Shock, horror, outrage - biometric passport data snooped, again
Insecurity as a design feature...
The biometric passport has been 'cracked' again - but it's the same crack as the old crack (which is not exactly a crack). This time it's the new UK passport, and Liberal Home Affairs spokesman Nick Clegg is calling for the urgent recall of all the 3 million that have already been issued.
No2ID national coordinator Phil Booth, whose digitised image gazes out from the centre of the print edition of the Guardian screamer on the subject, is staggered.
"This is simply not supposed to happen," Phil tells us. But, erm, Phil, you know better than that, don't you? This is exactly what's supposed to happen, the point at issue being whether or not it's a good and sensible idea for what's supposed to happen to happen.
The exploit described by the Guardian's investigation to all intents and purposes repeats previous demonstrations at Black Hat and the University of Nijmegen, and relies on what the defenders of biometric passports, specifically the Home Office and the Identity & Passport Service in this case, pitch as a design feature rather than a flaw. The basic principle set down by ICAO is that the digitised information in a passport should be readable in the same way as the printed information in earlier generations of passports, the logic here being that you traditionally hand over your passport at border control and somebody looks at it.
That, UK passport holders may have noted, doesn't happen as much as it used to these days, many of the people previously employed to look at it being far too busy scouring the countryside for illegal immigrants. Follow this notion through to the digital age however, as the ICAO standards do, and you get the principle that a passport handed over is voluntarily offered for reading, therefore whoever's got it is allowed to read it, and therefore proof that it has been offered counts as permission to read the digitised data.
The data communication between the passport chip and the reader is encrypted, but the key is printed in the passport. Thus, the machine reads the key, passes it to the chip, and the data comes over and is displayed on the screen in front of the immigration officer, if that is the reader has a screen, which need not necessarily be the case.
The key itself is held in the passport's machine readable strip, and in the case of the UK passport this key consists of (in this order) passport number, holder's date of birth, and passport expiry date. There is no specific need for the key to be produced in this way, and it could be argued that the system would be slightly more secure if it were randomly generated, but this wouldn't provide massively better protection against brute force remote attacks on random subjects, and there doesn't seem a particularly strong argument for recalling all passports already issued and replacing them with ones with less predictable keys. ICAO standards also require that it is possible for the key to be entered manually, so whatever it is, it needs to be readable by mere mortals.
The Guardian exploit simply took the key from the printed/machine readable data of three passports, and read them. This is not new, not clever, not a blockbuster cover feature for today's G2 supplement. Oh wait, it seems to be anyway...
Demonstrations of this sort should however be seen as an awful warning, and to understand why this is, we need to consider the Home Office's and ICAO's arguments in defence of this level of security, and the recommendations about the use of the technology from ICAO itself, and more recently from FIDIS. The defence is that the information in a passport is fairly limited, and is freely available - it's printed in the passport, so by definition cannot be particularly secret (ICAO doesn't regard fingerprints as 'public' in the same way as face, so inclusion of fingerprint biometrics will take us into more dangerous and less straightforward territory - but skip that for now). The defence against remote reading is the encryption, which ensures that reading without direct access to the passport itself is at least difficult, requiring a brute force attack.
If you can get access to the data either via brute force or by surreptitiously copying the printed data, then you have the data necessary to clone the chip, but in order to clone the passport you still need to forge the document itself, and the fake bearer would need to have some resemblance to the real one, because you can't readily change the picture in the chip. You can argue the relative cost-benefits of such a procedure for criminals until the cows come home, but from the villain's perspective it surely makes a lot more sense to temporarily borrow/wheedle a passport from a mark than to lurk around airports with caseloads of concealed electronic snooping gear. And even if/when this kind of copying starts to happen the security of the passport will still be better than it was previously.
But the security of the individual identity is a different matter. ICAO specifically cautions against the widespread use of biometric passports as general ID documents, and envisages their being used for border control purposes, i.e. as passports. ICAO also specifically pitches the biometric passport standards as a defence of the integrity of the document, and not as proof of the identity of the bearer. We've pointed this out before, it's very important, and it's tragic how practically nobody in government grasps why.
FIDIS' warning last week puts it fairly well. The information you can pick up from a passport alone doesn't consist of great secrets and does not in itself provide a particularly handy route for stealing the bearer's identity, money etc. It does get you some way towards forging passports, but for full-on identity theft you need more context - home address, credit card numbers, that kind of stuff. Hotels, travel agents, ticketing desks, banks and postal services are just some examples of organisations which do have ready access to this wider data context. And it's worth noting that increased demand for use of strong ID (usually at the behest of the government) means that opportunities for passport-related identity theft are proliferating.
Why, the Identity & Passport Service is even pouring its own petrol on the blaze, in the shape of its identity verification service, the point here being that the UK government thinks it can make money out of making the passport, and subsequently the ID card with the National Identity Register, a ubiquitous proof of identity. Which is precisely what ICAO, and FIDIS say not to do. The more of your life that depends on the ID card, then the more value the information that can be taken from the card has for criminals. Go figure. ®
Sponsored: Becoming a Pragmatic Security Leader