Slashdot Mirror
British "Secure" Passports Cracked
hard-to-get-a-nickna writes "The Guardian has cracked the so-trumpeted secure British passports after 48 hours of work:
'Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?'"
We don't have a democracy, in either the pure form (which is an unworkable ideal anyway) or the popular interpretation (which is much more sensible approach in practice).
Blair has an absolute majority of MPs in Parliament, which effectively means he can force through almost anything. That doesn't mean an absolute majority of the electorate support him. Remember, Labour lost the popular vote in England at the last general election, and even with the support of MPs from our neighbour countries to prop them up, they still only received around 1/3 of the overall popular vote.
Blair and co have gone about forcing laws through and creating legacies, but the simple fact is that they have no mandate to bring in the kinds of sweeping change they are championing, unless at the very least they also have support from the other main parties who brought in other people's votes. Clearly in many of these so-called anti-terrorism matters, they do not.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
If you read the TFA you'll find that it doesn't make any claims about being able to modify the data. It does however go on to list the ways an attacker might retrieve the data and make use of it.
To be fair to the system designers it does make the whole system a little more secure in that the data on the chip has to be matched with the paper information. But only a little: if I found someone who looked sufficiently like me AND I could gain access to their passport the system is just a compromised. Arguably moreso as the claimed extra security will lead to an unjustifiable rise in trust.
Considering the following scenario: a crooked hotel clerk (in Europe you usually have to show your passport when checking in) takes your passport "to be photocopied". Using the key information on the passport they clone every passport that comes their way. This way they can build up a stock of passports matching all conceivable faces to be resold. This actually becomes more useful the longer the system is in operation as the ten years of a usual passport's lifespan can make your face change dramatically.
The end result is a system only marginally more secure than before.
But that's exactly the point of this 'cracked' encryption: you *can't* clone the passport just by reading the RFID in someone's coat pocket.
Well this is so, but if you read the FA then you'll see a more plausible attack involving someone who knows your name and address (the postman in that case). Nevertheless it seems the fundamental problem here is that the key on the chip can be brute-forced. A simple change ought to fix that - either have the chip shut down after three incorrect keys have been tried, or (better) have it implement an exponential back-off for each failed attempt.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
No, the 24 hours the article gives is if you can't see the password but you know some information about the target. If you have access to the actual passport access is instantaneous. Effectively a cloner just does exactly the same as an immigration control officer.
Have we learned nothing?
The article states that if you can see the human-readable part of the passport, or even just take a good guess at the details, you can extract the rest of the data from the RFID chip -- and clone it. Encryption is used to ensure that nobody can eavesdrop on a transaction once initiated, but that doesn't help the fact that every transaction is presumed legitimate -- and the very nature of RFID means that you aren't always able to know that a transaction is taking place. If there isn't a human being checking passports, just a machine -- and one day, that is exactly how it will be -- one of those cloned RFID chips will be enough to get you past it.
Attempting to automate people out of the loop is asking for trouble, because we can always know what tests a machine is performing and falsify the results. Criminals are not stupid -- and smart people can often be bought. If the anticipated returns are high enough, you can be sure that someone will put up the stake. Security through obscurity is worse than no security, because it leads people to believe that their details are safe when they are not.
By the way, if you want to see how easy it is to commit identity theft, start here.
Je fume. Tu fumes. Nous fûmes!
They should have called in the experts, Microsoft!
Okay I know you're joking, but Microsoft have been one of the biggest critics of the UK government's ID card system as providing the ideal conduit for ID theft; so perhaps the Home Office really should have called them in.