New Biometric Passports Cracked


posted on Aug, 6 2006 @ 07:48 PM
Britain and other countries have been putting biometric information on passports for security. After investing 415 million pounds the UK may now have a system that is not secure. Speaking at the security conference in Las Vegas a consultant said he has found a way to clone the information on the passport. The information found on the passports is fingerprints, facial scans, and iris patterns. This will also cast doubt on a national ID card which was supposed to contain the same information.
 



politics.guardian.co.uk
Hi-tech biometric passports used by Britain and other countries have been hacked by a computer expert, throwing into doubt fundamental parts of the UK's £415m scheme to load passports with information such as fingerprints, facial scans and iris patterns.
Speaking at the Defcon security conference in Las Vegas, Lukas Grunwald, a consultant with a German security company, said he had discovered a method for cloning the information stored in the new passports. Data can be transferred onto blank chips, which could then be implanted in fake passports, a flaw which he said undermined the project.




Please visit the link provided for the complete story.


The article does point out that the person who found the way to copy the information is a consultant for a security company. So it is his job to find ways to crack security devices. But more to the point it says that he found a way to copy the information. What good would it be to copy someone else's biometric information? It seems to me what you need to be able to do is forge another country's passport and put the correct biometric information on it for the agent infiltrating the country.

Related News Links:
www.mercurynews.com
www.itwire.com.au
www.businessweek.com

Related AboveTopSecret.com Discussion Threads:
My Biometric Passport
Biometrics Beyond Terrorism
US Electronic Passport now issued....Bio-data included! Other countries to follow



posted on Aug, 6 2006 @ 08:26 PM
Considering that they decided not to implement the hardware encryption that the passport hardware includes, this isn't so surprising.

The most commonly used e-passport chips have outstanding hardware encryption and tamper proofing.

Of course, if you don't use it, it doesn't do a lot for you.

As I understand it, the consortium decided that the implementation of strong encryption between countries was too difficult to coordinate, so they didn't bother.



posted on Aug, 7 2006 @ 09:37 PM
Tom,
Not using the encryption would make it easier to copy the info.
Presently I do expect the use of the biometric passports and other ID systems will continue to grow. So at some point I do expect the encryption will happen.



posted on Aug, 7 2006 @ 10:30 PM
Yeah, it just seems sloppy to me.

I do think they have an encrypted hash that keeps you from modifying it, say mixing a new photo with old information. So you can copy it, but I don't think you can modify it easily.

That at least means that they're not easily faked, you can look at the photo on the passport data and if it doesn't match the holder, you know it's a copy.

But still, the passport should be unreadable without a lot of trouble, and the hardware supports that.
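The copy-versus-modify distinction made in the post above, as an added example that is not part of the original thread. It assumes a signed list of hashes over the chip's data groups; the HMAC is a standard-library stand-in for the issuer's real signature, and all names and sample values are constructed.

```python
import copy, hashlib, hmac

# Constructed stand-in for the issuer's signing key. A real scheme would use an
# asymmetric signature; HMAC keeps this sketch standard-library only.
ISSUER_KEY = b"constructed-issuer-key"

def _manifest(hashes):
    return "|".join(f"{n}={h}" for n, h in sorted(hashes.items())).encode()

def issue_chip(groups):
    """Build chip contents: data groups, their hashes, and a signature over the hashes."""
    hashes = {n: hashlib.sha256(b).hexdigest() for n, b in groups.items()}
    sig = hmac.new(ISSUER_KEY, _manifest(hashes), hashlib.sha256).hexdigest()
    return {"groups": dict(groups), "hashes": hashes, "sig": sig}

def integrity_ok(chip):
    """True if the signed hash list is genuine and every data group matches it."""
    expected = hmac.new(ISSUER_KEY, _manifest(chip["hashes"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, chip["sig"]):
        return False
    if set(chip["groups"]) != set(chip["hashes"]):
        return False
    return all(hashlib.sha256(chip["groups"][n]).hexdigest() == h
               for n, h in chip["hashes"].items())

def inspect(chip, live_face):
    """Border check: integrity first, then compare the chip photo with the holder."""
    if not integrity_ok(chip):
        return "reject: data modified"
    if chip["groups"].get("photo") != live_face:  # stand-in for a face comparison
        return "reject: photo does not match holder"
    return "accept"

# Constructed sample data
HOLDER_FACE, OTHER_FACE = b"face-template-A", b"face-template-B"
genuine = issue_chip({"personal": b"DOE<<JANE 1970-01-01", "photo": HOLDER_FACE})
clone = copy.deepcopy(genuine)               # bit-for-bit copy of the chip contents
swapped = copy.deepcopy(genuine)
swapped["groups"]["photo"] = OTHER_FACE      # new photo mixed with old information
rehashed = copy.deepcopy(swapped)            # hash list updated too, signature is not
rehashed["hashes"]["photo"] = hashlib.sha256(OTHER_FACE).hexdigest()

if __name__ == "__main__":
    for name, chip in [("clone", clone), ("swapped", swapped), ("rehashed", rehashed)]:
        print(name, integrity_ok(chip), inspect(chip, OTHER_FACE))
```

The clone passes the integrity check because nothing in it changed, so the only thing that stops it is the comparison between the stored photo and the person presenting the document.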



posted on Aug, 8 2006 @ 05:00 AM
You can only read the chip if a legitimate scanner is reading it at the same time and you will have to be relatively close. For example in an airport or hotel lobby where passports are checked.



posted on Aug, 8 2006 @ 05:13 AM
The only encoded data at the moment is the image and personal data such as date of birth etc. The fingerprints and iris recognition are not included yet although it is possible to generate the biometric data required for detailed image recognition from the photograph.

Mine arrived at the weekend.



posted on Aug, 8 2006 @ 11:45 AM

Originally posted by northwolf
You can only read the chip if a legitimate scanner is reading it at the same time and you will have to be relatively close. For example in an airport or hotel lobby where passports are checked.


That depends on whether or not the e-passport sw uses keys to start comm sequences; they may have turned that off too for all I know. Building an ISO14443 reader is not that hard, I've got a couple laying around here I tinkered up for other projects. If all they need to start swapping data is "ATR" then it would be pretty easy to copy. Even 'smart cards' typically require some sort of key exchange, though.

I guess I'm going to have to go dig up the spec and see what it is that they're doing. The ones we designed were pretty paranoid. The fact that this guy was able to get the data tells me the designers of this bletcherous kludge were not.

It's not particularly easy to "read the chip" while it's being scanned, it's using load variance signaling, not a radio broadcast. You'd have to be in the near field to see it, and to get the data on one read you'd have to be close enough to get the SNR down. Maybe no more than a few inches away.



posted on Aug, 8 2006 @ 01:12 PM
Some Finnish "specialist" said something about max 2m, and the start keys should be in action at least with Finnish version... so a 3m buffer zone around customs booths should be enough...



posted on Aug, 8 2006 @ 01:21 PM

Originally posted by northwolf
Some Finnish "specialist" said something about max 2m, and the start keys should be in action at least with Finnish version... so a 3m buffer zone around customs booths should be enough...


Really?

How do people clone credit cards? They pay off the waiter in the restaurant.
Security guards can be paid off just as easily and then all of a sudden, the ability to place that recorder is a lot easier.



posted on Aug, 8 2006 @ 01:40 PM

Originally posted by northwolf
Some Finnish "specialist" said something about max 2m, and the start keys should be in action at least with Finnish version... so a 3m buffer zone around customs booths should be enough...


That's probably not far from wrong. You couldn't interrogate from 2M, but if you had it in an interrogator that was real close, you might be able to snipe the return signal out of the noise up to 4 or 5 feet away. You'd have to be pretty good.

It's not possible to receive any return from the passport in the far field, so you would have to be closer than 3.5M at best case. Even then, there's diddley for signal until you're at about half that. So, yeah, within about 2M you're in the "knee" where the signal starts being high enough to read.

You know, we solved something sort of analogous to this by having the encryption keys stored in a main server. The readers had to use other keys to get the encrypted data from the tag but didn't inherently know how to unscramble it.

The reader sent encrypted reader bonafides to the server, along with encrypted tag bonafides (which the reader couldn't interpret either), the reader operator's biometrics (a pair of fingerprints and a day code) and a GPS address of the reader. If everything looked ok, and the operator and locale was valid, then the server would return the private half of a session key that unlocked the data from the tag. It happened a lot faster than it sounds. But fake readers, fake tags, bogus operators, no one reporting the reader theft, faking GPS coordinates, it would have been really really tough to get the unencrypted data. You could have intercepted it until you turned blue but you wouldn't have gotten the data, just jumble.

At the end of the session, the server would send the public half of the next random key to the tag. The tag never had the same encryption keys for more than one session so even if you caught the key during the read it wouldn't have done you any good.
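A simplified model of the server-held, per-session key scheme described in the post above, as an added example that is not the poster's design or code. It assumes a symmetric key in place of the public/private halves, a plain lookup in place of the encrypted credentials, biometrics and GPS checks, and a toy keystream cipher; all names and values are constructed.

```python
import hashlib, hmac, secrets

def xor_stream(key, data):
    """Toy cipher for illustration only: XOR with an HMAC-SHA256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class Tag:
    """Holds only ciphertext; it cannot hand out plaintext to any reader."""
    def __init__(self, tag_id, blob):
        self.tag_id, self.blob = tag_id, blob

class KeyServer:
    def __init__(self, readers):
        self.readers = readers   # reader_id -> (operator, site) it is registered to
        self.tag_keys = {}       # tag_id -> current one-session key

    def enroll(self, tag_id, plaintext):
        key = secrets.token_bytes(32)
        self.tag_keys[tag_id] = key
        return Tag(tag_id, xor_stream(key, plaintext))

    def release_key(self, reader_id, operator, site, tag_id):
        """Release the session key only if reader, operator and location all match."""
        if self.readers.get(reader_id) != (operator, site):
            return None
        return self.tag_keys.get(tag_id)

    def end_session(self, tag):
        """Re-key the tag so the key just released is useless for the next read."""
        old, new = self.tag_keys[tag.tag_id], secrets.token_bytes(32)
        tag.blob = xor_stream(new, xor_stream(old, tag.blob))
        self.tag_keys[tag.tag_id] = new

def read_tag(server, tag, reader_id, operator, site):
    """One read session: ask the server for the key, decrypt, then rotate."""
    key = server.release_key(reader_id, operator, site, tag.tag_id)
    if key is None:
        return None
    data = xor_stream(key, tag.blob)
    server.end_session(tag)
    return data

if __name__ == "__main__":
    srv = KeyServer({"reader-1": ("op-7", "site-A")})       # constructed registration
    t = srv.enroll("tag-1", b"constructed holder record")
    print(read_tag(srv, t, "reader-1", "op-7", "site-B"))   # reader at the wrong site
    print(read_tag(srv, t, "reader-1", "op-7", "site-A"))   # registered reader
```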



posted on Aug, 8 2006 @ 03:33 PM
When will people ever learn.....


"Time, the universe and god are infinite and therefore perfect, given infinite time humans will never create anything perfect!"


No man will ever create anything that another man can't duplicate and yet god created everyone with a different fingerprint and different blood vessels in their retina along with many other things.... As a race humans think they have the intelligence and yet they have none....



posted on Aug, 8 2006 @ 04:14 PM
That's why the door to my SCIF doesn't say "impenetrable barrier". It has a list of estimated times to withstand different entry techniques from safecracking to shaped charges. All it has to do is hold long enough for the cavalry to show up.

The art of engineering is the art of "good enough". There is never "perfection", and to design for it is an act of insanity.

You could eventually decrypt even a good enough key. It might take longer than the remaining life of the universe, but you could do it.

But if it takes you so long to get the passport info that the user is dead, that's good enough.

The current system is definitely NOT good enough, although the hardware seems to be.

When you start turning 'good enough' off in order to make your administrative duties easier, that's where you start running into trouble.



