Forged passports may seem like the stuff of spy novels, but they have appeared in the real world, having been used by individuals who went on to take part in terrorist attacks. To add a layer of security that goes beyond what's printed on the page, many nations are adopting passports with an RFID chip that contains a duplicate of the printed information, secured by encryption. A security researcher hired by a British newspaper has now shown that it's possible to replace the data in the RFID chip, and the lack of international cooperation in the sharing of encryption information may mean the hack goes undetected in many places.

The basics behind the RFID scheme are pretty simple. Passports contain printed copies of a personal photo and key biometric information, such as height, date of birth, etc. With the right equipment and blank passports, it's possible to forge these printed materials. RFID chips embedded in the passports are intended to help detect these forgeries, as they carry a duplicate of this information—if the two don't match, then the forgery should be obvious. (The US State Department maintains an FAQ addressing this technology.)

Of course, it's entirely possible to forge an RFID chip, which is precisely what a security researcher in Amsterdam did at the request of The Times. Jeroen van Beek of the University of Amsterdam was given two valid passports that contained RFID chips. Using an $80 RFID reader, van Beek was able to obtain a copy of all the biometric data, substitute arbitrary values for each of the fields, then write the modified data back out to a separate $40 RFID chip. The Times reports that the process took about an hour. In an amusing twist—and to avoid charges that they were actually engaged in illegal forgery—van Beek uploaded Osama bin Laden's vitals onto the blank RFID chip.

There's still the matter of forging the printed material to match, but the fact that this was already being done was the justification for the RFID chip in the first place.

Those who created the RFID scheme apparently recognized the danger of this kind of tampering and included some sort of encrypted hash value that can verify that the data has not been altered; van Beek's method does nothing to compensate for this, and thus leaves the forgeries at risk of detection. Unfortunately, a lack of international cooperation means that the risk of detection remains minimal and is easily avoided.

The forgery detection scheme relies on a Public Key Directory maintained by the International Civil Aviation Organization. Each country issuing RFID-equipped passports can upload public signature information to the directory, which would allow changes to the biometric information to be detected. As of last year, only seven countries had signed up for the directory. According to The Times, over 45 are now issuing RFID passports. Germany appears to be one of the laggards, though it seems to be hesitating because it's unsure whether the method by which passport issuers submit their certificates to the directory is itself secure.
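The border-side check described above, sketched as an added example (not code from the article, The Times, or ICAO). It assumes a toy textbook-RSA signature over a SHA-256 hash of the chip data, the constructed issuer code "AAA", and constructed chip contents; the point is that a missing directory entry must be treated as a failure, not a pass.

```python
import hashlib

# Toy textbook-RSA issuer key built from two Mersenne primes (assumption for
# illustration only; far too weak and unpadded for any real deployment).
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the issuer

def digest(data: bytes, n: int) -> int:
    """SHA-256 of the chip data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issuer_sign(data: bytes) -> int:
    """Done once by the issuing state when the chip is personalised."""
    return pow(digest(data, N), D, N)

def check_chip(chip: dict, directory: dict) -> str:
    """Return VALID, TAMPERED, or UNVERIFIABLE for a chip read at the border."""
    key = directory.get(chip["issuer"])
    if key is None:
        # Issuer never uploaded its public key: nothing can be checked.
        return "UNVERIFIABLE"
    n, e = key
    matches = pow(chip["signature"], e, n) == digest(chip["data"], n)
    return "VALID" if matches else "TAMPERED"

def admit(chip: dict, directory: dict) -> bool:
    """Fail-closed policy: only a positively verified chip is accepted."""
    return check_chip(chip, directory) == "VALID"

# Constructed sample data (hypothetical holder and issuer code).
DATA = b"name=EXAMPLE HOLDER;dob=1970-01-01;height=180"
GENUINE = {"issuer": "AAA", "data": DATA, "signature": issuer_sign(DATA)}
# Same chip with one field changed and the original signature left in place.
ALTERED = dict(GENUINE, data=DATA.replace(b"180", b"175"))

FULL_DIRECTORY = {"AAA": (N, E)}   # issuer participates in the directory
SPARSE_DIRECTORY = {}              # issuer has not uploaded a key

if __name__ == "__main__":
    for label, chip, directory in [
        ("genuine, key in directory", GENUINE, FULL_DIRECTORY),
        ("altered, key in directory", ALTERED, FULL_DIRECTORY),
        ("altered, key missing", ALTERED, SPARSE_DIRECTORY),
    ]:
        print(label, "->", check_chip(chip, directory), "admit:", admit(chip, directory))
```

A reader that silently accepts the UNVERIFIABLE case is the gap the article describes; logging how often that result occurs per issuing country shows how much of the traffic is actually being checked.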

All a hacker would have to do is figure out which countries are not part of the directory and target forgeries to those nations. The story is a disturbing reminder that the best security system in the world is only useful if it's actually put into practice.