Belgian electronic passports can be read without authorization
The first generation of Belgian ePassports with an integrated RFID chip were issued between the end of 2004 and July of 2006. They do not contain any protective functions to prevent unauthorized scanning. A Belgian team of researchers at the Catholic University of Louvain has discovered how easy it is to read out the holder's data stored on the chip. It only takes a few seconds to get hold of the photograph and the holder's digitized signature.
Basic Access Control (BAC), proposed by the International Civil Aviation Organization (ICAO), uses cryptographic functions to prevent this data from being read by unauthorized parties. Since July 2006, the Belgian government has been issuing passports with RFID chips that allegedly use BAC to prevent unauthorized parties from accessing the data on the passport chips. However, the access key (which consists of the holder's date of birth and the number and expiry date of the passport) is reportedly printed on the passport in machine-readable code and is more or less easy to guess because the passport numbers were allocated incrementally and the passports expire after five years. Passports from other countries face a similar problem; for instance, the theoretical length of the key used on Dutch passports is reduced from 56 bits to 35 bits because the date of issue and the passport number are linearly related.
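The following added example (not taken from the researchers' report) shows why the printed fields are the whole secret: it derives the BAC key seed the way ICAO Doc 9303 specifies, then estimates the key space from the number of plausible values per field. The sample fields are the specimen values from the ICAO worked example; the candidate counts (9-digit numbers, 100 years of birth dates, 5 years of expiry dates, 5000 numbers left once the number is tied to the date) are assumptions chosen for illustration.

```python
import hashlib
import math

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1; 0-9 as is, A-Z = 10..35, '<' = 0."""
    def value(c: str) -> int:
        if c.isdigit():
            return int(c)
        return 0 if c == "<" else ord(c) - ord("A") + 10
    return str(sum(value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10)

def mrz_information(doc_no: str, birth: str, expiry: str) -> str:
    """Document number, date of birth (YYMMDD) and expiry date (YYMMDD),
    each followed by its check digit, exactly as printed in the MRZ."""
    doc_no = doc_no.ljust(9, "<")  # short numbers are padded with the filler '<'
    return "".join(f + check_digit(f) for f in (doc_no, birth, expiry))

def bac_key_seed(doc_no: str, birth: str, expiry: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1(MRZ information).
    No chip-specific secret is mixed in, so guessing the fields yields the key."""
    info = mrz_information(doc_no, birth, expiry).encode("ascii")
    return hashlib.sha1(info).digest()[:16]

def key_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Upper bound on key entropy in bits, given the candidates left per field."""
    return math.log2(doc_numbers) + math.log2(birth_dates) + math.log2(expiry_dates)

# Specimen fields from the ICAO 9303 worked example (not a real passport).
SEED = bac_key_seed("L898902C", "690806", "940623")

# Assumed counts: every field independent and uniformly distributed.
THEORETICAL = key_bits(10**9, 365 * 100, 365 * 5)
# Assumed counts: numbers issued incrementally, so knowing the expiry date
# (issue date plus five years) leaves only ~5000 candidate numbers.
CORRELATED = key_bits(5000, 365 * 100, 365 * 5)

if __name__ == "__main__":
    print("K_seed:", SEED.hex().upper())
    print(f"independent fields:   {THEORETICAL:.1f} bits")
    print(f"number tied to date:  {CORRELATED:.1f} bits")
```

Narrowing the birth-date range as well (for example, when the holder's approximate age is known) lowers the figure further, which is why the researchers ask for arbitrary characters in the machine-readable key.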
According to research group members Gildas Avoine, Kassem Kalach, and Jean-Jacques Quisquater, the problem discovered is particularly disappointing because foreign minister Karel De Gucht told the Belgian parliament on January 9 that Basic Access Control and Active Authentication protect the data on electronic passports. Now, Avoine, Kalach and Quisquater are calling for first-generation passports to be taken out of circulation. Furthermore, the researchers are demanding that arbitrary characters be added to the machine-readable access key in the second generation of passports, which would apparently require a change in the ICAO standard. Finally, they point out that Belgium could follow the example set by the United States and put the passports in metal protective sleeves.
- _Belgian Biometric Passport does not get a pass..._, the Catholic University of Louvain Crypto Group's report