Another Setback for Biometric Passports

trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."

Precision & Recall

[eldavojohn]

The biggest setback to biometric security is that few companies post the actual numbers concerning their precision and recall.

Before I ever buy into a biometric security device, I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.

Their sites should have a slider that goes between zero and one with the resulting number. That way, I would know how many times out of a hundred my guards are going to let Bin Laden Jr. through my security check points. But I also want to know how many times my guards are going to throw Grandma-down-the-street against the hood of a car and arrest her for being a dead hijacker from an infamous attack. Implementers of biometric security just don't seem to grasp the concept that a false positive can be a problem just like a true negative. Every white paper I've read on this issue makes certain that they include these figures at the end of their paper.

Because if you hit the production line, these numbers are all that matter to your consumer.

Re: Precision & Recall

[Black+Parrot]

> I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.

What page of the Kama Sutra are you referring to? I can't find any of that stuff in the index.

Re:Precision & Recall

[dazedNconfuzed]

Another angle:

Statistics mean nothing when they happen to YOU.

Re:Precision & Recall

[Sique]

The grandma-slamming type is called 'false positive', the building detonation type is called 'false negative'.
False positive are supposed to happen much more often, because many more regular people are checked than really dangerous people. Lets calculate some wild guesses: If the identification is 99.99% correct, and you are checking 1 mio people, of which 10 people are really dangerous, you get 100 false positives and about all dangerous ones (the risk to let one of them slip is only at 1:1000). That means only every tenth person you are slamming on the hood of the police car is really a terrorist.
So biometric identification doesn't really need to be that good to perfectly identify one. It should be perfectionated the other way: To really dismiss the data of a not searched person.
Back to the example numbers: If the system was able to identify a person 99% for sure, but would be also able to not misidentify a person to 99.9999% (for a tradeoff we basically allow for only a 1:100 chance to identify a person, but make sure that it doesn't falsely identify one by 1:1mio), we would only have 1 person falsely slammed on the car hood, but still were 10:1 sure to not let a suspected terrorist slip.

I'm shocked, shocked -

[Black+Parrot]

Data security scheme is cracked as soon as examples become available - whoda thought it?

Haven't these people been watching the travails of the DRM industry? What kind of ignorance (or arrogance) leads someone to think they can build a portable data repository that won't get cracked?

It will never be safe.

[IAAP]

These things will NEVER be completely secure. Someone will always figure a way to hack them.

Eventually, folks will realize, that no matter how hard you try, you will never be completely safe: even if you become a shut-in. We just have to accept that life is terminal and it has inherit risks. Without those risks, life would be waaayy to fucking boring - for me anyway!

Re:It will never be safe.

[Corbets]

While there is some element of truth to that, it's far from the whole story. By that argument, why have speedlimits? Why restrict the sale of weapons to children? Why have any security at an airport whatsoever?

Yes, we take risks, but we have to decide where to draw the line between mitigating them and inconveniencing ourselves. I don't believe it's an issue of whether to draw that line but actually where to draw it.

Re:It will never be safe.

[swillden]

These things will NEVER be completely secure. Someone will always figure a way to hack them.

That depends on what you mean by "completely secure". In this case, the security design is basically very good, but contains a rather obvious flaw. Fix that flaw (and there are a number of fixes) and the result will be "completely secure", against certain forms of attack, anyway.

The data on the chip is protected by a 3DES key. If you don't know that key, you cannot authenticate to the chip, and the chip will therefore refuse to talk to you. If you do know the key, then you're in. So, someone hit on the simple (and clever) idea of printing the key on the inside of the passport (since all of the data on the chip is also available in printed form on the inside of the passport anyway).

The problem is that they decided that rather than printing a new, random, 112-bit key, they'd just use some data that already existed in the passport, the MRZ. This value consists of your passport number, birthdate and expiration date. That's actually not a whole lot of entropy, especially since passport numbers are pretty predictable, and ages and passport expiration years are pretty easy to guess. The result: the MRZ can be brute-forced, the key guessed and the passport data retrieved.

There are a bunch of obvious solutions:

• Shielded cover. The US is implementing this. The passport cover has an integral wire mesh so that when the cover is closed, the chip's antenna is shielded and the chip is isolated. This also addresses some other potential issues with attackers being able to tell remotely that you have a passport and perhaps even what country it's from, even if it won't actually give them any data about its contents.
• Print a separate, random key inside the cover and use that instead of the MRZ. It doesn't really need to be 112 bits, either. A 50-bit value would work fine, as long as it doesn't have any guessable portions. The brute force search speed is limited to the speed of the passport chip, so you don't need huge keyspaces.
• Configure the chip so that after a certain number of consective failed authentication attempts, it locks itself. This will prevent brute force searches, at the expense of perhaps creating a denial of service attack. However, these chips (if not shielded) are already at risk of denial of service attacks, so I don't think that's significant.

It's popular on slashdot to say "nothing is ever completely secure", and while that statement is literally true, in fact many things can be and are sufficiently secure within the defined operational parameters.

Re:It will never be safe.

[IAAP]

Yes, we take risks, but we have to decide where to draw the line between mitigating them and inconveniencing ourselves. I don't believe it's an issue of whether to draw that line but actually where to draw it.

The thing is that we're, as a society, so concerned with risks that are quite rare and completely oblivious to risks that are not so rare - heart disease, lung disease, etc.... The odds are we'll die or, worse from my perspective, become disabled from one of those diseases; which can be mitigated with diet and exercise.

I actually know some folks in health who actually think that McDonald's, Coke, etcc.. should be restricted because of their impact on pulbic health. That's how overboard people are willing to go to keep us safe. I resent that I would get a $50 ticket for not having my seatbelt becuase "it's for my safety". That's true, but that's my problem and my families. Having laws and using police to act like my mommy is a complete waste.

As far a airport security, I'd rather have none. We don't need it. One, it's not that effective, and two, if anyone actually tried anything, they'd get their asses kicked - see Richard Reid. In the meantime, my civil liberties have had one more chip taken out of them.

I gues that's where you and I will disagree - I'd rather err on recklessness.

Re:It will never be safe.

[swillden]

It can't take that much longer to put the edge of the passport against the stop, and press the button, now, can it?

Actually, it can. For two reasons which both basically boil down to a desire to be able to use cheap, off-the-shelf components.

First, positioning the contact plate correctly every time requires that the chip be placed in a fairly rigid medium. Common passports are too soft and when their edges fray or whatever the contact alignment will be off. I suppose this could be addressed either by making part of the passport out of rigid plastic, or else by using different contact plates than standard smart card chips (with larger, and therefore more forgiving, contact regions). But nobody really wants to change passports, and using non-standard contacts would require non-standard readers, which costs more.

The second reason is that contactless smart card communication is much, much faster than contact smart card communication. That's silly from a physical point of view, but it's true nonetheless. Contactless protocols, being newer, run at either 400Kbps or 800Kbps. Contact protocols run at between 9.9Kbps and 115Kbps, with lower values being far more common. Both contactless and contact smart card comm protocols are fairly inefficient, too. There's a lot of interframe and intercharacter overhead, as well as significant packet overhead (especially with encrypted and MACed APDUs, which are a very good idea whether you're doing contact or contactless).

So, contact chips move data as slow as about 700 bytes per second. The fastest ones move it at about 8KBps, and, in practice, it's not common to find cards and readers that can actually do that. The "slow" contactless chips move it at around 34KBps and the fast ones move it at around 70KBps. If you have 30KB of data to retrieve from the card, and you want to keep the line moving at the immigration desk, contactless is obviously much, much better. With contact chips, you can expect 30KB to take 10-15 seconds to transfer. With contactless chips you can get it to under 1s. That doesn't consider the time required to insert the passport into the reader, either. It's not huge, but it's a few seconds per passport, which adds up over the course of a day. It's much faster to flip open the passport and drop it face down on the optical scanner, which allows the system to grab the MRZ and simultaneously puts the chip's antenna in range of the contactless smart card reader.

So now what will they propose us? to get chipped?

[master_p]

*Tinfoil hat on*

Since biometric passports failed, are they gonna request us to get chipped? after all, it is for our own good.

Nothing to do with biometrics

[statemachine]

The "crack" involved reading the chip wirelessly.

FYI: *ALL* passports are biometric, unless yours for some reason doesn't have a photograph and a description.

Re:So now what will they propose us? to get chippe

[pvt_medic]

eh and then shortly after we all get chipped someone walks by us with a small handheld device and changes our identity. Now we are some wanted bank robber.

but on the plus side depending on where they put the chips the tinfoil hats might work.

Because of stupid designers

Although others are right saying it can never be completely secure, in the case of "e-passports", it's because of stupid design.

In order to be able to read the card, the reader needs to know some information in the "Machine readable zone", the two lines of letters/numbers and signs below the first page of the passport

Because there is quite a bit of entropy in the information in the machine readable zone, it could be made reasonably secure -- but the disigners decided _only_ to use the holder's birthdate, passport expiry date and passport number. As the holder's birthdate can be guessed to some degree (to about 1000 days), and the passport number and expiry date are linked (I presume), that leaves rather few possibilities to be tested.

Stupid designers. They should have added a few (say 20) free chars in the Machine readable zone, to ensure guessing becomes impossible

(posting anonymously as I don't want my empolyer to become angry)

Er....

[brunes69]

I think you missed the point.

The point is not that people who crack it can make fake cards (which they *can*, but anyways...), it is that people can read the info off my "secure" biometric ID card from a relativly long distance and use it to steal my identity, for any reason whatsoever.

I mean, 10m? Some guy could set up a listening post outside my office and read it all through the wall at 10m. The capacity for identity theft is very alarming.

10 meters in 2 hours

[HTH+NE1]

an attack can be executed from around 10 meters and the security broken... in around two hours.

But is it that someone would have to be within 10 feet of you for 2 hours to break it, or is it 10 feet to get the data and 2 hours at any distance to break it at leisure?

In either case, you might want to shield your passport at the movie theater.

Re:10 meters in 2 hours

[HTH+NE1]

10 meters is about 33 feet, not 10 feet.

I guess I'd better not get a job at NASA.

At least I got it right in the subject.

My card reeks data

[spyrochaete]

No private information should be made available over RFID. If that information has to be transmitted or broadcasted in any way, it should be from a patchable computer system that can change to reflect up-to-date security fixes. Otherwise, as soon as the encryption scheme is cracked, you could just walk down the halls of an airport for 10 minutes and record thousands of IDs.

Everything gets cracked. In this day and age even "security" is "security through obscurity". RFID is a fantastic technology but it shouldn't be a transmission vector for information of value. That's like visiting a bank in China and yelling your PIN in German, hoping nobody will understand. RFID should only be used for asset tracking, broadcasting otherwise useless data like serial numbers.

Why do we need RFID for passports anyway? Is it so hard to swipe a card? I wager it's just to give citizens the illusion of privacy while they are scanned from afar. I hope the decision to incorporate RFID - for passports, clothing, or anything people carry - will be debated profusely by governments before being adopted. I think many countries' constitutions are in conflict with technologies of such invasive potential.

Re:My card reeks data

[slavemowgli]

I wager it's just to give citizens the illusion of privacy while they are scanned from afar.

You probably hit the nail on the head there. Many (most?) people seem to have a gut reaction of saying "hey, up yours!" when somebody proposes something that would, in essence, lead to a "papers please!" scenario (real or perceived), but they're too naive and/or stupid to realise that it's not being *asked* for papers that's the problem, but the fact that you're being identified, probably against your will, and with drawbacks/sanctions/repercussions if you do not agree to it.

In other words, people are complaining about the symptoms rather than the underlying problem, and RFID arguably makes the symptoms go away; nobody will ask you for your papers after all, but that's not because they don't want to identify you - it's because it's not necessary to ask anymore. Rather, your data will just be read from afar, without you even being aware of it.

Those politicians pushing for these things are probably drooling over the possibilities. It's even trivially possible to automate the entire process; you could scan entire crowds without them ever noticing, you could track people and build movement databases, and do just about everything that shouldn't be possible (or at least allowed) in a free society.

Considering that there is absolutely zero advantage in RFID passports for those who'll be required to carry them, it's hard for me to believe that these things are not the reason why there's a push for these.

Fingerprint authentication is a bad idea

[Orange+Goblin]

So normally when your password is compromised, you change it and try and be more careful next time. What happens when it is possible to duplicate a rubber finger from a fingerprint - done in films, but is it possible now? I don't know. You can't change your fingerprint, so do you just leave it as it is and let whoever it is keep their access?

Re:Fingerprint authentication is a bad idea

[SeekerDarksteel]

And this is why I think that ALL machine readable biometric measures will eventually fail. The inherent problem with all biometrics is there is NO method to resecure your authentication method once a compromise has occurred. If someone steals your password you can change it easily. If someone steals a physical key, the lock can be replaced. (A bit costly, but doable). If someone steals your fingerprint, from that point on for the rest of your life you cannot be guaranteed security in a process that uses your fingerprint as authentication. Worse yet, you leave your fingerprints EVERYWHERE. I don't know about you, but I don't leave hundreds of copies of my passwords lying around every day. There's also the argument that it isn't feasable to create fake fingers to pass fingerprint authentication with someone else's prints, but the data has to get digitized somewhere. Once it's all ones and zeros someone doesn't need to create a fake finger. They just need to figure out the right place to put their ones and zeros.

Re:Fingerprint authentication is a bad idea

[AJWM]

Yes, it is possible to duplicate a fingerprint -- story made Slashdot about two years ago.

Essentially just take a photocopy of a fingerprint, make a mask for a printed circuit board from that, etch to give you a mould, and use gelatin or similar to make a cast. The advantage of gelatin over latex is that you can eat the evidence ;-)

The details can be found in this paper.

They were getting aanywhere from 70% to 100% success rate on typical fingerprint scanners, depending on the scanner.

A google search for "fingerprint scanner mould gelatin" (no quotes) turns up a ton of other articles.

10 meters? 2 hours?

[Fnord666]

But is it that someone would have to be within 10 feet of you for 2 hours to break it, or is it 10 feet to get the data and 2 hours at any distance to break it at leisure?

According to one of the followup articles, The attacker must first be within 10 meters of the passport while it is in active use. This means standing fairly close to the customs counter. The attacker intercepts the communications, then can take that information offline and brute force the key. YMMV on the distance estimate since it is a radio intercept.

One would hope that a person sitting in the waiting area with a laptop connected to a pringles can that is aimed at the customs desk would draw some sort of attention, but with what is passing for security these days...

More info in English

[Ubi_NL]

As the link to the good stuff is hidden in dutch text here it is:
https://events.ccc.de/congress/2005/wiki/RFID-Zapp er(EN)