Slashdot Mirror


Another Setback for Biometric Passports

trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."

5 of 70 comments

  1. I'm shocked, shocked - by Black+Parrot · Score: 4, Interesting

    Data security scheme is cracked as soon as examples become available - whoda thought it?

    Haven't these people been watching the travails of the DRM industry? What kind of ignorance (or arrogance) leads someone to think they can build a portable data repository that won't get cracked?

    --
    Sheesh, evil *and* a jerk. -- Jade
  2. Re:So now what will they propose us? to get chippe by pvt_medic · Score: 2, Interesting

    eh and then shortly after we all get chipped someone walks by us with a small handheld device and changes our identity. Now we are some wanted bank robber.

    but on the plus side depending on where they put the chips the tinfoil hats might work.

    --
    30% Troll, 50% Underrated, 10% Interesting
    Score:5, Troll
  3. Because of stupid designers by Anonymous Coward · Score: 4, Interesting

    Although others are right saying it can never be completely secure, in the case of "e-passports", it's because of stupid design.

    In order to be able to read the card, the reader needs to know some information in the "Machine readable zone", the two lines of letters/numbers and signs below the first page of the passport.

    Because there is quite a bit of entropy in the information in the machine readable zone, it could be made reasonably secure -- but the designers decided _only_ to use the holder's birthdate, passport expiry date and passport number. As the holder's birthdate can be guessed to some degree (to about 1000 days), and the passport number and expiry date are linked (I presume), that leaves rather few possibilities to be tested.

    Stupid designers. They should have added a few (say 20) free chars in the Machine readable zone, to ensure guessing becomes impossible.

    (posting anonymously as I don't want my employer to become angry)
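
The entropy argument in the comment above, worked through as an added example (not part of the original thread and not the commenter's code). Only the ~1000-day birth-date window and the 20 free characters come from the comment; the 9-character number, the 5-year validity window and the 10,000 plausible numbers per expiry date are constructed assumptions.

```python
import math

ALNUM = 36  # A-Z plus 0-9: alphabet assumed for document numbers and free characters


def bits(candidates):
    """Entropy in bits of one value drawn uniformly from `candidates` options."""
    return math.log2(candidates)


def key_entropy(dob_days, expiry_days, numbers_per_expiry, free_chars=0):
    """Entropy of a key built from birth date, expiry date and document number.

    numbers_per_expiry models the linkage the comment presumes: once the expiry
    date is fixed, only this many document numbers remain plausible.
    """
    return (bits(dob_days) + bits(expiry_days) + bits(numbers_per_expiry)
            + free_chars * bits(ALNUM))


def free_chars_needed(current_bits, target_bits):
    """Random MRZ characters required to lift the key to target_bits."""
    return math.ceil(max(0.0, target_bits - current_bits) / bits(ALNUM))


def scenarios():
    """Constructed field sizes; only the ~1000-day birth window is from the comment."""
    validity = 5 * 365 + 1      # assumed 5-year validity window, in days
    return {
        # every field independent and uniform: the design's best case
        "independent": key_entropy(100 * 365 + 25, validity, ALNUM ** 9),
        # birth date guessed to ~1000 days, sequential numbers tied to expiry
        "as_described": key_entropy(1000, validity, 10_000),
        # same holder, plus the 20 free characters the comment proposes
        "with_20_free": key_entropy(1000, validity, 10_000, free_chars=20),
    }


if __name__ == "__main__":
    result = scenarios()
    for name, value in result.items():
        print(f"{name:13s} {value:6.1f} bits")
    print("free chars for 80 bits:", free_chars_needed(result["as_described"], 80))
```

Check digits in the machine readable zone are computed from the fields they protect, so they add nothing to these totals.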

  4. 10 meters in 2 hours by HTH+NE1 · Score: 3, Interesting

    an attack can be executed from around 10 meters and the security broken... in around two hours.

    But is it that someone would have to be within 10 feet of you for 2 hours to break it, or is it 10 feet to get the data and 2 hours at any distance to break it at leisure?

    In either case, you might want to shield your passport at the movie theater.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  5. Re:My card reeks data by slavemowgli · Score: 3, Interesting

    I wager it's just to give citizens the illusion of privacy while they are scanned from afar.

    You probably hit the nail on the head there. Many (most?) people seem to have a gut reaction of saying "hey, up yours!" when somebody proposes something that would, in essence, lead to a "papers please!" scenario (real or perceived), but they're too naive and/or stupid to realise that it's not being *asked* for papers that's the problem, but the fact that you're being identified, probably against your will, and with drawbacks/sanctions/repercussions if you do not agree to it.

    In other words, people are complaining about the symptoms rather than the underlying problem, and RFID arguably makes the symptoms go away; nobody will ask you for your papers after all, but that's not because they don't want to identify you - it's because it's not necessary to ask anymore. Rather, your data will just be read from afar, without you even being aware of it.

    Those politicians pushing for these things are probably drooling over the possibilities. It's even trivially possible to automate the entire process; you could scan entire crowds without them ever noticing, you could track people and build movement databases, and do just about everything that shouldn't be possible (or at least allowed) in a free society.

    Considering that there is absolutely zero advantage in RFID passports for those who'll be required to carry them, it's hard for me to believe that these things are not the reason why there's a push for these.

    --
    quidquid latine dictum sit altum videtur.