Slashdot Mirror


British "Secure" Passports Cracked

hard-to-get-a-nickna writes "The Guardian has cracked the so-trumpeted secure British passports after 48 hours of work: 'Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?'"

3 of 305 comments

  1. Easy to clone by SomethingOrOther · Score: 5, Interesting

    Home Office spokesman.
    "If you were a criminal, you might as well just steal a passport."

    Missing the point dude.
    If my passport gets stolen, I report it. It gets cloned, I've no idea somebody is impersonating me, screwing up my life (and others).
    Please people, support NO2ID and tell Blair where to shove his flawed ID cards and CCTV cameras.

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
  2. Re:Nothing to see here... by archeopterix · Score: 4, Interesting
    "If you can read the chip, then you can clone it," he says.
    Don't see how you can... but anyway an exploit would be a problem with the reading software, not with the passports.
    The "read -> clone" implication might be a bit of an overstatement, but if the chip identifies itself (and the passport) to the reader by revealing _all_ of its contents, then the only barrier to cloning is the availability of programmable RFID chips. Cryptographically speaking (*), they could have done better. There exists something called zero knowledge protocols, which make it possible to identify a party without revealing the secret information used for identification, i.e. without helping the potential cloner.


    (*)I don't know whether RFID chips are capable of implementing zero knowledge protocols (they require some computing power), but if they can handle 3DES, then the answer is probably yes.
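
Added example, not part of the comment above or of any passport specification: a sketch of Schnorr identification, one well-known protocol of the kind the comment mentions (honest-verifier zero knowledge), showing that a recorded session does not let a copy answer a fresh challenge. The group parameters are constructed toy values and the names `Chip`, `session` and `replay_against_new_challenge` are hypothetical.

```python
import secrets

# Toy Schnorr group (constructed for illustration, far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Chip secret x and the public value y = g^x that the reader is given."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

class Chip:
    """Prover: holds x and never transmits it."""
    def __init__(self, x):
        self._x = x

    def commit(self):
        self._r = secrets.randbelow(Q - 1) + 1  # fresh nonce for every session
        return pow(G, self._r, P)

    def respond(self, c):
        return (self._r + c * self._x) % Q

def verify(y, t, c, s):
    """Reader check: g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def session(chip, y, c=None):
    """One identification run; returns the transcript an eavesdropper sees."""
    t = chip.commit()
    c = secrets.randbelow(Q) if c is None else c
    s = chip.respond(c)
    return (t, c, s), verify(y, t, c, s)

def replay_against_new_challenge(y, transcript, new_c):
    """A copy that only holds a recorded (t, s) faces a different challenge."""
    t, _, s = transcript
    return verify(y, t, new_c, s)

if __name__ == "__main__":
    x, y = keygen()
    transcript, ok = session(Chip(x), y)
    print("genuine chip accepted:", ok)
    new_c = (transcript[1] + 1) % Q
    print("replayed transcript accepted:",
          replay_against_new_challenge(y, transcript, new_c))
```

The replay only verifies when the reader repeats the same challenge, which is why the challenge space must be large in a real deployment.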

  3. Re:Another DRM? by itsdapead · Score: 3, Interesting
    I don't know why a simple thing as designing a security algorithm can be so hard.

    True - provided you're trying to get Alice to talk to Bob! Those two know a thing or two about cryptography by now and can deal with keeping keys secret, using strong passwords etc.

    It all gets rather harder if you're dealing with a huge messy system composed of hordes of busy people who neither understand nor wish to understand the system. And that's just the immigration officers, never mind Joe Public!

    The system that they cracked seems entirely fit for the (obviously intended) purpose of preventing casual sniffing of the RFID information. It makes the perfectly pragmatic assumption that, if the bad hats get physical possession of the passport, you're screwed anyway.

    They could have used a "secret" key (or something more sophisticated) because every immigration desk in every participating country then needs a secret key to "unlock" the info - and as soon as one of those (inevitably) leaks every passport in a dozen countries would have to be updated or replaced.

    The problem is that all any technological change like this can achieve is to make counterfeiters work that little bit harder (the article didn't say if the info had been digitally signed - which would really help there and would be totally unrelated to anti-RFID-snooping measures).

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.