Shock, horror, outrage - biometric passport data snooped, again

Insecurity as a design feature...

The biometric passport has been 'cracked' again - but it's the same crack as the old crack (which is not exactly a crack). This time it's the new UK passport, and Liberal Home Affairs spokesman Nick Clegg is calling for the urgent recall of all the 3 million that have already been issued.

No2ID national coordinator Phil Booth, whose digitised image gazes out from the centre of the print edition of the Guardian screamer on the subject, is staggered.

"This is simply not supposed to happen," Phil tells us. But, erm, Phil, you know better than that, don't you? This is exactly what's supposed to happen, the point at issue being whether or not it's a good and sensible idea for what's supposed to happen to happen.

The exploit described by the Guardian's investigation to all intents and purposes repeats previous demonstrations at Black Hat and the University of Nijmegen, and relies on what the defenders of biometric passports, specifically the Home Office and the Identity & Passport Service in this case, pitch as a design feature rather than a flaw. The basic principle set down by ICAO is that the digitised information in a passport should be readable in the same way as the printed information in earlier generations of passports, the logic here being that you traditionally hand over your passport at border control and somebody looks at it.

That, UK passport holders may have noted, doesn't happen as much as it used to these days, many of the people previously employed to look at it being far too busy scouring the countryside for illegal immigrants. Follow this notion through to the digital age however, as the ICAO standards do, and you get the principle that a passport handed over is voluntarily offered for reading, therefore whoever's got it is allowed to read it, and therefore proof that it has been offered counts as permission to read the digitised data.

The data communication between the passport chip and the reader is encrypted, but the key is printed in the passport. Thus, the machine reads the key, passes it to the chip, and the data comes over and is displayed on the screen in front of the immigration officer, if, that is, the reader has a screen, which need not necessarily be the case.

The key itself is held in the passport's machine readable strip, and in the case of the UK passport this key consists of (in this order) passport number, holder's date of birth, and passport expiry date. There is no specific need for the key to be produced in this way, and it could be argued that the system would be slightly more secure if it were randomly generated, but this wouldn't provide massively better protection against brute force remote attacks on random subjects, and there doesn't seem to be a particularly strong argument for recalling all passports already issued and replacing them with ones with less predictable keys. ICAO standards also require that it is possible for the key to be entered manually, so whatever it is, it needs to be readable by mere mortals.
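As an added illustration (not part of the original article), this is the ICAO 9303 Basic Access Control key derivation a border reader performs: it turns exactly the three machine-readable fields named above, each with its check digit, into a seed and then the two 3DES keys used to talk to the chip. The sample input is the specification's own published worked example, not a real passport, and the function names are this example's own.

```python
import hashlib

def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit over one MRZ field: weights 7,3,1 repeat,
    digits count as themselves, A-Z as 10-35 and the filler '<' as 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """The BAC key input: document number (9 chars, '<' padded), date of
    birth and expiry date, each followed by its own check digit."""
    doc = doc_number.ljust(9, "<")
    return "".join(f + mrz_check_digit(f) for f in (doc, birth_yymmdd, expiry_yymmdd))

def adjust_parity(key_half: bytes) -> bytes:
    """Force odd parity on every byte, as DES key bytes require."""
    out = bytearray()
    for b in key_half:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)

def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> dict:
    """Derive K_seed, K_enc and K_mac from the printed MRZ data: the whole
    key material is a deterministic function of what is in the passport."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    keys = {"mrz_information": info, "k_seed": k_seed}
    for name, counter in (("k_enc", 1), ("k_mac", 2)):
        h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        keys[name] = adjust_parity(h[:8]) + adjust_parity(h[8:16])
    return keys

if __name__ == "__main__":
    # Constructed input: the worked example from ICAO 9303 Part 11, not a real document.
    for name, value in bac_keys("L898902C<", "690806", "940623").items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```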

The Guardian exploit simply took the key from the printed/machine readable data of three passports, and read them. This is not new, not clever, not a blockbuster cover feature for today's G2 supplement. Oh wait, it seems to be anyway...

Demonstrations of this sort should however be seen as an awful warning, and to understand why this is, we need to consider the Home Office's and ICAO's arguments in defence of this level of security, and the recommendations about the use of the technology from ICAO itself, and more recently from FIDIS. The defence is that the information in a passport is fairly limited, and is freely available - it's printed in the passport, so by definition cannot be particularly secret (ICAO doesn't regard fingerprints as 'public' in the same way as face, so inclusion of fingerprint biometrics will take us into more dangerous and less straightforward territory - but skip that for now). The defence against remote reading is the encryption, which ensures that reading without direct access to the passport itself is at least difficult, requiring a brute force attack.

If you can get access to the data either via brute force or by surreptitiously copying the printed data, then you have the data necessary to clone the chip, but in order to clone the passport you still need to forge the document itself, and the fake bearer would need to have some resemblance to the real one, because you can't readily change the picture in the chip. You can argue the relative cost-benefits of such a procedure for criminals until the cows come home, but from the villain's perspective it surely makes a lot more sense to temporarily borrow/wheedle a passport from a mark than to lurk around airports with caseloads of concealed electronic snooping gear. And even if/when this kind of copying starts to happen the security of the passport will still be better than it was previously.

But the security of the individual identity is a different matter. ICAO specifically cautions against the widespread use of biometric passports as general ID documents, and envisages their being used for border control purposes, i.e. as passports. ICAO also specifically pitches the biometric passport standards as a defence of the integrity of the document, and not as proof of the identity of the bearer. We've pointed this out before, it's very important, and it's tragic how practically nobody in government grasps why.

FIDIS' warning last week puts it fairly well. The information you can pick up from a passport alone doesn't consist of great secrets and does not in itself provide a particularly handy route for stealing the bearer's identity, money etc. It does get you some way towards forging passports, but for full-on identity theft you need more context - home address, credit card numbers, that kind of stuff. Hotels, travel agents, ticketing desks, banks and postal services are just some examples of organisations which do have ready access to this wider data context. And it's worth noting that increased demand for use of strong ID (usually at the behest of the government) means that opportunities for passport-related identity theft are proliferating.

Why, the Identity & Passport Service is even pouring its own petrol on the blaze, in the shape of its identity verification service, the point here being that the UK government thinks it can make money out of making the passport, and subsequently the ID card with the National Identity Register, a ubiquitous proof of identity. Which is precisely what ICAO, and FIDIS say not to do. The more of your life that depends on the ID card, then the more value the information that can be taken from the card has for criminals. Go figure. ®
