Another Setback for Biometric Passports
trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."
Fingerprints are about 98% accurate for a single finger, 99.99% accurate for two fingers, and on upwards as you include the rest of the fingers and the palm.
Iris scanning is slightly better than two fingerprints.
Facial scanning claims range from 90% to 99% accuracy. In the 80% range is more likely from what I've seen, but hard data isn't available. With fingerprints and iris scans, a failure is much more likely to be a false negative than a false positive, while facial scanning results in both types of failures about equally.
The "crack" involved reading the chip wirelessly.
FYI: *ALL* passports are biometric, unless yours for some reason doesn't have a photograph and a description.
These things will NEVER be completely secure. Someone will always figure a way to hack them.
That depends on what you mean by "completely secure". In this case, the security design is basically very good, but contains a rather obvious flaw. Fix that flaw (and there are a number of fixes) and the result will be "completely secure", against certain forms of attack, anyway.
The data on the chip is protected by a 3DES key. If you don't know that key, you cannot authenticate to the chip, and the chip will therefore refuse to talk to you. If you do know the key, then you're in. So, someone hit on the simple (and clever) idea of printing the key on the inside of the passport (since all of the data on the chip is also available in printed form on the inside of the passport anyway).
The problem is that they decided that rather than printing a new, random, 112-bit key, they'd just use some data that already existed in the passport, the MRZ. This value consists of your passport number, birthdate and expiration date. That's actually not a whole lot of entropy, especially since passport numbers are pretty predictable, and ages and passport expiration years are pretty easy to guess. The result: the MRZ can be brute-forced, the key guessed and the passport data retrieved.
There are a bunch of obvious solutions:
It's popular on slashdot to say "nothing is ever completely secure", and while that statement is literally true, in fact many things can be and are sufficiently secure within the defined operational parameters.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
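An added example, not code from the post above or from the Dutch passport project: the ICAO 9303 Basic Access Control derivation that the comment describes (SHA-1 over the MRZ fields with their check digits, truncated to a 16-byte seed, then two 3DES keys with odd-parity adjustment), followed by a count of the candidate MRZ space an attacker actually faces and an offline search over a constructed, deliberately small window. The known-answer values are the ICAO 9303 worked example; the candidate ranges are made up for illustration, and the search uses "candidate Kenc equals the real Kenc" as a stand-in for the real test, which is decrypting a captured BAC cryptogram and checking it against the RND.ICC sent in the clear.

```python
import hashlib
import math
from datetime import date, timedelta

# Added example (not the original post's code): ICAO 9303 BAC key derivation
# from the MRZ, plus the size of the key space this leaves an attacker.

def _char_value(c):
    """MRZ character value per ICAO 9303: '<' = 0, digits as-is, A..Z = 10..35."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    return ord(c.upper()) - ord("A") + 10

def check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1 repeating, sum mod 10."""
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return str(total % 10)

def mrz_information(doc_number, dob_yymmdd, expiry_yymmdd):
    """Document number (padded to 9 with '<'), DOB and expiry, each with its check digit."""
    doc = doc_number.ljust(9, "<")
    return (doc + check_digit(doc)
            + dob_yymmdd + check_digit(dob_yymmdd)
            + expiry_yymmdd + check_digit(expiry_yymmdd))

def _odd_parity(block):
    """Set the low bit of every byte so each DES key byte has odd parity."""
    out = bytearray()
    for b in block:
        high7 = b & 0xFE
        out.append(high7 | (0 if bin(high7).count("1") % 2 else 1))
    return bytes(out)

def _derive_key(kseed, counter):
    """3DES key (Ka || Kb) = SHA-1(Kseed || counter)[:16] with parity adjusted."""
    h = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(h[:8]) + _odd_parity(h[8:16])

def bac_keys(mrz_info):
    """Return (Kseed, Kenc, Kmac); Kseed = SHA-1(MRZ_information)[:16], c=1 -> Kenc, c=2 -> Kmac."""
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return kseed, _derive_key(kseed, 1), _derive_key(kseed, 2)

def key_space_bits(doc_numbers, dob_days, expiry_days):
    """Bits of entropy if the document number is one of `doc_numbers` candidates,
    the DOB lies in a window of `dob_days` days and the expiry in a window of
    `expiry_days` days. Compare with the 112 bits of a random two-key 3DES key."""
    return math.log2(doc_numbers * dob_days * expiry_days)

def _yymmdd(d):
    return d.strftime("%y%m%d")

def recover_mrz(observed_kenc, doc_candidates, dob_window, expiry_window):
    """Offline search over the candidate MRZ space. Assumption for this example:
    comparing the derived Kenc with `observed_kenc` stands in for decrypting a
    captured BAC cryptogram and checking the RND.ICC inside it."""
    dob_start, dob_days = dob_window
    exp_start, exp_days = expiry_window
    tried = 0
    for doc in doc_candidates:
        for i in range(dob_days):
            dob = _yymmdd(dob_start + timedelta(days=i))
            for j in range(exp_days):
                exp = _yymmdd(exp_start + timedelta(days=j))
                tried += 1
                info = mrz_information(doc, dob, exp)
                if bac_keys(info)[1] == observed_kenc:
                    return info, tried
    return None, tried

if __name__ == "__main__":
    # ICAO 9303 worked example: document L898902C<, DOB 1969-08-06, expiry 1994-06-23.
    info = mrz_information("L898902C<", "690806", "940623")
    kseed, kenc, kmac = bac_keys(info)
    print(info, kseed.hex(), kenc.hex(), kmac.hex())
    # Constructed guess: 1000 sequential numbers, DOB within 60 years, expiry within 5 years.
    print("effective key bits: %.1f (vs 112)" % key_space_bits(1000, 60 * 365, 5 * 365))
    # Constructed small window around the example passport for the offline search.
    docs = ["L898902%s<" % c for c in "ABCDEFGH"]
    found, tried = recover_mrz(kenc, docs, (date(1969, 7, 20), 30), (date(1994, 6, 20), 10))
    print(found, "after", tried, "candidates")
```

The search loop is the whole attack once the MRZ-derived key is the only secret: each candidate costs three SHA-1 calls, so even tens of millions of candidates are a matter of hours on one machine, which is the figure the summary quotes. A random 112-bit key printed in the passport instead of the MRZ would make the same loop infeasible.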
According to one of the follow-up articles, the attacker must first be within 10 meters of the passport while it is in active use. This means standing fairly close to the customs counter. The attacker intercepts the communications, then can take that information offline and brute force the key. YMMV on the distance estimate since it is a radio intercept.
One would hope that a person sitting in the waiting area with a laptop connected to a pringles can that is aimed at the customs desk would draw some sort of attention, but with what is passing for security these days...
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
As the link to the good stuff is hidden in Dutch text, here it is: paper (EN)
https://events.ccc.de/congress/2005/wiki/RFID-Zap
If an experiment works, something has gone wrong.
Yes, it is possible to duplicate a fingerprint -- story made Slashdot about two years ago.
;-)
Essentially just take a photocopy of a fingerprint, make a mask for a printed circuit board from that, etch to give you a mould, and use gelatin or similar to make a cast. The advantage of gelatin over latex is that you can eat the evidence.
The details can be found in this paper.
They were getting anywhere from 70% to 100% success rate on typical fingerprint scanners, depending on the scanner.
A google search for "fingerprint scanner mould gelatin" (no quotes) turns up a ton of other articles.
-- Alastair
The grandma-slamming type is called 'false positive', the building detonation type is called 'false negative'.
False positives are supposed to happen much more often, because many more regular people are checked than really dangerous people. Let's calculate with some wild guesses: if the identification is 99.99% correct, and you are checking 1 million people, of which 10 are really dangerous, you get 100 false positives and about all of the dangerous ones (the risk of letting one of them slip is only 1:1000). That means only every tenth person you are slamming on the hood of the police car is really a terrorist.
So biometric identification doesn't really need to be that good at perfectly identifying someone. It should be perfected the other way: at really dismissing a person who is not being searched for.
Back to the example numbers: if the system were able to identify a person with 99% certainty, but were also able to avoid misidentifying a person with 99.9999% certainty (as a trade-off we basically allow for only a 1:100 chance to identify a person, but make sure that it doesn't falsely identify one, at 1:1 million), we would have only 1 person falsely slammed on the car hood, but would still be 10:1 sure not to let a suspected terrorist slip.
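An added example, not part of the comment above: the screening arithmetic from that comment, generalized to any population size, base rate, detection rate and false-alarm rate, with the reverse calculation (what false-alarm rate a given precision requires) that the comment argues for. The population and counts are the comment's own wild guesses; the function names are this example's.

```python
# Added example: base-rate arithmetic for a screening system, generalizing the
# comment's two scenarios. Not code from the original thread.

def screening_outcomes(population, dangerous, detect_rate, false_alarm_rate):
    """Expected outcomes of screening `population` people, of whom `dangerous`
    are real targets, with a detector that flags a real target with probability
    `detect_rate` and flags an innocent person with probability `false_alarm_rate`.
    Targets are assumed to be caught or missed independently of each other."""
    innocent = population - dangerous
    true_positives = dangerous * detect_rate
    false_positives = innocent * false_alarm_rate
    flagged = true_positives + false_positives
    return {
        "true_positives": true_positives,
        "false_positives": false_positives,
        # Share of flagged people who are real targets (the "every tenth person" figure).
        "precision": true_positives / flagged if flagged else 0.0,
        # Probability that at least one real target walks through unflagged.
        "p_any_target_slips": 1.0 - detect_rate ** dangerous,
    }

def required_false_alarm_rate(population, dangerous, detect_rate, target_precision):
    """False-alarm rate needed so that `target_precision` of flagged people are
    real targets, i.e. the 'other way round' tuning the comment asks for."""
    innocent = population - dangerous
    true_positives = dangerous * detect_rate
    allowed_false_positives = true_positives * (1.0 / target_precision - 1.0)
    return allowed_false_positives / innocent

if __name__ == "__main__":
    # Scenario 1 from the comment: 99.99% both ways, 1 million screened, 10 dangerous.
    symmetric = screening_outcomes(1_000_000, 10, 0.9999, 0.0001)
    # Scenario 2: 99% detection, 99.9999% specificity (1:1 million false alarms).
    tuned = screening_outcomes(1_000_000, 10, 0.99, 0.000001)
    for name, r in (("symmetric", symmetric), ("tuned", tuned)):
        print("%-9s FP=%.2f TP=%.2f precision=%.3f P(slip)=%.4f"
              % (name, r["false_positives"], r["true_positives"],
                 r["precision"], r["p_any_target_slips"]))
    # What false-alarm rate would make half of the people flagged real targets?
    print("for 50%% precision at 99%% detection: %.2e"
          % required_false_alarm_rate(1_000_000, 10, 0.99, 0.5))
```

The first scenario reproduces the comment's figures (about 100 false positives against 10 true ones, a 1:1000 chance that any target slips); the second shows that dropping the detection rate to 99% while pushing the false-alarm rate to one in a million leaves about one innocent flagged and roughly a 1:10 chance that one of the ten targets slips. The reverse function makes the trade-off explicit: with ten targets in a million, even 50% precision needs a false-alarm rate of about one in a hundred thousand.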
It can't take that much longer to put the edge of the passport against the stop, and press the button, now, can it?
Actually, it can. For two reasons which both basically boil down to a desire to be able to use cheap, off-the-shelf components.
First, positioning the contact plate correctly every time requires that the chip be placed in a fairly rigid medium. Common passports are too soft and when their edges fray or whatever the contact alignment will be off. I suppose this could be addressed either by making part of the passport out of rigid plastic, or else by using different contact plates than standard smart card chips (with larger, and therefore more forgiving, contact regions). But nobody really wants to change passports, and using non-standard contacts would require non-standard readers, which costs more.
The second reason is that contactless smart card communication is much, much faster than contact smart card communication. That's silly from a physical point of view, but it's true nonetheless. Contactless protocols, being newer, run at either 400Kbps or 800Kbps. Contact protocols run at between 9.9Kbps and 115Kbps, with lower values being far more common. Both contactless and contact smart card comm protocols are fairly inefficient, too. There's a lot of interframe and intercharacter overhead, as well as significant packet overhead (especially with encrypted and MACed APDUs, which are a very good idea whether you're doing contact or contactless).
So, contact chips move data as slow as about 700 bytes per second. The fastest ones move it at about 8KBps, and, in practice, it's not common to find cards and readers that can actually do that. The "slow" contactless chips move it at around 34KBps and the fast ones move it at around 70KBps. If you have 30KB of data to retrieve from the card, and you want to keep the line moving at the immigration desk, contactless is obviously much, much better. With contact chips, you can expect 30KB to take 10-15 seconds to transfer. With contactless chips you can get it to under 1s. That doesn't consider the time required to insert the passport into the reader, either. It's not huge, but it's a few seconds per passport, which adds up over the course of a day. It's much faster to flip open the passport and drop it face down on the optical scanner, which allows the system to grab the MRZ and simultaneously puts the chip's antenna in range of the contactless smart card reader.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.