Sunday, November 19, 2006

Hacking your identity made easy.

Guardian writer Steve Boggan and a friendly 'cracker' had some fun with the new british biometric passports.
Six months ago, with the help of a rather scary computer expert, I deconstructed the life of an airline passenger simply by using information garnered from a boarding-pass stub he had thrown into a dustbin on the Heathrow Express. By using his British Airways frequent-flyer number and buying a ticket in his name on the airline's website, we were able to access his personal data, passport number, date of birth and nationality. Based on this information, using publicly available databases, we found out where he lived, his profession, all his academic qualifications and even how much his house was worth.

This is pretty scary news but the full article gets even scarier. He was able to very simply crack the chip in the new biometric passports and pull out all sorts of data.
"I was amazed that they made it so easy," Laurie says. "The information contained in the chip is not encrypted, but to access it you have to start up an encrypted conversation between the reader and the RFID chip in the passport.

"The reader - I bought one for £250 - has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.

"The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."

Within minutes of applying the three passports to the reader, the information from all of them has been copied and the holders' images appear on the screen of Laurie's laptop. The passports belong to Booth, and to Laurie's son, Max, and my partner, who have all given their permission.

Booth is staggered. He has undercut Laurie by finding an RFID reader for £174, which also works. "This is simply not supposed to happen," Booth says. "This could provide a bonanza for counterfeiters because drawing the information from the chip, complete with the digital signature it contains, could result in a passport being passed off as the real article. You could make a perfect clone of the passport."

Airport security is a bad joke. It's 100% consumer inconvenience with 0% actual safety.

No comments: