Shock, horror, outrage - biometric passport data snooped, again

Insecurity as a design feature...


The biometric passport has been 'cracked' again - but it's the same crack as the old crack (which is not exactly a crack). This time it's the new UK passport, and Liberal Home Affairs spokesman Nick Clegg is calling for the urgent recall of all the 3 million that have already been issued.

No2ID national coordinator Phil Booth, whose digitised image gazes out from the centre of the print edition of the Guardian screamer on the subject, is staggered.

"This is simply not supposed to happen," Phil tells us. But, erm, Phil, you know better than that, don't you? This is exactly what's supposed to happen, the point at issue being whether or not it's a good and sensible idea for what's supposed to happen to happen.

The exploit described by the Guardian's investigation to all intents and purposes repeats previous demonstrations at Black Hat and the University of Nijmegen, and relies on what the defenders of biometric passports, specifically the Home Office and the Identity & Passport Service in this case, pitch as a design feature rather than a flaw. The basic principle set down by ICAO is that the digitised information in a passport should be readable in the same way as the printed information in earlier generations of passports, the logic here being that you traditionally hand over your passport at border control and somebody looks at it.

That, UK passport holders may have noted, doesn't happen as much as it used to these days, many of the people previously employed to look at it being far too busy scouring the countryside for illegal immigrants. Follow this notion through to the digital age however, as the ICAO standards do, and you get the principle that a passport handed over is voluntarily offered for reading, therefore whoever's got it is allowed to read it, and therefore proof that it has been offered counts as permission to read the digitised data.

The data communication between the passport chip and the reader is encrypted, but the key is printed in the passport. Thus, the machine reads the key, passes it to the chip, and the data comes over and is displayed on the screen in front of the immigration officer, if, that is, the reader has a screen, which need not necessarily be the case.

The key itself is held in the passport's machine readable strip, and in the case of the UK passport this key consists of (in this order) passport number, holder's date of birth, and passport expiry date. There is no specific need for the key to be produced in this way, and it could be argued that the system would be slightly more secure if it were randomly generated, but this wouldn't provide massively better protection against brute force remote attacks on random subjects, and there doesn't seem a particularly strong argument for recalling all passports already issued and replacing them with ones with less predictable keys. ICAO standards also require that it is possible for the key to be entered manually, so whatever it is, it needs to be readable by mere mortals.
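An added illustration of the key construction described above (not code from the article or from ICAO): it assembles the key material from the three printed fields using the check-digit rule and SHA-1 seed derivation of ICAO Doc 9303 Basic Access Control, then bounds how much entropy such a key can carry. The field values are specimen-style samples, and the ranges passed to `search_space_bits` (9-digit numeric document number, 100 years of birth dates, 10-year validity) are assumptions.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated across the field


def check_digit(field: str) -> int:
    """Check digit for one MRZ field: 0-9 as is, A-Z = 10-35, '<' filler = 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"character {ch!r} is not valid in an MRZ")
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Document number, date of birth, expiry date, each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")  # short numbers are padded with '<'
    if len(doc_number) != 9 or len(birth) != 6 or len(expiry) != 6:
        raise ValueError("expected a 9-character number and YYMMDD dates")
    return "".join(f + str(check_digit(f)) for f in (doc_number, birth, expiry))


def key_seed(mrz_info: str) -> bytes:
    """Key seed: the first 16 bytes of SHA-1 over the MRZ information."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def search_space_bits(doc_numbers: int, birth_days: int, expiry_days: int) -> float:
    """Upper bound on key entropy given how many values each field can take."""
    return math.log2(doc_numbers) + math.log2(birth_days) + math.log2(expiry_days)


if __name__ == "__main__":
    # Sample field values, not taken from any real passport.
    info = mrz_information("L898902C<", "690806", "940623")
    print("MRZ information:", info)
    print("key seed:", key_seed(info).hex())
    # Assumed ranges: 10**9 document numbers, 36525 birth dates, 3653 expiry dates.
    bits = search_space_bits(10**9, 36525, 3653)
    print(f"at most {bits:.1f} bits, against {len(key_seed(info)) * 8} for a random seed")
```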

The Guardian exploit simply took the key from the printed/machine readable data of three passports, and read them. This is not new, not clever, not a blockbuster cover feature for today's G2 supplement. Oh wait, it seems to be anyway...

Demonstrations of this sort should however be seen as an awful warning, and to understand why this is, we need to consider the Home Office's and ICAO's arguments in defence of this level of security, and the recommendations about the use of the technology from ICAO itself, and more recently from FIDIS. The defence is that the information in a passport is fairly limited, and is freely available - it's printed in the passport, so by definition cannot be particularly secret (ICAO doesn't regard fingerprints as 'public' in the same way as face, so inclusion of fingerprint biometrics will take us into more dangerous and less straightforward territory - but skip that for now). The defence against remote reading is the encryption, which ensures that reading without direct access to the passport itself is at least difficult, requiring a brute force attack.

If you can get access to the data either via brute force or by surreptitiously copying the printed data, then you have the data necessary to clone the chip, but in order to clone the passport you still need to forge the document itself, and the fake bearer would need to have some resemblance to the real one, because you can't readily change the picture in the chip. You can argue the relative cost-benefits of such a procedure for criminals until the cows come home, but from the villain's perspective it surely makes a lot more sense to temporarily borrow/wheedle a passport from a mark than to lurk around airports with caseloads of concealed electronic snooping gear. And even if/when this kind of copying starts to happen the security of the passport will still be better than it was previously.

But the security of the individual identity is a different matter. ICAO specifically cautions against the widespread use of biometric passports as general ID documents, and envisages their being used for border control purposes, i.e. as passports. ICAO also specifically pitches the biometric passport standards as a defence of the integrity of the document, and not as proof of the identity of the bearer. We've pointed this out before, it's very important, and it's tragic how practically nobody in government grasps why.

FIDIS' warning last week puts it fairly well. The information you can pick up from a passport alone doesn't consist of great secrets and does not in itself provide a particularly handy route for stealing the bearer's identity, money etc. It does get you some way towards forging passports, but for full-on identity theft you need more context - home address, credit card numbers, that kind of stuff. Hotels, travel agents, ticketing desks, banks and postal services are just some examples of organisations which do have ready access to this wider data context. And it's worth noting that increased demand for use of strong ID (usually at the behest of the government) means that opportunities for passport-related identity theft are proliferating.

Why, the Identity & Passport Service is even pouring its own petrol on the blaze, in the shape of its identity verification service, the point here being that the UK government thinks it can make money out of making the passport, and subsequently the ID card with the National Identity Register, a ubiquitous proof of identity. Which is precisely what ICAO and FIDIS say not to do. The more of your life that depends on the ID card, the more value the information that can be taken from the card has for criminals. Go figure. ®
