Tests chip away at passport security
Uncloneable passports cloned in hours
MICROCHIPPED PASSPORTS designed to have watertight security can actually be cloned in a matter of minutes.
Tests carried out for The Times by Jeroen Van Beek, a security researcher at the University of Amsterdam, exposed flaws in the super-duper microchips designed to stamp-out terrorism and organised crime.
A computer researcher was able to clone the chips on two British passports. They then implanted digital images of Osama bin Laden and a suicide bomber. The tampered chips were then passed as real by passport reader software used by the United Nations agency that sets standards for the e-passports.
Only ten of the 45 countries with e-passports have signed up for a Public Key Directory (PKD) code system, however only five are using it.
Britain and some of the other 45 swap codes manually, however criminals could use fake e-passports from countries that do not share key codes, this would then enable them to go unnoticed through passport control.
Van Beek has apparently developed a method of reading, cloning and altering microchips so that they are accepted as genuine by the standard software used by the International Civil Aviation Organisation, Golden Reader, this process took less than an hour for the two passports.
The Home Office claims contrary to this that “no one has yet been able to demonstrate that they are able to modify, change or alter data within the chip. If any data were to be changed, modified or altered it would be immediately obvious to the electronic reader.”
Van Beek replied that “we’re not claiming that terrorists are able to do this to all passports today or that they will be able to do it tomorrow, but it does raise concerns over security that need to be addressed in a more public and open way.”
These tests flag up several interesting and somewhat alarming points: They undermine claims that 3,000 blank passports stolen last week are useless as they can’t be cloned, they also raise questions on the £4 billion spent by the government on ID cards which use the same technology.
The International Civil Aviation Organisation furthers that, “the PKD ensures that e-passports used at border control points... are genuine and unaltered. In effect it renders the passport fool-proof. However, all states issuing e-passports must join the PKD, otherwise that assurance cannot be given.”
Britain produced e-passports in 2006 after 9/11 demonstrated the danger of fake passports. The US then demanded that other countries adopt biometric passports. Britain won’t be using the system until next year – or perhaps not at all after these findings. µ
L'Inq
The
Times
Going biometric
1999 International Civil Aviation Organisation begins study
into possibility of worldwide use of travel documents carrying biometric data
2002 After 9/11 US announces all passports issued from 2006 and
used to enter the country must contain biometric information or holder will
require a visa
2006 Britain and many EU countries introduce biometric
passports
2008 45 countries have introduced biometric passports. 100
million have been issued globally
Sources: Identity and Passport Service, US Government
Comments
It's not just the terrorists you have to worry about
We need to worry about certain countries (ahem, Iran) getting into the mix and forging this stuff. Then passing it on the individual terrorists (ahem, Hamas) and acting like they had nothing to do with it while their proxy terrorists do their dirty work and desires. This will happen with a nuke one day, mark my words.Dropped
If you drop the numbers 9/11 you might have also mentioned that all those involved in that attack had perfectly legal passport, and would have RFID's in them if they were widespread enough at that time.RFID's are not about anti-terrorism, they are a means of power-hungry selfcentered government idiots to control the common man whom they do not respect.
Security, schmurity...
You know, one might think that the folks responsible for the security of a nation might actually be thankful that a security loophole had been discovered...for free...before it was abused. That way, they can work extra hard to fix it.Instead, they get embarrassed, act stupid and deny there are any problems. Then they can go ahead with it anyway, do nothing about the problem and spend billions when real bad guys decide to take advantage.
Feel safe yet...?
Manifest Predestination
From the rogitstr:"Validation of the [passport holder's unique] signatures on e-passports requires the exchange of PKI certificates between countries' issuing authorities, *OR* the use of ICAO's PKD (Public Key Directory) system. Logically the ICAO PKD system ought to be used to provide a standard level of validation for what is intended to be a glabal [sic], secure document standard. Currently, however, use of the PKD is far from universal, and many countries (the UK included) rely on bilateral exchange of certificates with other countries."
These chips are shown to be re-writable. The biometric collection burden is placed on the country of epassport issue. To do so, should require centralised PKI registration resulting in the holder's global unique key. PKI ledger should be distributed to all ports routinely. Every destination port is both a verification and a collection modifier to both the epassport and any subsequent destination port's manifest. The manifest in itself must be knowable to only the immediately prior port and the destination. So at least some bilateral exchange of certificates for manifests should be required. Any deficiency should be flagged.
Validation, privacy, and confidentiality must be safeguarded for verifications concerning distributed PKI ledgers.
Signatures should be matched via two routes. Only unique signatures should be possible. The encoded media should also carry the encoding machine's expiring/shifting licence certificate identifiers in an undisclosed manner.
All transactions should be recorded with CCTV, etc..
Oh well...
putting a chip into an identity document is another security feature, besides holographic images, guilloche patterns, microprint, etc. etc. - and yes, it makes it easier to collect data electronically (but not more than that).It keeps puzzling me that people keep demanding (or claiming, for that matter) that this chip feature be 100% secure against tampering or falsifying, when none of the other security features has ever been 100% secure. What's the news? It has always been possible to falsify a passport and it always will. Just that with an ePassport, the falsifier needs to manage yet another quite complex technology - IT - in addition to all the other skills.
The chip inside the ePassport costs governments a single-digit number of bucks (or quid, yuan, whatever) - so no one should expect any miracles for that.
Just relax and sit back, all this is really nothing new. Just because the new technology is IT related (which we all believe we know something about) rather than security printing related, the world is not ending.
I have
I have marked your words dear reader, and I weep for a bear of such little brain. As to OP, thank god they are not trying to control the common man who they DO respect, that would be truly awful.Fish n' chips
I wonder whose chip they managed to open?