Guardian Unlimited: Cracked it!
From: David Farber <dave () farber net>
Date: Fri, 17 Nov 2006 05:19:13 -0500
Begin forwarded message:
From: bobr () bobrosenberg phoenix az us
Date: November 17, 2006 1:57:17 AM EST
To: dave () farber net
Subject: Guardian Unlimited: Cracked it!
Anybody on IP wanna buy a Passport -- or a new identity?
P.O. Box 33023
Phoenix, AZ 85067-3023
bob () bobrosenberg phoenix az us
Three million Britons have been issued with the new hi-tech passport,
frustrate terrorists and fraudsters. So why did Steve Boggan and a
expert find it so easy to break the security codes?
Friday November 17, 2006
Six months ago, with the help of a rather scary computer expert, I
life of an airline passenger simply by using information garnered from a
boarding-pass stub he had thrown into a dustbin on the Heathrow
Express. By using
his British Airways frequent-flyer number and buying a ticket in his
name on the
airline's website, we were able to access his personal data, passport
of birth and nationality. Based on this information, using publicly
databases, we found out where he lived, his profession, all his academic
qualifications and even how much his house was worth.
It would have been only a short hop to stealing his identity,
committing fraud in
his name and generally ruining his life.
Great news then, we thought, that the UK had just begun to issue new,
passports, incorporating tiny microchips to store the holder's
details and a digital
description of their physical features (known in the jargon as
the argument went, would make identity theft much more difficult and
pave the way
for the government's proposed ID cards in 2008 or 2009.
Today, some three million such passports have been issued, and they
don't look so
secure. I am sitting with my scary computer man and we have just
sucked out all the
supposedly secure data and biometric information from three new
displayed it all on a laptop computer.
The UK Identity and Passport Service website says the new documents
are protected by
"an advanced digital encryption technique". So how come we have the
What could criminals or terrorists do with it? And what could it mean
passports and the ID cards that are meant to follow?
First it is necessary to explain why the new passports were
introduced, and how they
work. After the 9/11 attack on the World Trade Centre, in which fake
used, the US decided it wanted foreign citizens who presented
themselves at its
borders to have more secure "machine-readable" identity documents. It
countries that participated in a visa waiver programme that citizens
issued after the 26th of last month must have micro-chipped biometric
would have to apply for a US visa. Among those 27 countries are the
members, and other friendly nations ranging from Andorra and Iceland
Japan and Brunei. The UK, of course, is also included.
Standards for the new passports were set by the International Civil
Organisation (ICAO) in 2003 and adopted by the waiver countries and
the US. The ICAO
recommended that passports should contain facial biometrics, though
introduce fingerprints at a later date. All these would be stored on
Frequency Identification (RFID) microchip, which can be accessed from
distance using radio waves. Similar chips are commonly found in
retail, where they
are used for stock control.
Fatally, however, the ICAO suggested that the key needed to access
the data on the
chips should be comprised of, in the following order, the passport
holder's date of birth and the passport expiry date, all of which are
the printed page of the passport on a "machine readable zone." When
official swipes the passport through a reader, this feeds in the key,
which allows a
microchip reader to communicate with the RFID chip. The data this
including the holder's picture, is then displayed on the official's
assumption at this stage is that this document is as authentic as it is
super-secure. And, as we shall see later, this could be highly
Once the passports began to be issued in the UK in March, we began
foundations for examining them. Phil Booth, national coordinator of
group NO2ID, suggested to his members that they apply for a new
passport. Anyone who
gets one before ID cards are rolled out will not have to register for
a card until
their passports expire in 10 years' time, and this appealed to Booth.
At the same time, Adam Laurie, my computer expert and technical
director of the
Bunker Secure Hosting, a Kent-based computer security company, and I
plans to examine the new passports. Laurie is actually not a scary
individual - he
is regarded in the industry as a technical wizard who cares about
privacy and civil
rights - but much of the electronic information he uncovers is. Two
years ago, he
revealed that Bluetooth mobile phones could be accessed remotely,
drained of their
contact details, diary entries and pictures, and manipulated to act
devices. The cellphone industry spent millions of pounds plugging the
By last month, Booth, Laurie and I each had access to a new biometric
passport and were ready to begin testing them. Laurie's first port of
call was the
ICAO's website, where the organisation had published specifications
for the new
travel documents. This is where he learned that the key to opening up
chip was contained in the passports themselves - passport number,
date of birth and
"I was amazed that they made it so easy," Laurie says. "The
information contained in
the chip is not encrypted, but to access it you have to start up an
conversation between the reader and the RFID chip in the passport.
"The reader - I bought one for £250 - has to say hello to the chip
and tell it that
it is authorised to make contact. The key to that is in the date of
birth, etc. Once
they communicate, the conversation is encrypted, but I wrote some
software in about
48 hours that made sense of it.
"The Home Office has adopted a very high encryption technology called
3DES - that
is, to a military-level data-encryption standard times three. So they
strong cryptography to prevent conversations between the passport and
being eavesdropped, but they are then breaking one of the fundamental
encryption by using non-secret information actually published in the
create a 'secret key'. That is the equivalent of installing a solid
steel front door
to your house and then putting the key under the mat."
Within minutes of applying the three passports to the reader, the
all of them has been copied and the holders' images appear on the
screen of Laurie's
laptop. The passports belong to Booth, and to Laurie's son, Max, and
my partner, who
have all given their permission.
Booth is staggered. He has undercut Laurie by finding an RFID reader
for £174, which
also works. "This is simply not supposed to happen," Booth says.
"This could provide
a bonanza for counterfeiters because drawing the information from the
with the digital signature it contains, could result in a passport
being passed off
as the real article. You could make a perfect clone of the passport."
But could you - and what use would my passport be to you? A security
feature of the
chip ensures that information cannot be added or altered, so you
couldn't put your
picture on my chip. So is our attack really so impressive?
The Home Office thinks not. It correctly points out that the
information sucked out
of the chip is only the same as that which appears on the page,
readable with the
human eye. And to obtain the key in the first place, you would need
to have access
to the passport to read (with the naked eye) its number, expiry date
and the date of
birth of its holder.
"This doesn't matter," says a Home Office spokesman. "By the time you
the information on the chip, you have already seen it on the
passport. What use
would my biometric image be to you? And even if you had the
information, you would
still have to counterfeit the new passport - and it has lots of new
features. If you were a criminal, you might as well just steal a
However, some computer experts believe the Home Office is being
Several months ago, Lukas Grunwald, founder of DN-Systems Enterprise
Germany, conducted a similar attack to ours on a German biometric
succeeded in cloning its RFID chip. He believes unscrupulous
criminals or terrorists
would find this technology very useful.
"If you can read the chip, then you can clone it," he says. "You
could use this to
clone a passport that would exploit the system to illegally enter
(We did not clone any of our passport chips on the assumption that to
do so would be
Grunwald adds: "The problems could get worse when they put
fingerprint biometrics on
to the passports. There are established ways of making forged
fingerprints. In the
future, the authorities would like to have automated border controls,
forged fingerprints [stuck on to fingers] would probably fool them."
But what about facial recognition systems (your biometric passport
measurements of key points on your face and head)? "Yes," says
Grunwald, "but they
are not yet in operation at airports and the technology throws up
between 20 and 25%
false negatives or false positives. It isn't reliable."
Neither is the human eye, according to research conducted by a team
from the University of Westminster in 1996. Remember, information -
such as a new
picture - cannot be added to a cloned chip, so anyone using it to
make a counterfeit
passport would have to use one that bore a reasonable resemblance to
But during Westminster University's study, which examined whether
images on credit cards might reduce fraud, supermarket staff drafted
in for tests
had great difficulty matching faces to pictures. The conclusion was
would not improve security and they were never introduced on credit
means that each time you hand over your passport at, say, a hotel
car-rental office abroad to be "photocopied", it could be cloned with
ours. This could have been done with an old passport, but since the
passports are supposed to be secure they are more likely to be
question at borders.
Given the results of the Westminster study, if a terrorist bore a
to you - and grew a beard, perhaps - he would have a good chance of
a border. Because his chip is cloned, with the necessary digital
because you have not reported your passport stolen - you still have
it! - his
machine-readable travel document will get him wherever he wants to
go, using your
What about the technical difficulties? The government claims the new
passport chips can be read over a distance of just 2cm, but
researchers all over the
world claim to have read them from further. The physics governing
those in British
passports says they could be read over a metre, but no one has yet
done that. A
Dutch team claims to have contacted chips at 30cm.
Laurie has, however, rigged up a piece of equipment that can connect
to a passport
over 7.5cm. That isn't as far as the Dutch 30cm, but it is enough if
subject is sitting next to you on the London Underground or crushed
up against you
on the Gatwick Airport monorail, his pocketed passport next to the
reader you have
hidden in a bag.
It takes around four seconds to suck out the information with a
reader; then it can
be relayed and unscrambled by an accomplice with a laptop up to 1km
away. With a
Heath Robinson device we built on Tuesday using a Bluetooth antenna
connected to an
RFID reader, Laurie relayed details of his son's passport over a
distance of 10
metres and through two walls to a laptop.
Ah, the Home Office will say, but you still need to see the
information in the
passport that will form the key needed for connection. Well, not
Consider this scenario: A postman involved with organised crime knows
he has a
passport to deliver to your home. He already knows your name and
address from the
envelope. He can get your date of birth by several means, including
agencies or from the register of births, marriages and deaths (and,
let's face it,
he delivers all your birthday cards anyway).
He knows the expiry date - 10 years from yesterday, give or take a
day, when the
passport was mailed to you. That leaves the nine-digit passport
number. NO2ID says
reports from its 30,000 members up and down the country are throwing
up a number of
similarities in the first four digits of the passport number, so that
number of permutations, potentially leaving five purely random
numbers to establish.
"If the rogue postman were to take your passport home, without
opening the envelope
he could put it against a reader and begin a 'brute force' attack in
computer tries 12 different permutations every second until it has
the right access
codes," says Laurie. "A five-digit number would take 23 hours to
crack at the most.
Once all those numbers were established, you could communicate with
the RFID chip
and steal all the information. And your passport could be delivered
to you, unopened
and just a day late."
But is this really credible? Would criminals or terrorists really go
lengths? Ross Anderson, professor of security engineering at the
Cambridge computer laboratory, believes they would. "The point is
that once you have
extracted the data from the chip you can have a forged passport that
just forged physical stuff," he says. "You also have the digital bit-
stream so the
digital signature of the passport checks out. That makes it possible
through borders with it.
"What concerns me is that this demonstrates bad design on the part of
Office, and we know that government IT projects have a habit of going
wrong. There is a lack of security in what we can see - so what about
the 90% of the
iceberg in the system that we can't see?
"There isn't even a defence against the brute-force attack. In much
the same way as
you are only allowed three attempts to feed in your PIN number at an
passport chip could have been made to stop allowing repeated
incorrect attempts to
contact it. As things stand, a computer can keep trying until it gets
right. To say this doesn't matter displays a cavalier lack of concern."
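The brute-force arithmetic in Laurie's postman scenario and Anderson's point about a retry limit, as an added Python model that is not from the article: it counts the keys an attacker would still have to try given what is already known about each MRZ field, expresses that as bits for comparison with the 3DES key, and shows how a lockout on the chip bounds the search. The ten plausible four-digit prefixes are my assumption (the text gives no count); the five random digits and 12 guesses per second are the figures quoted in the article.

```python
"""Effective key-space model for a key derived from passport MRZ fields.

Illustrative code added to the article, not the authors' software. It models
the argument that a key built from passport number, date of birth and expiry
date is only as strong as the attacker's uncertainty about those fields.
"""
from dataclasses import dataclass
import math


@dataclass
class MrzUncertainty:
    """How many candidate values an attacker must try for each key field."""
    dob_candidates: int            # 1 if the date of birth is already known
    expiry_candidates: int         # 1 if the issue date pins down the expiry
    number_prefix_candidates: int  # plausible 4-digit prefixes (assumed)
    number_random_digits: int      # passport-number digits left to guess


def key_space(u: MrzUncertainty) -> int:
    """Total number of distinct keys the attacker would have to try."""
    return (u.dob_candidates * u.expiry_candidates
            * u.number_prefix_candidates * 10 ** u.number_random_digits)


def effective_entropy_bits(u: MrzUncertainty) -> float:
    """Key space in bits; the 3DES session key itself is 112 bits."""
    return math.log2(key_space(u))


def worst_case_hours(u: MrzUncertainty, attempts_per_second: float) -> float:
    """Time to exhaust the key space at a given guessing rate, no lockout."""
    return key_space(u) / attempts_per_second / 3600


def success_probability_with_lockout(u: MrzUncertainty, max_attempts: int) -> float:
    """Chance a guesser hits the key before the chip stops answering."""
    return min(1.0, max_attempts / key_space(u))


if __name__ == "__main__":
    # Constructed scenario: DOB and expiry known, ten candidate prefixes
    # (assumption), five random digits, 12 guesses per second.
    postman = MrzUncertainty(1, 1, 10, 5)
    print(f"key space: {key_space(postman):,} "
          f"(~{effective_entropy_bits(postman):.1f} bits)")
    print(f"worst case at 12/s: {worst_case_hours(postman, 12):.1f} hours")
    print(f"with a 3-try lockout: p = "
          f"{success_probability_with_lockout(postman, 3):.1e}")
```

With the figures above the model reproduces the quoted worst case of about 23 hours, and the same search capped at three attempts succeeds with probability 3 in a million.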
The problems we have identified with RFID chips in passports raise
all sorts of
questions about the UK's proposed ID card scheme, which will use the
technology. The government has not said exactly what will be
contained in the ID
card's chip, but there will be a National Identity Register that
around 50 pieces of information about you, ranging from your name,
age, and all your
addresses, to your national insurance number and biometric details.
may need one to access healthcare. It could even replace the passport.
Already, then, criminals and terrorists will have identified just how
ID cards might be. It would be folly to think their best minds are
not on the case.
The Home Office insists that UK passports are secure and among the
best in the
world, but not everyone agrees. Last week, an EU-funded body entitled
the Future of
Identity in the Information Society (Fidis) issued a declaration on
travel documents such as RFID-chipped passports and ID cards. It said
was "poorly conceived" and added: "European governments have
citizens to adopt new ... documents which dramatically decrease their
privacy and increase risk of identity theft."
The government is now facing demands from the Liberal Democrats and
groups for a recall of the passports so that simple devices such as
foil covers can
be installed - at enormous cost. Such covers would at least stop
chips being scanned
remotely, though they wouldn't prevent an unscrupulous hotel
opening the passport and sucking out its contents the way we did.
It may be that at some point in the future the government will accept
RFID chips in to passports is ill-conceived and unnecessary. Until
then, the only
people likely to embrace this kind of technology are those with
mischief in mind.
Guardian Unlimited © Guardian News and Media Limited 2006