
IPS explains plan to make copied biometric passports useful

Not deliberately or as such, of course...


The Home Office has repeatedly disputed claims that the new biometric passport has been 'cracked', and spokespeople have argued that in any event, none of the exploits so far reported has compromised security. Last week, however, Identity & Passport Service executive director Bernard Herdan inadvertently revealed that the UK was planning to implement a border control system that could make entry on a copied biometric passport easier.

This is most certainly not what Herdan thought he was saying to last Thursday's session of the Commons Public Administration Committee, and not what the Committee will have thought it heard, but bear with us and we'll explain. So far it's been demonstrated that the data on the passport chip can be surreptitiously read and the security cracked, allowing a copy of the chip to be made. It has not as yet been shown that the security protecting the integrity of this data can be cracked, so you can currently produce a copy of an individual's passport data, but you can't change the data in order to cover a new individual. So because the chip data remains tied to a particular individual, IPS argues that the exploit has no value. In addition, in order to create a duplicate biometric passport you would obviously need to copy the passport book as well as the chip.

There is however a potential value to a copied chip, just a copied chip, if the authorities are prepared to cooperate a little. Lukas Grunwald outlined circumstances where this might be the case when he demonstrated chip-cloning at Black Hat, and page two of our report explains how it could work. An individual could carry a passport book that would be likely to pass a human checker, but that mightn't clear automated systems, or might even be certain to set them off. But if that individual was also carrying a copied chip, then they would be able to pass automated barriers where no humans were around to observe the chip being palmed, or to match chip data with passport book data and the individual's appearance.

Cue Bernard Herdan, then. Herdan was supposed to be talking to the Committee about something else entirely ("Responsive Public Services") but was engaged by one of the MPs on the subject of diabolically long immigration queues at Heathrow Terminal 4. This is of course a job for the Immigration & Nationality Directorate and not IPS, but rather than point this out Herdan jumped into the hole and started digging. "The solution is not to stop looking at passports," said Herdan, allowing the next hundred or so to pass through uninspected. This "used to happen in the past," he confirmed, but didn't happen any more. Seasoned travellers will be aware that this happened regularly in the past, but it's nice to have someone from the machinery confirming it, and effectively explaining that the system just isn't capable of dealing with all incoming passports without vast snarl-ups being created.

Herdan then added that "more data is being checked behind each person", by which one presumes he means the checks are more stringent and detailed, and that "the new type of passport" has added to the checking delays - because, one again presumes, the chip data is being matched against the individual and the book data by the immigration officer.

Obviously the bottom line at the moment is that more stringent checking, the use of the new passport technology and a commitment to 100 per cent inspection mean that there aren't anywhere near enough staff on border control duty. So hire more staff? Don't be silly.

The delays can be tackled, Herdan told the Committee, via "automated clearance, so that people with the right documents would be able to go through a channel which reads the document automatically and matches them to it."

The size of the security hole this opens up depends to some extent on how determined the Government is not to relax current checks, and how desperate it will become to deal with the length of the queues. Actually matching the individual to the document will with the current generation of passport require more efficient facial recognition software than currently exists, and although the matching problem may become a little easier when passports carry fingerprints, that won't be for some years, will apply mainly to EU passport holders, and unattended readers may well be vulnerable to spoofing.

In The Register's considered opinion, the Government doesn't have time to wait until an effective automated matching system exists and can be deployed, and will implement automated channels in advance of this happening. The intended effect will be to route the kinds of documentation that are less likely to be a problem but more likely to be carried by regular, outrage-prone travellers (including MPs) through the automated channel, while leaving border control to concentrate its efforts on the tired, poor and huddled masses yearning to breathe free. But as the automated channel will simply be checking the existence of a chip, not matching at all, the well-informed huddled mass will be able to furnish itself with a cloned EU chip and trot through the blue lane, as it were. ®
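
The distinction the article draws between copying chip data and altering it, and what that means for an unattended gate, as an added example (not from the original article or any real border system): a byte-for-byte copy keeps a valid integrity tag, so only a gate that also ties the chip to the book and the holder rejects it. HMAC stands in for the issuer's signature so the block runs on the standard library; the policy names, key and sample data are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key. HMAC is a stand-in for the issuer's signature over the
# chip data, used here only so the example needs no third-party library.
ISSUER_KEY = b"constructed-demo-issuer-key"


@dataclass(frozen=True)
class Chip:
    data: bytes  # holder details stored on the chip
    tag: bytes   # issuer's integrity tag over data


def issue(data: bytes) -> Chip:
    return Chip(data, hmac.new(ISSUER_KEY, data, hashlib.sha256).digest())


def integrity_ok(chip: Chip) -> bool:
    expected = hmac.new(ISSUER_KEY, chip.data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, chip.tag)


def gate_decision(chip, book_data, holder_matches, policy):
    """Return (admit, reason) under a hypothetical gate policy.

    "chip_only": admit on any chip whose data is intact.
    "bound":     also require chip data == book data and a holder match.
    """
    if chip is None:
        return False, "no chip"
    if not integrity_ok(chip):
        return False, "chip data altered"
    if policy == "chip_only":
        return True, "intact chip presented"
    if chip.data != book_data:
        return False, "chip does not match passport book"
    if not holder_matches:
        return False, "holder does not match chip data"
    return True, "chip, book and holder agree"


# Constructed sample data.
genuine = issue(b"name=A. Traveller;doc=CONSTRUCTED-001")
clone = Chip(genuine.data, genuine.tag)  # byte-for-byte copy of the chip
altered = Chip(b"name=B. Other;doc=CONSTRUCTED-001", genuine.tag)
other_book = b"name=B. Other;doc=CONSTRUCTED-002"
```

The integrity check alone cannot tell `clone` from `genuine`; the rejection under the `"bound"` policy comes entirely from the comparison against the book and the holder.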
