John Lattrice reports on the Daily Mail’s investigation into the ability to clone the new UK biometric passport. A major security gap allows a would-be identity thief to obtain an individual’s personal information without even opening the envelope the passport is delivered in.
“The Mail exploit draws on previous work by security consultant Adam Laurie and others, and puts together vulnerabilities in the chip technology, and in the chip security and logistics systems used by the Identity & Passport Service.”
Lattrice goes on to state that:
“The data in the chip is essentially a digital version of what is printed inside the passport itself. The printed data can be read if the passport is presented and opened, and the chip’s security system attempts to duplicate this process. The chip data can be read wirelessly, but it is encrypted, with the key printed inside the passport. So in theory, although the chip can be read without the passport (or indeed the delivery envelope) being opened, the data is meaningless without the key.”
“But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder’s date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder’s date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label.”
This report highlights the major technology gaps that must be addressed before any nation should issue these passports to its citizens. The ease with which Adam Laurie managed this, using only parts that can be purchased on the Internet or at a local electronics store, underscores why so many individuals view this form of passport technology as a danger to the well-being of individuals throughout the world.
As a security consultant, I believe that more research and development is needed before using this technology to store personal information. You can read Lattrice’s report by clicking on the link provided below:
How to clone a biometric passport while it’s still in the bag
As the article suggests, the universe of data that need to be tested to determine a passport key of known type similar to what’s described here is tiny by modern standards. Any person who is likely to be alive and traveling will have been born within the past 40,000 days, and any passport issued with a 10-year expiration date will have been issued within about the past 3650 days, give or take, so there are really only about 150,000,000 combinations of the two. The passport number sounds like it is probably within a fairly finite universe of maybe about a billion or so possibilities (I’m just pulling that number out of my ear). The number of combinations you would have to test for the key would be the product of those two numbers.
Now that sounds like a lot of possibilities, and in fact it is, but there are brute-force cracks in the wild for other encryption systems that have a similar level of complexity. I’m willing to bet that a determined cloner with sufficient computer programming skill could retrieve the information from a cloned passport over a weekend with sufficient resources for the task. It might take a cluster of computers working in tandem, but that’s nothing these days, especially for someone determined enough.
I still don’t see why they don’t use some sort of optical technology coupled with a grocery-store style scanner to do what this is trying to accomplish. At least that way someone who wants to clone a passport would have to have the passport in their possession rather than just sniffing it from a distance.
Omir,
Thanks for the expansion of the article. I know it is not a hot topic at this time, but it is the type of thing that will hit us when we least expect it.
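The keyspace estimate in the comment above, and the quoted article's point that the envelope gives away most of the key, can be put side by side as entropy in bits. This is an added example, not part of the original post or the article; the counts in the envelope scenario (birth date known, expiry date within a week, four passport-number digits unknown) are assumptions chosen for illustration.

```python
import math

def field_bits(fields):
    """Entropy each field contributes, in bits, if all candidates are equally likely."""
    return {name: math.log2(count) for name, count in fields.items()}

def keyspace(fields):
    """Total candidate keys: the product of the per-field candidate counts."""
    return math.prod(fields.values())

def rate_to_exhaust(fields, seconds):
    """Guesses per second needed to try every candidate within `seconds`."""
    return keyspace(fields) / seconds

# Counts taken from the comment: possible birth days, possible issue days,
# and the commenter's guess at the number of passport numbers.
NO_KNOWLEDGE = {"birth_date": 40_000, "expiry_date": 3_650, "passport_number": 10**9}

# Envelope scenario from the quoted article. These counts are assumptions:
# birth date already identified (1), expiry date within a week of delivery (7),
# four digits of the passport number still unknown (10**4).
ENVELOPE = {"birth_date": 1, "expiry_date": 7, "passport_number": 10**4}

WEEKEND = 48 * 3600  # seconds in the "over a weekend" window from the comment

def report():
    """One row per scenario: label, keyspace size, total bits, guesses/s for a weekend."""
    rows = []
    for label, fields in (("no prior knowledge", NO_KNOWLEDGE),
                          ("envelope in hand", ENVELOPE)):
        bits = sum(field_bits(fields).values())
        rows.append((label, keyspace(fields), bits, rate_to_exhaust(fields, WEEKEND)))
    return rows

if __name__ == "__main__":
    for label, total, bits, rate in report():
        print(f"{label:20s} {total:.3e} keys  {bits:5.1f} bits  {rate:.3e} guesses/s")
    # Reference point: a key with a randomly generated 128-bit component
    # keeps 128 bits no matter what is printed on the address label.
    print(f"{'random 128-bit key':20s} {2**128:.3e} keys  128.0 bits")
```

Each field that can be read or inferred from outside the document removes its bits from the total, which is why a key built only from printed, predictable fields cannot be strengthened by making the cipher itself stronger.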