Discovering Vulnerabilities in ePassports using Bisimilarity

by Dr. Ross Horne

Abstract

I explain how we methodologically uncovered privacy vulnerabilities in the ICAO 9303 standard implemented by ePassports worldwide. These vulnerabilities, confirmed by ICAO, the UN agency responsible for ePassport standards, enable an ePassport holder who recently passed through a checkpoint to be reidentified without opening their ePassport. I explain how bisimilarity was used to discover these vulnerabilities, which exploit the BAC protocol (the original ICAO 9303 standard ePassport authentication protocol) and remain valid for the PACE protocol, which improves on the security of BAC in the latest ICAO 9303 standards.

This talk is based on my recent paper.

School of Computer and Cyber Sciences, Augusta University