IPS explains plan to make copied biometric passports useful

Not deliberately or as such, of course...

The Home Office has repeatedly disputed claims that the new biometric passport has been 'cracked', and spokespeople have argued that in any event, none of the exploits so far reported has compromised security. Last week, however, Identity & Passport Service executive director Bernard Herdan inadvertently revealed that the UK was planning to implement a border control system that could make entry on a copied biometric passport easier.

This is most certainly not what Herdan thought he was saying to last Thursday's session of the Commons Public Administration Committee, and not what the Committee will have thought it heard, but bear with us and we'll explain. So far it's been demonstrated that the data on the passport chip can be surreptitiously read and the security cracked, allowing a copy of the chip to be made. It has not as yet been shown that the security protecting the integrity of this data can be cracked, so you can currently produce a copy of an individual's passport data, but you can't change the data in order to cover a new individual. So because the chip data remains tied to a particular individual, IPS argues that the exploit has no value. In addition, in order to create a duplicate biometric passport you would obviously need to copy the passport book as well as the chip.

There is however a potential value to a copied chip, just a copied chip, if the authorities are prepared to cooperate a little. Lukas Grunwald outlined circumstances where this might be the case when he demonstrated chip-cloning at Black Hat, and page two of our report explains how it could work. An individual could carry a passport book that would be likely to pass a human checker, but that mightn't clear automated systems, or might even be certain to set them off. But if that individual was also carrying a copied chip, then they would be able to pass automated barriers where no humans were around to observe the chip being palmed, or to match chip data with passport book data and the individual's appearance.

Cue Bernard Herdan, then. Herdan was supposed to be talking to the Committee about something else entirely ("Responsive Public Services") but was engaged by one of the MPs on the subject of diabolically long immigration queues at Heathrow Terminal 4. This is of course a job for the Immigration & Nationality Directorate and not IPS, but rather than point this out Herdan jumped into the hole and started digging. "The solution is not to stop looking at passports," said Herdan, allowing the next hundred or so to pass through uninspected. This "used to happen in the past," he confirmed, but didn't happen any more. Seasoned travellers will be aware that this happened regularly in the past, but it's nice to have someone from the machinery confirming it, and effectively explaining that the system just isn't capable of dealing with all incoming passports without vast snarl-ups being created.

Herdan then added that "more data is being checked behind each person", by which one presumes he means the checks are more stringent and detailed, and that "the new type of passport" has added to the checking delays - because, one again presumes, the chip data is being matched against the individual and the book data by the immigration officer.

Obviously the bottom line at the moment is that more stringent checking, the use of the new passport technology and a commitment to 100 per cent inspection mean that there aren't anywhere near enough staff on border control duty. So hire more staff? Don't be silly.

The delays can be tackled, Herdan told the Committee, via "automated clearance, so that people with the right documents would be able to go through a channel which reads the document automatically and matches them to it."

The size of the security hole this opens up depends to some extent on how determined the Government is not to relax current checks, and how desperate it will become to deal with the length of the queues. Actually matching the individual to the document will with the current generation of passport require more efficient facial recognition software than currently exists, and although the matching problem may become a little easier when passports carry fingerprints, that won't be for some years, will apply mainly to EU passport holders, and unattended readers may well be vulnerable to spoofing.

In The Register's considered opinion, the Government doesn't have time to wait until an effective automated matching system exists and can be deployed, and will implement automated channels in advance of this happening. The intended effect will be to route the kinds of documentation that are less likely to be a problem but more likely to be carried by regular, outrage-prone travellers (including MPs) through the automated channel, while leaving border control to concentrate its efforts on the tired, poor and huddled masses yearning to breathe free. But as the automated channel will simply be checking the existence of a chip, not matching at all, the well-informed huddled mass will be able to furnish itself with a cloned EU chip and trot through the blue lane, as it were. ®
