Another Setback for Biometric Passports
trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."
The "crack" involved reading the chip wirelessly.
FYI: *ALL* passports are biometric, unless yours for some reason doesn't have a photograph and a description.
These things will NEVER be completely secure. Someone will always figure a way to hack them.
That depends on what you mean by "completely secure". In this case, the security design is basically very good, but contains a rather obvious flaw. Fix that flaw (and there are a number of fixes) and the result will be "completely secure", against certain forms of attack, anyway.
The data on the chip is protected by a 3DES key. If you don't know that key, you cannot authenticate to the chip, and the chip will therefore refuse to talk to you. If you do know the key, then you're in. So, someone hit on the simple (and clever) idea of printing the key on the inside of the passport (since all of the data on the chip is also available in printed form on the inside of the passport anyway).
The problem is that they decided that rather than printing a new, random, 112-bit key, they'd just use some data that already existed in the passport, the MRZ. This value consists of your passport number, birthdate and expiration date. That's actually not a whole lot of entropy, especially since passport numbers are pretty predictable, and ages and passport expiration years are pretty easy to guess. The result: the MRZ can be brute-forced, the key guessed and the passport data retrieved.
There are a bunch of obvious solutions:
It's popular on slashdot to say "nothing is ever completely secure", and while that statement is literally true, in fact many things can be and are sufficiently secure within the defined operational parameters.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
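A back-of-the-envelope entropy estimate for the MRZ-derived key, as an added example that is not part of this thread. The nominal field sizes, the sequential numbering block, the age window and the validity period are constructed assumptions for illustration, not figures from the article:

```python
import math

RANDOM_KEY_BITS = 112  # two-key 3DES: the strength a fresh random key would give

# Nominal per-field possibilities if nothing about the holder were known.
# Constructed model: 9 alphanumeric characters for the passport number,
# six free digits for each YYMMDD date.
NOMINAL_FIELDS = {
    "passport_number": 36 ** 9,
    "birth_date": 10 ** 6,
    "expiry_date": 10 ** 6,
}


def key_space(fields):
    """Number of distinct MRZ values, i.e. distinct candidate keys."""
    n = 1
    for size in fields.values():
        n *= size
    return n


def entropy_bits(fields):
    """Effective key entropy in bits: log2 of the candidate count."""
    return math.log2(key_space(fields))


def guessable_fields(number_block, age_window_years, validity_years):
    """Per-field candidates once the structure the comment describes is
    applied: sequential numbering confines the passport number to a block,
    the holder's apparent age to a window of birth dates, and the expiry
    date to the validity period. All three parameters are assumptions."""
    return {
        "passport_number": number_block,
        "birth_date": int(age_window_years * 365.25),
        "expiry_date": int(validity_years * 365.25),
    }


def margin_bits(fields):
    """How far the MRZ-derived key falls short of a random 112-bit key."""
    return RANDOM_KEY_BITS - entropy_bits(fields)


if __name__ == "__main__":
    weak = guessable_fields(number_block=10 ** 5, age_window_years=20, validity_years=5)
    print(f"nominal MRZ entropy   : {entropy_bits(NOMINAL_FIELDS):.1f} bits")
    print(f"guessable MRZ entropy : {entropy_bits(weak):.1f} bits")
    print(f"shortfall vs random key: {margin_bits(weak):.1f} bits")
```

Even the nominal figure is well under 112 bits; the guessable one is what makes an offline search of intercepted traffic practical, and a random printed key removes the shortfall entirely.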
According to one of the follow-up articles, the attacker must first be within 10 meters of the passport while it is in active use. This means standing fairly close to the customs counter. The attacker intercepts the communications, then can take that information offline and brute force the key. YMMV on the distance estimate since it is a radio intercept.
One would hope that a person sitting in the waiting area with a laptop connected to a Pringles can that is aimed at the customs desk would draw some sort of attention, but with what is passing for security these days...
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
As the link to the good stuff is hidden in Dutch text, here it is: paper (EN)
https://events.ccc.de/congress/2005/wiki/RFID-Zap
If an experiment works, something has gone wrong.
Yes, it is possible to duplicate a fingerprint -- story made Slashdot about two years ago.
;-)
Essentially just take a photocopy of a fingerprint, make a mask for a printed circuit board from that, etch to give you a mould, and use gelatin or similar to make a cast. The advantage of gelatin over latex is that you can eat the evidence.
The details can be found in this paper.
They were getting anywhere from 70% to 100% success rate on typical fingerprint scanners, depending on the scanner.
A google search for "fingerprint scanner mould gelatin" (no quotes) turns up a ton of other articles.
-- Alastair
The grandma-slamming type is called 'false positive', the building detonation type is called 'false negative'.
False positives are supposed to happen much more often, because many more regular people are checked than really dangerous people. Let's calculate some wild guesses: If the identification is 99.99% correct, and you are checking 1 million people, of which 10 people are really dangerous, you get 100 false positives and almost all dangerous ones (the risk of letting one of them slip is only 1:1000). That means only every tenth person you are slamming on the hood of the police car is really a terrorist.
So biometric identification doesn't really need to be that good to perfectly identify one. It should be perfected the other way: to really dismiss the data of a person who is not being searched for.
Back to the example numbers: If the system was able to identify a person 99% for sure, but was also able to not misidentify a person 99.9999% of the time (as a tradeoff we basically allow only a 1:100 chance of failing to identify a person, but make sure that it doesn't falsely identify one, at 1:1 million), we would only have 1 person falsely slammed on the car hood, but would still be 10:1 sure not to let a suspected terrorist slip.
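The two scenarios from the comment above carried through as an added example (not part of the thread): expected false positives, expected missed targets and the share of alarms that are genuine, plus the reverse question of what false-positive rate a wanted precision demands. The population and rate figures are the comment's own illustrative guesses.

```python
def expected_outcomes(population, targets, true_positive_rate, false_positive_rate):
    """Expected counts for one screening pass over `population` people,
    `targets` of whom are genuinely dangerous.

    true_positive_rate : chance a dangerous person is flagged
    false_positive_rate: chance an ordinary person is flagged
    """
    innocents = population - targets
    true_pos = targets * true_positive_rate
    missed = targets - true_pos
    false_pos = innocents * false_positive_rate
    # Precision: of everyone slammed on the hood, what fraction deserved it.
    precision = true_pos / (true_pos + false_pos)
    return {
        "true_positives": true_pos,
        "missed_targets": missed,
        "false_positives": false_pos,
        "precision": precision,
    }


def false_positive_rate_for_precision(population, targets, true_positive_rate, target_precision):
    """False-positive rate the matcher would need so that `target_precision`
    of all alarms are genuine. Derived from precision = tp / (tp + fp)
    with fp = innocents * fpr."""
    innocents = population - targets
    true_pos = targets * true_positive_rate
    return true_pos * (1 - target_precision) / (target_precision * innocents)


if __name__ == "__main__":
    # Scenario 1: 99.99% correct both ways, 1 million screened, 10 dangerous.
    a = expected_outcomes(1_000_000, 10, 0.9999, 0.0001)
    # Scenario 2: 99% detection, but only a 1-in-a-million false alarm.
    b = expected_outcomes(1_000_000, 10, 0.99, 0.000001)
    for name, r in (("99.99%/99.99%", a), ("99%/99.9999%", b)):
        print(f"{name}: {r['false_positives']:.1f} false positives, "
              f"{r['missed_targets']:.3f} missed, precision {r['precision']:.2f}")
    need = false_positive_rate_for_precision(1_000_000, 10, 0.99, 0.5)
    print(f"for half of all alarms to be genuine, fpr must be <= {need:.2e}")
```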