Feeds

IPS explains plan to make copied biometric passports useful

Not deliberately or as such, of course...

High performance access to file storage

The Home Office has repeatedly disputed claims that the new biometric passport has been 'cracked', and spokespeople have argued that in any event, none of the exploits so far reported has compromised security. Last week, however, Identity & Passport Service executive director Bernard Herdan inadvertently revealed that the UK was planning to implement a border control system that could make entry on a copied biometric passport easier.

This is most certainly not what Herdan thought he was saying to last Thursday's session of the Commons Public Administration Committee, and not what the Committee will have thought it heard, but bear with us and we'll explain. So far it's been demonstrated that the data on the passport chip can be surreptitiously read and the security cracked, allowing a copy of the chip to be made. It has not as yet been shown that the security protecting the integrity of this data can be cracked, so you can currently produce a copy of an individual's passport data, but you can't change the data in order to cover a new individual. So because the chip data remains tied to a particular individual, IPS argues that the exploit has no value. In addition, in order to create a duplicate biometric passport you would obviously need to copy the passport book as well as the chip.

There is however a potential value to a copied chip, just a copied chip, if the authorities are prepared to cooperate a little. Lukas Grunwald outlined circumstances where this might be the case when he demonstrated chip-cloning at Black Hat, and page two of our report explains how it could work. An individual could carry a passport book that would be likely to pass a human checker, but that mightn't clear automated systems, or might even be certain to set them off. But if that individual was also carrying a copied chip, then they would be able to pass automated barriers where no humans were around to observe the chip being palmed, or to match chip data with passport book data and the individual's appearance.

Cue Bernard Hardan, then. Herdan was supposed to be talking to the Committee about something else entirely ("Responsive Public Services") but was engaged by one of the MPs on the subject of diabolically long immigration queues at Heathrow Terminal 4. This is of course a job for the Immigration & Nationality Directorate and not IPS, but rather than point this out Herdan jumped into the hole and started digging. "The solution is not to stop looking at passports," said Herdan, allowing the next hundred or so to pass through uninspected. This "used to happen in the past," he confirmed, but didn't happen any more. Seasoned travellers will be aware that this happened regularly in the past, but it's nice to have someone from the machinery confirming it, and effectively explaining that the system just isn't capable of dealing with all incoming passports without vast snarl-ups being created.

Herdan then added that "more data is being checked behind each person", by which one presumes he means the checks are more stringent and detailed, and that "the new type of passport" has added to the checking delays - because, one again presumes, the chip data is being matched against the individual and the book data by the immigration officer.

Obviously the bottom line at the moment is that more stringent checking, the use of the new passport technology and a commitment to 100 per cent inspection mean that there aren't anywhere near enough staff on border control duty. So hire more staff? Don't be silly.

The delays can be tackled, Herdan told the Committee, via "automated clearance, so that people with the right documents would be able to go through a channel which reads the document automatically and matches them to it."

The size of the security hole this opens up depends to some extent on how determined the Government is not to relax current checks, and how desperate it will become to deal with the length of the queues. Actually matching the individual to the document will with the current generation of passport require more efficient facial recognition software than currently exists, and although the matching problem may become a little easier when passports carry fingerprints, that won't be for some years, will apply mainly to EU passport holders, and unattended readers may well be vulnerable to spoofing.

In The Register's considered opinion, the Government doesn't have time to wait until an effective automated matching system exists and can be deployed, and will implement automated channels in advance of this happening. The intended effect will be to route the kinds of documentation that are less likely to be a problem but more likely to be carried by regular, outrage-prone travellers (including MPs) through the automated channel, while leaving border control to concentrate its efforts on the tired, poor and huddled masses yearning to breathe free. But as the automated channel will simply be checking the existence of a chip, not matching at all, the well-informed huddled mass will be able to furnish itself with a cloned EU chip and trot through the blue lane, as it were. ®

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Singapore decides 'three strikes' laws are too intrusive
When even a prurient island nation thinks an idea is dodgy it has problems
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.