Biometric passports cracked!
Monday, 20 November 2006

A few months ago Zone-H dealt with the problems raised by the new e-passports and concluded that they were not as safe as they were presented to be.

Now, new research by the magazine The Guardian focuses on the limits of this technology and highlights the risks that an ordinary person could run: after showing how easy it is to steal valuable information starting from a “British Airways frequent-flyer number” printed on an old boarding pass stub, a team of experts working at The Guardian tested the new ultra-secure electronic passports and proved that they are actually not that safe.

According to the UK Identity and Passport Service website, “the use of biometric information to link a person to a passport can help to counter identity fraud” because they are guaranteed by "an advanced digital encryption technique". In the new passports, the holder's details and a digital description of their physical features (known as biometrics) are stored in a tiny microchip that is believed to make identity fraud far more difficult. But is it really so?

After the 9/11 attacks, the need for more accurate controls made it necessary to work out a new passport that would make it possible not only to verify the identity of the holder but also to check more details about the traveller. On this basis, the International Civil Aviation Organization (ICAO) set a number of standards that had to be respected when developing this new passport. Specifically, the ICAO recommended that passports should contain facial biometrics and possibly fingerprints. All data are recorded on a Radio Frequency Identification (RFID) microchip that can be accessed by short-distance microwaves.
Moreover, the ICAO suggested that the key to enter the chip should be composed of the passport number, the holder's date of birth and the passport expiry date, all of which are printed on the passport's data page in a "machine readable zone". The chip contained in the reader machine can decode this information and display it on a screen where the official in charge can verify the data.

The first weak point of this procedure is the way the ICAO itself spreads information: documents about the new e-passports are published on its official website, reporting that “the key to opening up the secure chip was contained in the passports themselves - passport number, date of birth and expiry date.”

To access the information contained in the chip, you need a reader (which can be bought for about 250 US$). It will start a communication with the RFID chip in the passport using the passport number, date of birth and expiry date as a key. The following data exchange will be encrypted, but an expert coder would take no more than two days to develop software to make sense of it.

Once the reader has started the communication with the RFID chip in the passport, and the encryption software has started decoding the data, the information takes a few minutes to be available.

According to Adam Laurie, one of the coders who collaborated with The Guardian to carry out this study, "The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."
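The point of the quote above, as an added example (not code from the article or from The Guardian's test): under ICAO Doc 9303 Basic Access Control, the key seed is a SHA-1 hash of the printed document number, birth date and expiry date with their check digits, so the key can hold no more entropy than those fields. The sample values are the specimen passport from the ICAO document's worked example; the field-space sizes passed to `effective_key_bits` are assumptions chosen for illustration.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated across a field

def char_value(c):
    """MRZ character value: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c in "0123456789":
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {c!r}")

def check_digit(field):
    """Weighted sum of the character values, modulo 10."""
    return str(sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10)

def mrz_information(doc_number, birth, expiry):
    """Concatenate the three printed fields, each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")
    if len(doc_number) != 9 or len(birth) != 6 or len(expiry) != 6:
        raise ValueError("expected a 9-character document number and YYMMDD dates")
    return "".join(f + check_digit(f) for f in (doc_number, birth, expiry))

def key_seed(doc_number, birth, expiry):
    """16-byte seed for the chip access keys: SHA-1 over printed data only."""
    info = mrz_information(doc_number, birth, expiry)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]

def effective_key_bits(doc_numbers, birth_dates, expiry_dates):
    """Upper bound on key entropy: log2 of the number of field combinations."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)

if __name__ == "__main__":
    # Specimen values from the ICAO Doc 9303 worked example (not a real passport).
    print(mrz_information("L898902C", "690806", "940623"))
    print(key_seed("L898902C", "690806", "940623").hex().upper())
    # Assumed field spaces: 9-digit numeric document number, 100 years of
    # birth dates, 10 years of expiry dates. The 3DES key itself is 112 bits.
    print(round(effective_key_bits(10**9, 36525, 3652), 1))
```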

The British Home Office, however, maintains that even if the data can be accessed, they cannot be added to or changed, so it isn’t possible, for example, to change the picture or the date of birth, or anything else.
But as Mr. Grunwald demonstrated during the last HOPE, once the RFID chip is accessed it can also be cloned: quite a useful characteristic for terrorists who aim to enter a foreign country illegally!
Biometrics are not a guarantee of safety either, since it is not hard to reproduce some physical characteristics (or hide them).

But how is it possible for a cracker to read an RFID chip and clone it?
According to the British government, the new biometric passport can be read over a distance of just 2 cm, but researchers all over the world disagree and claim that it is possible to read the chip at a distance of up to 30 cm.

We haven’t verified this last statement, but the Guardian’s researchers managed to read a chip 7.5 cm away from the reader machine, which is more or less the distance there could be between the passport you are carrying in your pocket and the bag of the traveller sitting next to you in the airport’s waiting room.

The point now is not “when terrorists and cyber criminals will go so far”, because considering what happens every day on the digital ground, they already have all the necessary instruments to carry out such an action.
The real question is:
"How can we protect ourselves and prevent them from threatening our safety?"
Not much, since institutions still firmly believe in the safety of this technology, and they will make us adopt it very soon.

And it is quite discomforting that, as ever, the only protection is “paying attention”, perhaps keeping the digital passport in a plastic envelope that would act as an obstacle to microwaves.

