Friday, November 17, 2006

In response to the Guardian's "Cracked It" story

While I'm putting together my list of benefits, I was interrupted by this article in the Guardian.

Cracked it!
- The new hi-tech biometric passport is protected by military-level encryption. We cracked it in just 48 hours.

I wanted to make a quick point clarifying the differences between the way the ID card is intended to work and the RFID passport.

The cloning method suggested in the article for creating a biometric passport is a viable technique. The idea being that you read the data off the passport decrypt it, alter the biometric data to your own and make a new clone of the chip, width someone elses, or for that matter some completely imaginary details.

The ID card would not necessarily be vunerable in the same way.

What all this hinges on is whether there is access to the National ID Register (NIR) where the biometric passport is being scanned. When scanning takes place, a biometric sample is taken (finger print or iris probably). If there is access to NIR, the sample can be checked against the biometrics held on the NIR. If not, the sample will have to be checked against the biometrics held on the passport itself, in this case, a cloned passport would be valid.

The point is that although biometric passports can be forged, it does not necessarily follow that the same will be true for ID cards, provided that in situations where the card is used the check is made against the NIR and not information held on the card itself.

On the other subject covered, that of RFID tags I would suggest that these are a case of technology for technology's sake, it seems like it has left these passports uncessarily exposed. I would hope that they are not used in any potential ID card scheme.

1 comment:

gordon armitage said...

Passports have numbers. It isn't easy - it might even be impossible - to create a fake passport with an unused number.

Criminals use established ways - and I won't give them away here - to get genuine passports in the name of someone else.

The Cracked it! article was just a few thousand words of advertising for a 'security expert' not an analysis of the security features of the new passport.