Increasing Privacy Threats in the Cyberspace: The Case of Italian E-Passports

The recent introduction of electronic passports (e-Passports) motivates a thorough investigation of their potential security and privacy issues. In this paper, we focus on the e-Passport implementation adopted in Italy. Leveraging previous attacks on e-Passports adopted in other countries, we analyze the (in)security of Italian e-Passports and investigate additional critical issues. Our work makes several contributions.

1. We show that, in some concrete scenarios, Italian e-Passports are prone to eavesdropping attacks, in which one can obtain, without being noticed, private data stored in the e-Passport over RF communication while the passport is kept in a bag or pocket. Moreover, we show how to trace e-Passports by successfully linking two or more communication transcripts related to the same e-Passport.

2. We propose a set of open-source tools that mount successful attacks on the security of Italian e-Passports. Among them, we provide a simulator that produces attacks without requiring physical passports or RFID equipment.

3. We show that the random number generator included in the RFID chips produces bits that are noticeably far from the uniform distribution, thus potentially exposing Italian e-Passports to several other attacks.
