Today vonJeek/THC released his tool and a video showing how to duplicate (clone) and modify a passport with an RFID chip.
The weakness is in the way the system has been rolled out. The terminal accepts self-signed data.
This attack is different from the Grunwald attack. VonJeek's attack makes it possible to copy, forge and modify the data so that it is still accepted as a genuine, valid passport by the terminal.
Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:
1. The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single points of failure are not good. Attractive targets are not good.
Any person with access to the CA key can undetectably fake passports. Direct attacks, viruses, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.
2. The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.
3. Multiple CAs would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B.
This option also multiplies the number of 'juicy' targets. It also makes it more likely for a CA key to leak.
Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.
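To make the three terminal policies discussed above concrete (accepting self-signed data, accepting any trusted CA, and binding the CA key to the issuing country the data claims), here is an added Go example. It is not THC's or vonJeek's code and not the real ePassport format: the chip contents are reduced to a flat struct, and all keys, country codes, names and document numbers are constructed for the example. It shows that a terminal checking only the key carried on the chip accepts a forgery signed with the attacker's own key, that a terminal accepting any trusted CA passes the "Country A signs Country B" case, and that only the issuer-bound check rejects both. None of the three policies helps once a legitimate CA key has leaked, which is the point the revocation sentence above makes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Doc is a simplified model of what a terminal reads from the chip: the
// signed data set, the signature, and the signer's public key and country
// as a signer certificate would carry them. Real ePassports use X.509 and
// CMS structures; this flat struct is a constructed stand-in.
type Doc struct {
	Data          []byte
	Signature     []byte
	SignerPub     ed25519.PublicKey
	SignerCountry string
}

// Results records what each of the three verification policies decides.
type Results struct {
	SelfSigned, AnyTrustedCA, BoundToIssuer bool
}

// encodeData packs the data set as "country|name|number" (constructed
// format; the first field is the issuing country the data claims).
func encodeData(country, name, number string) []byte {
	return []byte(country + "|" + name + "|" + number)
}

// claimedCountry returns the issuing country named inside the data set.
func claimedCountry(data []byte) string {
	return strings.SplitN(string(data), "|", 2)[0]
}

// Sign signs the data set and embeds the signer's public key and country,
// i.e. the same self-contained package anyone who can write a chip can build.
func Sign(priv ed25519.PrivateKey, signerCountry string, data []byte) Doc {
	return Doc{
		Data:          data,
		Signature:     ed25519.Sign(priv, data),
		SignerPub:     priv.Public().(ed25519.PublicKey),
		SignerCountry: signerCountry,
	}
}

// VerifySelfSigned is the flawed policy: the signature is checked against
// the key that came with the chip, so whatever key the writer chose is trusted.
func VerifySelfSigned(d Doc) bool {
	return ed25519.Verify(d.SignerPub, d.Data, d.Signature)
}

// VerifyAnyTrustedCA checks against a store of CA keys but lets any trusted
// CA vouch for any country's data: Country A's key can sign a data set that
// claims to be from Country B.
func VerifyAnyTrustedCA(d Doc, trust map[string]ed25519.PublicKey) bool {
	for _, pub := range trust {
		if ed25519.Verify(pub, d.Data, d.Signature) {
			return true
		}
	}
	return false
}

// VerifyBoundToIssuer accepts only a signature by the CA key registered for
// the country the data claims, so a CA can vouch for its own passports only.
func VerifyBoundToIssuer(d Doc, trust map[string]ed25519.PublicKey) bool {
	pub, ok := trust[claimedCountry(d.Data)]
	return ok && ed25519.Verify(pub, d.Data, d.Signature)
}

// Check runs all three policies on one chip.
func Check(d Doc, trust map[string]ed25519.PublicKey) Results {
	return Results{
		SelfSigned:    VerifySelfSigned(d),
		AnyTrustedCA:  VerifyAnyTrustedCA(d, trust),
		BoundToIssuer: VerifyBoundToIssuer(d, trust),
	}
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario builds three chips from constructed keys and data: a genuine
// passport of Country B, a forgery signed with the attacker's own key, and a
// Country B data set signed by Country A's legitimate CA.
func Scenario() (genuine, forged, crossSigned Results) {
	pubA, privA := mustKey()
	pubB, privB := mustKey()
	_, privAttacker := mustKey()
	trust := map[string]ed25519.PublicKey{"A": pubA, "B": pubB}

	data := encodeData("B", "DOE<<JANE", "X1234567") // constructed sample
	genuine = Check(Sign(privB, "B", data), trust)
	forged = Check(Sign(privAttacker, "B", data), trust)
	crossSigned = Check(Sign(privA, "A", data), trust)
	return
}

func main() {
	g, f, x := Scenario()
	fmt.Printf("genuine:      %+v\n", g)
	fmt.Printf("forged:       %+v\n", f)
	fmt.Printf("cross-signed: %+v\n", x)
}
```

The trust store keyed by country code is the design choice that closes point 3: the terminal asks "is this signed by the CA of the country the data says issued it?", not "is this signed by some CA I trust?". The self-signed policy is the one the text says deployed terminals use, and it is the reason a cloned or modified chip is accepted.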
So what's the solution? We know that humans are good at border control. In the end they have protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job of 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.
Never let a computer do a job that can be done by a human.