptop, RFID reader and smartcard reader – yours for an outlay of less than $1,500.

Security experts say this is no great surprise: RFID tags are meant to be cheap and easy to produce.

The tags are used increasingly in logistics, attached to goods so they can be automatically identified as they move from one depot to another through the supply chain.

That makes RFID a suitable technology for tracking tins of soup in Wal-mart, but not up to the job of protecting against identity theft.

"RFID was never designed to manage personal identity details," says Stijn Bijnens, Senior Vice President, Identity Management of Cybertrust. "We have seen the activity of cyber criminals shift from hacking into internet-connected systems to identity theft. This is a real potential threat and you will see cases of fraud based on e-passport [forgery]."

The data in an RFID tag is protected by a password that can be easily cracked.

According to the security experts, the US should be following the lead of several European countries and using more robust public key infrastructure (PKI) systems which use strong encryption to scramble data.

A PKI passport would be more expensive than one with an RFID tag because it would require a chip to perform the cryptography computations required by PKI. But the price of these chips is falling as they are deployed in their millions in identity card and health card schemes in countries such as Belgium, Germany, Finland and Estonia.