Feeds

IPS explains plan to make copied biometric passports useful

Not deliberately or as such, of course...

Combat fraud and increase customer satisfaction

The Home Office has repeatedly disputed claims that the new biometric passport has been 'cracked', and spokespeople have argued that in any event, none of the exploits so far reported has compromised security. Last week, however, Identity & Passport Service executive director Bernard Herdan inadvertently revealed that the UK was planning to implement a border control system that could make entry on a copied biometric passport easier.

This is most certainly not what Herdan thought he was saying to last Thursday's session of the Commons Public Administration Committee, and not what the Committee will have thought it heard, but bear with us and we'll explain. So far it's been demonstrated that the data on the passport chip can be surreptitiously read and the security cracked, allowing a copy of the chip to be made. It has not as yet been shown that the security protecting the integrity of this data can be cracked, so you can currently produce a copy of an individual's passport data, but you can't change the data in order to cover a new individual. So because the chip data remains tied to a particular individual, IPS argues that the exploit has no value. In addition, in order to create a duplicate biometric passport you would obviously need to copy the passport book as well as the chip.

There is however a potential value to a copied chip, just a copied chip, if the authorities are prepared to cooperate a little. Lukas Grunwald outlined circumstances where this might be the case when he demonstrated chip-cloning at Black Hat, and page two of our report explains how it could work. An individual could carry a passport book that would be likely to pass a human checker, but that mightn't clear automated systems, or might even be certain to set them off. But if that individual was also carrying a copied chip, then they would be able to pass automated barriers where no humans were around to observe the chip being palmed, or to match chip data with passport book data and the individual's appearance.

Cue Bernard Hardan, then. Herdan was supposed to be talking to the Committee about something else entirely ("Responsive Public Services") but was engaged by one of the MPs on the subject of diabolically long immigration queues at Heathrow Terminal 4. This is of course a job for the Immigration & Nationality Directorate and not IPS, but rather than point this out Herdan jumped into the hole and started digging. "The solution is not to stop looking at passports," said Herdan, allowing the next hundred or so to pass through uninspected. This "used to happen in the past," he confirmed, but didn't happen any more. Seasoned travellers will be aware that this happened regularly in the past, but it's nice to have someone from the machinery confirming it, and effectively explaining that the system just isn't capable of dealing with all incoming passports without vast snarl-ups being created.

Herdan then added that "more data is being checked behind each person", by which one presumes he means the checks are more stringent and detailed, and that "the new type of passport" has added to the checking delays - because, one again presumes, the chip data is being matched against the individual and the book data by the immigration officer.

Obviously the bottom line at the moment is that more stringent checking, the use of the new passport technology and a commitment to 100 per cent inspection mean that there aren't anywhere near enough staff on border control duty. So hire more staff? Don't be silly.

The delays can be tackled, Herdan told the Committee, via "automated clearance, so that people with the right documents would be able to go through a channel which reads the document automatically and matches them to it."

The size of the security hole this opens up depends to some extent on how determined the Government is not to relax current checks, and how desperate it will become to deal with the length of the queues. Actually matching the individual to the document will with the current generation of passport require more efficient facial recognition software than currently exists, and although the matching problem may become a little easier when passports carry fingerprints, that won't be for some years, will apply mainly to EU passport holders, and unattended readers may well be vulnerable to spoofing.

In The Register's considered opinion, the Government doesn't have time to wait until an effective automated matching system exists and can be deployed, and will implement automated channels in advance of this happening. The intended effect will be to route the kinds of documentation that are less likely to be a problem but more likely to be carried by regular, outrage-prone travellers (including MPs) through the automated channel, while leaving border control to concentrate its efforts on the tired, poor and huddled masses yearning to breathe free. But as the automated channel will simply be checking the existence of a chip, not matching at all, the well-informed huddled mass will be able to furnish itself with a cloned EU chip and trot through the blue lane, as it were. ®

Top three mobile application threats

More from The Register

next story
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
APPLE FAILS to ditch class action suit over ebook PRICE-FIX fiasco
Do not pass go, do cough (up to) $840m in damages
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.