Slashdot Mirror
Another Setback for Biometric Passports
trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."
The biggest setback to biometric security is that few companies post the actual numbers concerning their precision and recall.
Before I ever buy into a biometric security device, I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.
Their sites should have a slider that goes between zero and one with the resulting number. That way, I would know how many times out of a hundred my guards are going to let Bin Laden Jr. through my security check points. But I also want to know how many times my guards are going to throw Grandma-down-the-street against the hood of a car and arrest her for being a dead hijacker from an infamous attack. Implementers of biometric security just don't seem to grasp the concept that a false positive can be a problem just like a true negative. Every white paper I've read on this issue makes certain that they include these figures at the end of their paper.
Because if you hit the production line, these numbers are all that matter to your consumer.
My work here is dung.
Data security scheme is cracked as soon as examples become available - whoda thought it?
Haven't these people been watching the travails of the DRM industry? What kind of ignorance (or arrogance) leads someone to think they can build a portable data repository that won't get cracked?
Sheesh, evil *and* a jerk. -- Jade
Eventually, folks will realize, that no matter how hard you try, you will never be completely safe: even if you become a shut-in. We just have to accept that life is terminal and it has inherit risks. Without those risks, life would be waaayy to fucking boring - for me anyway!
*Tinfoil hat on*
Since biometric passports failed, are they gonna request us to get chipped? after all, it is for our own good.
The "crack" involved reading the chip wirelessly.
FYI: *ALL* passports are biometric, unless yours for some reason doesn't have a photograph and a description.
eh and then shortly after we all get chipped someone walks by us with a small handheld device and changes our identity. Now we are some wanted bank robber.
but on the plus side depending on where they put the chips the tinfoil hats might work.
30% Troll, 50% Underrated, 10% Interesting
Score:5, Troll
Although others are right saying it can never be completely secure, in the case of "e-passports", it's because of stupid design.
In order to be able to read the card, the reader needs to know some information in the "Machine readable zone", the two lines of letters/numbers and signs below the first page of the passport
Because there is quite a bit of entropy in the information in the machine readable zone, it could be made reasonably secure -- but the disigners decided _only_ to use the holder's birthdate, passport expiry date and passport number. As the holder's birthdate can be guessed to some degree (to about 1000 days), and the passport number and expiry date are linked (I presume), that leaves rather few possibilities to be tested.
Stupid designers. They should have added a few (say 20) free chars in the Machine readable zone, to ensure guessing becomes impossible
(posting anonymously as I don't want my empolyer to become angry)
I think you missed the point.
The point is not that people who crack it can make fake cards (which they *can*, but anyways...), it is that people can read the info off my "secure" biometric ID card from a relativly long distance and use it to steal my identity, for any reason whatsoever.
I mean, 10m? Some guy could set up a listening post outside my office and read it all through the wall at 10m. The capacity for identity theft is very alarming.
an attack can be executed from around 10 meters and the security broken... in around two hours.
But is it that someone would have to be within 10 feet of you for 2 hours to break it, or is it 10 feet to get the data and 2 hours at any distance to break it at leisure?
In either case, you might want to shield your passport at the movie theater.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
It's not only for our own good, but it's cool! After all, if you're going to get something new going, it has to be appealing in as many ways as possible.
"It is a miracle that curiosity survives formal education." -Albert Einstein
What do you think those measles and smallpox "vaccinations" were when you were a kid?
No private information should be made available over RFID. If that information has to be transmitted or broadcasted in any way, it should be from a patchable computer system that can change to reflect up-to-date security fixes. Otherwise, as soon as the encryption scheme is cracked, you could just walk down the halls of an airport for 10 minutes and record thousands of IDs.
Everything gets cracked. In this day and age even "security" is "security through obscurity". RFID is a fantastic technology but it shouldn't be a transmission vector for information of value. That's like visiting a bank in China and yelling your PIN in German, hoping nobody will understand. RFID should only be used for asset tracking, broadcasting otherwise useless data like serial numbers.
Why do we need RFID for passports anyway? Is it so hard to swipe a card? I wager it's just to give citizens the illusion of privacy while they are scanned from afar. I hope the decision to incorporate RFID - for passports, clothing, or anything people carry - will be debated profusely by governments before being adopted. I think many countries' constitutions are in conflict with technologies of such invasive potential.
So normally when your password is compromised, you change it and try and be more careful next time. What happens when it is possible to duplicate a rubber finger from a fingerprint - done in films, but is it possible now? I don't know. You can't change your fingerprint, so do you just leave it as it is and let whoever it is keep their access?
Maybe the chip could be stored in a crystal that glows with a different colour depending on your age. And when you reach 30 it could blink. Hey, mine's blinking now. Wait...who are you? Stop, don't shoot! It's a mistake! Really, I'm only 29!
Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
rather old news in fact ...
r s_defeat_fingerprint_sensors/
http://www.theregister.co.uk/2002/05/16/gummi_bea
According to one of the followup articles, The attacker must first be within 10 meters of the passport while it is in active use. This means standing fairly close to the customs counter. The attacker intercepts the communications, then can take that information offline and brute force the key. YMMV on the distance estimate since it is a radio intercept.
One would hope that a person sitting in the waiting area with a laptop connected to a pringles can that is aimed at the customs desk would draw some sort of attention, but with what is passing for security these days...
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
As the link to the good stuff is hidden in dutch text here it is:p er(EN)
https://events.ccc.de/congress/2005/wiki/RFID-Zap
If an experiment works, something has gone wrong.
Whether it's Labour or Conservatives who win the next election, these are going to get dropped. It's a really half-baked idea, and the evidence is mounting that they will be expensive, inaccurate and fail to deal with terrorism.
If Blair had any ability at getting things done, he would get it implemented and it would be his poll tax.
One thing that should be made clear: this eavesdropping at 10 meters distance, while troubling, is only while the passport is being read at an official station. Passports in people's pockets or desks cannot be read at this distance. It's only when you are displaying the passport and having the chip read by an authorized reader that an eavesdropper with proper equipment can listen in on the data exchange and then decrypt it as described in the article.
What makes you think they're going to request it? :-/
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
If only that were true. I suspect the National Identity Register will die a well-deserved death when Blair goes. However, the basic idea of biometric passports has been carefully woven into all sorts of international agreements. Now every government can just say "Well, you'll need biometrics or nowhere else will respect your passport" as a convenient excuse for not defending the ability of their citizens to move freely and legitimately across national borders without such measures.
If some combination of the US and the larger European nations turned round and set "we won't issue them" tomorrow, the whole scheme would die by the day after tomorrow. But it won't happen until we get rid of the current political mindset in (among other places) the US, the UK, Germany and Australia. That requires a fundamental regime change -- not just getting rid of Blair, but getting rid of the entire New Labour club, and anyone from any other political party who has sympathies with them.
Fortunately, opinion seems to be turning overwhelmingly against all these draconian measures: hardly a day has gone by in the past fortnight without a major defeat in the Lords for some "anti-terror" or ID-related proposal by the New Labour government, or some report reminding everyone that they wouldn't have helped prevent the 7 July bombings, Spain had them when Madrid was bombed, the US was already collecting more information than it could understand before 11 September, etc. I suspect this means that any other parties will be coming down against the ID card proposals even if they'd really like them; David Cameron is certainly establishing his party as pretty clearly anti-ID-card under his leadership.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Where you able to get the gold booty after infiltrating the Pirates of the Caribbean?
Seems from your story that the biometrics did their portion of securing the ride, but since you weren't after industry secrets or trying to access an airplane, no one gave two good fucks about you getting ahead of a family of four.
I really hate Dan Patrick.
(How long will people continue to believe the official version of events?)
(Also: Where are the pentagon plane parts, the two 5-ton titaniam jet engines which cannot vaporize in a fire because burning jet fuel is what they are designed to do? Where'd they go? Why are there no pictures? Why did the FBI only release five frames of video, none of which show what actually hit? Why are no photographs available despite the press being on site? Why was a CNN correspondent on site at the time saying he saw nothing looking like a plane? Why did CNN stop airing that?)
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com