The Inquirer-Home

Guardian hacks new UK passports

48 hours, so much for security
Fri Nov 17 2006, 13:24
UK TABLOID-SIZED rag, the Grauniad has hacked the UK's new ultra-secure passports in just 48 hours.

Already three million UK citizens have been issued with the new ultra-secure passports, which incorporate microchips to store the holder's details and biometrics.

The passports were created using standards set by the International Civil Aviation Organisation (ICAO) in 2003 and the outfit's website has kindly published all the specifications of the passports.

Using Adam Laurie from security outfit Bunker Secure Hosting, the Guardian got its paws on one of the new biometric chipped passports with the idea of seeing if he could hack it.

Laurie visited the ICAO site and discovered that the chip was not encrypted but to get to it you had to start up an encrypted conversation between the reader and the RFID chip in the passport. To do that all you need is the numbers which are printed on the passport. Then it took Laurie 48 hours to write some code to make some sense of the data.

Laurie said that although the Home Office adopted 3DES, which is a military-level data-encryption standard times three, to stop conversations between the passport and the reader being eavesdropped, it used non-secret information to build the secret key.

The newspaper reckons that it is a doddle to make a perfect clone of a passport.

The Home Office cheerfully points out that you are getting the same data out of the chip that you can read in the passport anyway and you also need to have gotten your paws on the real McCoy to get the details to unlock the key.

It reasons that a biometric image is fairly useless to a counterfeiter who would have to create the new passport with the new security features. It would be easier just to nick the passport. However other security boffins point out that, if you can read the chip, you can also clone it. µ

L'INQ
The Guardian
