Belgium: RFID passports containing sensitive information discovered to be unencrypted, and encrypted ones are easy to decipher

A team of cryptography researchers discovered that around 720,000 passports issued by Belgium between late 2004 and July 2006 are not encrypted, and that the sensitive material they contain, including the holder's signature and photograph, could be read using a commercial RFID chip reader held 10 centimetres away, Belgian website Rue 89 reported on 6 June 2007.

The Crypto Group team of Louvain University made the discovery while trying to crack the encryption that supposedly protected the European Union RFID-chip passports. Their attempts gave rise to no reaction, until they realised that the passports' RFID chips lacked any encryption.

The same team also ran tests on the passports issued after July 2006, whose RFID chip is protected by a key based on the passport's issue and expiry dates and its serial number. The researchers were easily able to lower the number of possible combinations for a serial number (two letters and six numbers) to 24,000 after a preliminary cross-checking of sequences of numbers with time breaks between issue dates. They estimate that, at a rate of 400 attempts per minute, it would take an average of half an hour to check these possibilities, whose number could be lowered further through a more detailed examination.

"Les passeports belges cryptés comme des passoires", Rue 89, 6.6.2007; available at: -belges-cryptes-comme-des-passoires
