John Lattrice reports on the Daily Mail’s investigation into the ability to clone the new UK biometric passport. A major security gap allows a would-be identity thief to obtain an individual’s personal information without even opening the envelope the passport is delivered in.
“The Mail exploit draws on previous work by security consultant Adam Laurie and others, and puts together vulnerabilities in the chip technology, and in the chip security and logistics systems used by the Identity & Passport Service.”
Lattrice goes on to state that:
“The data in the chip is essentially a digital version of what is printed inside the passport itself. The printed data can be read if the passport is presented and opened, and the chip’s security system attempts to duplicate this process. The chip data can be read wirelessly, but it is encrypted, with the key printed inside the passport. So in theory, although the chip can be read without the passport (or indeed the delivery envelope) being opened, the data is meaningless without the key.”
“But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder’s date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder’s date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label.”
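To put a number on how little secrecy such a key holds, here is an added example (not from Lattrice's report or the Mail's investigation) that compares the key material's entropy when nothing is known with its entropy once the date of birth is known and the expiry date is narrowed to a few days. The field sizes, the 100-year birth-date span, the seven-day window and the four unknown passport-number digits are assumptions chosen for illustration.

```python
import math
from datetime import date

def days_between(start: date, end: date) -> int:
    """Count of candidate dates in the inclusive range [start, end]."""
    return (end - start).days + 1

def entropy_bits(candidates: dict) -> float:
    """Upper bound on entropy: each field uniform over its candidate
    set, fields independent. Real entropy is lower if values cluster."""
    return sum(math.log2(n) for n in candidates.values())

def key_material_entropy(expiry_window_days: int, unknown_digits: int) -> dict:
    """Entropy of the three printed fields the key is built from.

    Assumptions (illustrative, not taken from the report):
      - passport number is 9 decimal digits
      - holders' birth dates span 100 years
      - passports are valid for 10 years (about 3653 possible expiry dates)
    Check digits are computed from the fields, so they add no entropy.
    """
    nominal = {
        "passport_number": 10 ** 9,
        "date_of_birth": days_between(date(1907, 1, 1), date(2006, 12, 31)),
        "expiry_date": 3653,
    }
    # Scenario described in the report: date of birth already known,
    # expiry date within a few days of a known delivery date, and part
    # of the passport number predictable from the issuing office.
    informed = {
        "passport_number": 10 ** unknown_digits,
        "date_of_birth": 1,
        "expiry_date": expiry_window_days,
    }
    return {
        "nominal_bits": entropy_bits(nominal),
        "informed_bits": entropy_bits(informed),
        "random_key_bits": 128.0,  # reference point: a truly random 128-bit key
    }

if __name__ == "__main__":
    for name, bits in key_material_entropy(7, 4).items():
        print(f"{name:16s} {bits:6.1f} bits")
```

Even the nominal figure falls far short of a random key of the same length, which is why a key built from printed, guessable fields cannot be treated as a secret.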
This report highlights the major technology gaps that must be addressed before any nation should issue these passports to its citizens. The ease with which Adam Laurie accomplished this, using only parts that can be purchased on the Internet or at a local electronics store, underscores why so many individuals view this form of passport technology as a danger to the well-being of individuals throughout the world.
As a security consultant, I believe that more research and development is needed before using this technology to store personal information. You can read Lattrice’s report by clicking on the link provided below:
How to clone a biometric passport while it’s still in the bag