Belgium: RFID passports containing sensitive information discovered to be unencrypted, and encrypted ones are easy to decipher

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

A team of cryptography researchers discovered that around 720,000 passports issued by Belgium between late 2004 and July 2006 are not encrypted and the sensitive material they contain, including the holder's signature and photograph, could be read using a commercial RFID chip reader held 10 centimetres away, reported Belgian website Rue 89 on 6 June 2007.

The Crypto Group team of Louvain University made the discovery while trying to crack the encryption that supposedly protected the European Union RFID-chip passports. Their attempts gave rise to no reaction, until they realised that the passports' RFID chips lacked any encryption.

The same team also ran tests on the passports issued after July 2006, whose RFID chip is protected by a key based on a passport's issue and expiry date, and its serial number. The researchers were easily able to reduce the possible combinations for a serial number (two letters and six numbers) to 24,000 after a preliminary cross-checking of sequences of numbers with time breaks between issue dates. At a rate of 400 attempts per minute, they estimate that it would take an average of half an hour to check these possibilities, whose number could be lowered through a more detailed examination.
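
The loss of key strength described above can be measured with a short calculation. This is an added example, not code from the researchers or the article: the serial/date pairs are constructed, and it assumes serial numbers are handed out in increasing order over time.

```python
import math
from bisect import bisect_left, bisect_right
from datetime import date

ATTEMPTS_PER_MINUTE = 400   # rate quoted in the article
NOMINAL = 26**2 * 10**6     # two letters + six digits, if all were equally likely

# Constructed sample: (issue date, serial number) pairs from known passports.
OBSERVED = [
    (date(2006, 8, 1), "EA100000"),
    (date(2006, 8, 8), "EA124000"),
    (date(2006, 8, 15), "EA148000"),
]

def serial_to_int(serial):
    """Map 'AB123456' to its position in issuance order (assumed lexicographic)."""
    prefix = (ord(serial[0]) - 65) * 26 + (ord(serial[1]) - 65)
    return prefix * 10**6 + int(serial[2:])

def bracket(issue_date, observed):
    """Serials that fit between the nearest passports issued strictly
    before and strictly after issue_date."""
    pts = sorted((d, serial_to_int(s)) for d, s in observed)
    dates = [d for d, _ in pts]
    lo_i = bisect_left(dates, issue_date) - 1   # last sample before the date
    hi_i = bisect_right(dates, issue_date)      # first sample after the date
    lo = pts[lo_i][1] if lo_i >= 0 else 0
    hi = pts[hi_i][1] if hi_i < len(pts) else NOMINAL
    return hi - lo

def strength(candidates):
    """Return (entropy in bits, average minutes to find the right serial)."""
    return math.log2(candidates), candidates / 2 / ATTEMPTS_PER_MINUTE

if __name__ == "__main__":
    narrowed = bracket(date(2006, 8, 4), OBSERVED)
    for label, n in (("nominal", NOMINAL), ("narrowed", narrowed)):
        bits, minutes = strength(n)
        print(f"{label:9} {n:>11,} serials  {bits:5.1f} bits  {minutes:,.0f} min avg")
```

A key input that looks like 29 bits on paper contributes under 15 bits once issuance order is known, which is why predictable document numbers are a weak basis for an access key.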

"Les passeports belges cryptés comme des passoires", Rue 89, 6.6.2007; available at: -belges-cryptes-comme-des-passoires 
