delusionofgrandeur

The Times online has news that Dutch security researcher Jeroen van Beek has demonstrated a method to digitally clone, copy and alter a British biometric passport.

The first revelation is that the ’strong encryption’ of the British biometric passport has been cracked. Perhaps it’s not such a huge revelation as I recall hearing the Dutch chip passports had been cracked and those would presumably have to use the same internationally-accepted standard for encryption.

He was then able to take a chipped passport, copy the data from it (in this case the biometric data for a child), change the digitally stored photograph for one of Osama bin Laden and then upload the data again, even generating a new key signature to match the data stored.

The vulnerability of the ‘chipped’ passports seems exceptionally serious when combined with work by Peter Gutmann, from Auckland University, New Zealand. Normally, the changed data on the chipped passport along with it’s new signing key would fail to match with the key found on a centralised database. Mr Gutmann’s work allowed a second, correct key to be stored on the passport thereby allowing the passport to be authenticated.

The only final way in which this method of creating a counterfeit passport can be avoided is if the security agent actually checks the full biometric data as downloaded from the chip against the full data retrieved from the centralised database (We’ll assume the centralised database isn’t being compromised as part of a concerted effort for the purposes of this discussion). The problem here is that of the 45 countries to sign-up for the public key directory, only 5 have implemented it. Naturally, the Gutmann work neatly circumvents the PKD and the final backstop of manual comparison relies on access to the database holding the original.

The Times article points out that a prospective criminal would need fake passport material to implant the chips on (a fairly trivial matter with modern technology). This, however, should be no problem in the short term as 3,000 blank British biometric passports were stolen last week.

In a world where it is alleged that airport security personelle aren’t even checking signatures, it looks like identity fraud has just become both easier and far more complete.

Tags: altered, biometric passport, british, cloned, copied, Dutch, fraud, identity theft, Jeroen van Beek, peter gutmann, security

This entry was posted on Thursday, August 7th, 2008 at 1:11 pm and is filed under News.You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.