[LINK] RFID Passports again

Kim Holburn kim at holburn.net
Sat Nov 18 12:52:52 AEDT 2006


Interesting discussion of the security of RFID passports.  Further to  
our recent discussions.  It does seem that they are readable from a  
much greater distance than is said to be officially possible.  Also  
brings up the fact that while the digital data can't currently be  
altered, it may not need to be to make fake passports as neither  
humans nor machines can match the photo and the human all that well!!!

http://www.guardian.co.uk/idcards/story/0,,1950226,00.html
> Cracked it!
>
> Three million Britons have been issued with the new hi-tech  
> passport, designed to frustrate terrorists and fraudsters. So why  
> did Steve Boggan and a friendly computer expert find it so easy to  
> break the security codes?
>
> Friday November 17, 2006
>
> Six months ago, with the help of a rather scary computer expert, I  
> deconstructed the life of an airline passenger simply by using  
> information garnered from a boarding-pass stub he had thrown into a  
> dustbin on the Heathrow Express. By using his British Airways  
> frequent-flyer number and buying a ticket in his name on the  
> airline's website, we were able to access his personal data,  
> passport number, date of birth and nationality. Based on this  
> information, using publicly available databases, we found out where  
> he lived, his profession, all his academic qualifications and even  
> how much his house was worth.


> Fatally, however, the ICAO suggested that the key needed to access  
> the data on the chips should be comprised of, in the following  
> order, the passport number, the holder's date of birth and the  
> passport expiry date, all of which are contained on the printed  
> page of the passport on a "machine readable zone." When an  
> immigration official swipes the passport through a reader, this  
> feeds in the key, which allows a microchip reader to communicate  
> with the RFID chip. The data this contains, including the holder's  
> picture, is then displayed on the official's screen. The assumption  
> at this stage is that this document is as authentic as it is  
> super-secure. And, as we shall see later, this could be highly significant.

> "The Home Office has adopted a very high encryption technology  
> called 3DES - that is, to a military-level data-encryption standard  
> times three. So they are using strong cryptography to prevent  
> conversations between the passport and the reader being  
> eavesdropped, but they are then breaking one of the fundamental  
> principles of encryption by using non-secret information actually  
> published in the passport to create a 'secret key'. That is the  
> equivalent of installing a solid steel front door to your house and  
> then putting the key under the mat."

> Within minutes of applying the three passports to the reader, the  
> information from all of them has been copied and the holders'  
> images appear on the screen of Laurie's laptop. The passports  
> belong to Booth, and to Laurie's son, Max, and my partner, who have  
> all given their permission.
>
> Booth is staggered. He has undercut Laurie by finding an RFID  
> reader for £174, which also works. "This is simply not supposed to  
> happen," Booth says. "This could provide a bonanza for  
> counterfeiters because drawing the information from the chip,  
> complete with the digital signature it contains, could result in a  
> passport being passed off as the real article. You could make a  
> perfect clone of the passport."
>
> But could you - and what use would my passport be to you? A  
> security feature of the chip ensures that information cannot be  
> added or altered, so you couldn't put your picture on my chip. So  
> is our attack really so impressive?
>
> The Home Office thinks not. It correctly points out that the  
> information sucked out of the chip is only the same as that which  
> appears on the page, readable with the human eye. And to obtain the  
> key in the first place, you would need to have access to the  
> passport to read (with the naked eye) its number, expiry date and  
> the date of birth of its holder.
>
> "This doesn't matter," says a Home Office spokesman. "By the time  
> you have accessed the information on the chip, you have already  
> seen it on the passport. What use would my biometric image be to  
> you? And even if you had the information, you would still have to  
> counterfeit the new passport - and it has lots of new security  
> features. If you were a criminal, you might as well just steal a  
> passport."

> "If you can read the chip, then you can clone it," he says. "You  
> could use this to clone a passport that would exploit the system to  
> illegally enter another country." (We did not clone any of our  
> passport chips on the assumption that to do so would be illegal.)
>
> Grunwald adds: "The problems could get worse when they put  
> fingerprint biometrics on to the passports. There are established  
> ways of making forged fingerprints. In the future, the authorities  
> would like to have automated border controls, and such forged  
> fingerprints [stuck on to fingers] would probably fool them."
>
> But what about facial recognition systems (your biometric passport  
> contains precise measurements of key points on your face and head)?  
> "Yes," says Grunwald, "but they are not yet in operation at  
> airports and the technology throws up between 20 and 25% false  
> negatives or false positives. It isn't reliable."
>
> Neither is the human eye, according to research conducted by a team  
> of psychologists from the University of Westminster in 1996.  
> Remember, information - such as a new picture - cannot be added to  
> a cloned chip, so anyone using it to make a counterfeit passport  
> would have to use one that bore a reasonable resemblance to  
> themselves.
>
> But during Westminster University's study, which examined whether  
> putting people's images on credit cards might reduce fraud,  
> supermarket staff drafted in for tests had great difficulty  
> matching faces to pictures. The conclusion was that pictures would  
> not improve security and they were never introduced on credit  
> cards. This means that each time you hand over your passport at,  
> say, a hotel reception or car-rental office abroad to be  
> "photocopied", it could be cloned with equipment like ours. This  
> could have been done with an old passport, but since the new  
> biometric passports are supposed to be secure they are more likely  
> to be accepted without question at borders.


> What about the technical difficulties? The government claims the  
> new biometric passport chips can be read over a distance of just  
> 2cm, but researchers all over the world claim to have read them  
> from further. The physics governing those in British passports says  
> they could be read over a metre, but no one has yet done that. A  
> Dutch team claims to have contacted chips at 30cm.
>
> Laurie has, however, rigged up a piece of equipment that can  
> connect to a passport over 7.5cm. That isn't as far as the Dutch  
> 30cm, but it is enough if your target subject is sitting next to  
> you on the London Underground or crushed up against you on the  
> Gatwick Airport monorail, his pocketed passport next to the reader  
> you have hidden in a bag.
>
> It takes around four seconds to suck out the information with a  
> reader; then it can be relayed and unscrambled by an accomplice  
> with a laptop up to 1km away. With a Heath Robinson device we built  
> on Tuesday using a Bluetooth antenna connected to an RFID reader,  
> Laurie relayed details of his son's passport over a distance of 10  
> metres and through two walls to a laptop.

> "There isn't even a defence against the brute-force attack. In much  
> the same way as you are only allowed three attempts to feed in your  
> PIN number at an ATM, the passport chip could have been made to  
> stop allowing repeated incorrect attempts to contact it. As things  
> stand, a computer can keep trying until it gets the numbers right.  
> To say this doesn't matter displays a cavalier lack of concern."


--
Kim Holburn
IT Network & Security Consultant
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
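
The key construction that the quoted article describes (passport number, date of birth, expiry date) and its remark about brute force, as an added example that is not part of the original post or the article. The SHA-1 derivation and check digits follow ICAO Doc 9303 Basic Access Control, which the article does not spell out; the field values are the specimen ones from that document's worked example, and the ranges passed to `keyspace_bits` are assumptions.

```python
import hashlib
import math

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1 repeating; '<' = 0, A-Z = 10-35."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Key material in the order the article gives: number, birth date, expiry."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + check_digit(f) for f in fields)

def _odd_parity(key: bytes) -> bytes:
    # Each DES key byte carries a parity bit in its least significant position.
    return bytes((b & 0xFE) | ((bin(b >> 1).count("1") + 1) % 2) for b in key)

def derive_keys(mrz_info: str) -> dict:
    """Everything here is a function of printed data; no secret enters."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter: int) -> bytes:
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])

    return {"seed": k_seed, "enc": kdf(1), "mac": kdf(2)}

def keyspace_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Upper bound on key entropy when all three fields are unknown."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)

if __name__ == "__main__":
    # Specimen MRZ fields (not a real document).
    info = mrz_information("L898902C", "690806", "940623")
    keys = derive_keys(info)
    print(info, keys["enc"].hex().upper(), keys["mac"].hex().upper())
    # Assumed ranges: 10^9 numeric document numbers, 100 years of birth
    # dates, 10 years of expiry dates.
    print(round(keyspace_bits(10**9, 36525, 3652), 1), "bits at most")
```

Under those assumed ranges the bound is about 57 bits, against the nominal 112 bits of the two-key 3DES key it feeds, and every field that is known or sequential lowers it further.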





