Feeds

Shock, horror, outrage - biometric passport data snooped, again

Insecurity as a design feature...

The Power of One eBook: Top reasons to choose HP BladeSystem

The biometric passport has been 'cracked' again - but it's the same crack as the old crack (which is not exactly a crack). This time it's the new UK passport, and Liberal Home Affairs spokesman Nick Clegg is calling for the urgent recall of all the 3 million that have already been issued.

No2ID national coordinator Phil Booth, whose digitised image gazes out from the centre of the print edition of the Guardian screamer on the subject, is staggered.

"This is simply not supposed to happen," Phil tells us. But, erm, Phil, you know better than that, don't you? This is exactly what's supposed to happen, the point at issue being whether or not it's a good and sensible idea for what's supposed to happen to happen.

The exploit described by the Guardian's investigation to all intents and purposes repeats previous demonstrations at Black Hat and the University of Nijmegen, and relies on what the defenders of biometric passports, specifically the Home Office and the Identity & Passport Service in this case, pitch as a design feature rather than a flaw. The basic principle set down by ICAO is that the digitised information in a passport should be readable in the same way as the printed information in earlier generations of passports, the logic here being that you traditionally hand over your passport at border control and somebody looks at it.

That, UK passport holders may have noted, doesn't happen as much as it used to these days, many of the people previously employed to look at it being far too busy scouring the countryside for illegal immigrants. Follow this notion through to the digital age however, as the ICAO standards do, and you get the principle that a passport handed over is voluntarily offered for reading, therefore whoever's got it is allowed to read it, and therefore proof that it has been offered counts as permission to read the digitised data.

The data communication between the passport chip and the reader is encrypted, but the key is printed in the passport. Thus, the machine reads the key, passes it to the chip, and the data comes over and is displayed on the screen in front of the immigration officer, if that is the reader has a screen, which need not necessarily be the case.

The key itself is held in the passport's machine readable strip, and in the case of the UK passport this key consists of (in this order) passport number, holder's date of birth, and passport expiry date. There is no specific need for the key to be produced in this way, and it could be argued that the system would be slightly more secure if it were randomly generated, but this wouldn't provide massively better protection against brute force remote attacks on random subjects, and there doesn't seem a particularly strong argument for recalling all passports already issued and replacing them with ones with less predictable keys. ICAO standards also require that it is possible for the key to be entered manually, so whatever it is, it needs to be readable by mere mortals.

The Guardian exploit simply took the key from the printed/machine readable data of three passports, and read them. This is not new, not clever, not a blockbuster cover feature for today's G2 supplement. Oh wait, it seems to be anyway...

Demonstrations of this sort should however be seen as an awful warning, and to understand why this is, we need to consider the Home Office's and ICAO's arguments in defence of this level of security, and the recommendations about the use of the technology from ICAO itself, and more recently from FIDIS. The defence is that the information in a passport is fairly limited, and is freely available - it's printed in the passport, so by definition cannot be particularly secret (ICAO doesn't regard fingerprints as 'public' in the same way as face, so inclusion of fingerprint biometrics will take us into more dangerous and less straightforward territory - but skip that for now). The defence against remote reading is the encryption, which ensures that reading without direct access to the passport itself is at least difficult, requiring a brute force attack.

If you can get access to the data either via brute force or by surreptitiously copying the printed data, then you have the data necessary to clone the chip, but in order to clone the passport you still need to forge the document itself, and the fake bearer would need to have some resemblance to the real one, because you can't readily change the picture in the chip. You can argue the relative cost-benefits of such a procedure for criminals until the cows come home, but from the villain's perspective it surely makes a lot more sense to temporarily borrow/wheedle a passport from a mark than to lurk around airports with caseloads of concealed electronic snooping gear. And even if/when this kind of copying starts to happen the security of the passport will still be better than it was previously.

But the security of the individual identity is a different matter. ICAO specifically cautions against the widespread use of biometric passports as general ID documents, and envisages their being used for border control purposes, i.e. as passports. ICAO also specifically pitches the biometric passport standards as a defence of the integrity of the document, and not as proof of the identity of the bearer. We've pointed this out before, it's very important, and it's tragic how practically nobody in government grasps why.

FIDIS' warning last week puts it fairly well. The information you can pick up from a passport alone doesn't consist of great secrets and does not in itself provide a particularly handy route for stealing the bearer's identity, money etc. It does get you some way towards forging passports, but for full-on identity theft you need more context - home address, credit card numbers, that kind of stuff. Hotels, travel agents, ticketing desks, banks and postal services are just some examples of organisations which do have ready access to this wider data context. And it's worth noting that increased demand for use of strong ID (usually at the behest of the government) means that opportunities for passport-related identity theft are proliferating.

Why, the Identity & Passport Service is even pouring its own petrol on the blaze, in the shape of its identity verification service, the point here being that the UK government thinks it can make money out of making the passport, and subsequently the ID card with the National Identity Register, a ubiquitous proof of identity. Which is precisely what ICAO, and FIDIS say not to do. The more of your life that depends on the ID card, then the more value the information that can be taken from the card has for criminals. Go figure. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.