[IP] Guardian Unlimited: Cracked it!

To: ip@xxxxxxxxxxxxxx
Subject: [IP] Guardian Unlimited: Cracked it!
From: David Farber <dave@xxxxxxxxxx>
Date: Fri, 17 Nov 2006 05:19:13 -0500
List-help: <http://v2.listbox.com/doc/help_sub>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?list_id=247>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?list_id=247>
References: <2538.71.211.100.1.1163746637.squirrel@xxxxxxxxxxxxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx

Begin forwarded message:

From: bobr@xxxxxxxxxxxxxxxxxxxxxxxxxx
Date: November 17, 2006 1:57:17 AM EST
To: dave@xxxxxxxxxx
Subject: Guardian Unlimited: Cracked it!

Dave

Anybody on IP wanna buy a Passport -- or a new identity?

Bob Rosenberg
P.O. Box 33023
Phoenix, AZ  85067-3023
Mobile:  602-206-2856
LandLine:  602-274-3012
bob@xxxxxxxxxxxxxxxxxxxxxxxxxx

Cracked it!

Three million Britons have been issued with the new hi-tech passport,designed tofrustrate terrorists and fraudsters. So why did Steve Boggan and afriendly computer

expert find it so easy to break the security codes?
Steve Boggan
Friday November 17, 2006

Guardian
http://www.guardian.co.uk/idcards/story/0,,1950226,00.html

Six months ago, with the help of a rather scary computer expert, Ideconstructed the

life of an airline passenger simply by using information garnered from a

boarding-pass stub he had thrown into a dustbin on the HeathrowExpress. By usinghis British Airways frequent-flyer number and buying a ticket in hisname on theairline's website, we were able to access his personal data, passportnumber, dateof birth and nationality. Based on this information, using publiclyavailable

databases, we found out where he lived, his profession, all his academic
qualifications and even how much his house was worth.

It would have been only a short hop to stealing his identity,committing fraud in

his name and generally ruining his life.

Great news then, we thought, that the UK had just begun to issue new,ultra-securepassports, incorporating tiny microchips to store the holder'sdetails and a digitaldescription of their physical features (known in the jargon asbiometrics). These,the argument went, would make identity theft much more difficult andpave the way

for the government's proposed ID cards in 2008 or 2009.

Today, some three million such passports have been issued, and theydon't look sosecure. I am sitting with my scary computer man and we have justsucked out all thesupposedly secure data and biometric information from three newpassports and

displayed it all on a laptop computer.

The UK Identity and Passport Service website says the new documentsare protected by"an advanced digital encryption technique". So how come we have theinformation?What could criminals or terrorists do with it? And what could it meanfor the

passports and the ID cards that are meant to follow?

First it is necessary to explain why the new passports wereintroduced, and how theywork.After the 9/11 attack on the World Trade Centre, in which fakepassports wereused, the US decided it wanted foreign citizens who presentedthemselves at itsborders to have more secure "machine-readable" identity documents. Ittold 27countries that participated in a visa waiver programme that citizenswith passportsissued after the 26th of last month must have micro-chipped biometricpassports orwould have to apply for a US visa. Among those 27 countries are themajor EUmembers, and other friendly nations ranging from Andorra and Icelandto Singapore,

Japan and Brunei. The UK, of course, is also included.

Standards for the new passports were set by the International CivilAviationOrganisation (ICAO) in 2003 and adopted by the waiver countries andthe US. The ICAOrecommended that passports should contain facial biometrics, thoughcountries couldintroduce fingerprints at a later date. All these would be stored ona RadioFrequency Identification (RFID) microchip, which can be accessed froma shortdistance using radio waves. Similar chips are commonly found inretail, where they

are used for stock control.

Fatally, however, the ICAO suggested that the key needed to accessthe data on thechips should be comprised of, in the following order, the passportnumber, theholder's date of birth and the passport expiry date, all of which arecontained onthe printed page of the passport on a "machine readable zone." Whenan immigrationofficial swipes the passport through a reader, this feeds in the key,which allows amicrochip reader to communicate with the RFID chip. The data thiscontains,including the holder's picture, is then displayed on the official'sscreen. The

assumption at this stage is that this document is as authentic as it is

super-secure. And, as we shall see later, this could be highlysignificant.

Once the passports began to be issued in the UK in March, we beganlaying thefoundations for examining them. Phil Booth, national coordinator ofthe campaigngroup NO2ID, suggested to his members that they apply for a newpassport. Anyone whogets one before ID cards are rolled out will not have to register fora card until

their passports expire in 10 years' time, and this appealed to Booth.

At the same time, Adam Laurie, my computer expert and technicaldirector of theBunker Secure Hosting, a Kent-based computer security company, and Ibegan layingplans to examine the new passports. Laurie is actually not a scaryindividual - heis regarded in the industry as a technical wizard who cares aboutprivacy and civilrights - but much of the electronic information he uncovers is. Twoyears ago, herevealed that Bluetooth mobile phones could be accessed remotely,drained of theircontact details, diary entries and pictures, and manipulated to actas buggingdevices. The cellphone industry spent millions of pounds plugging thegaps he

exposed.

By last month, Booth, Laurie and I each had access to a new biometricchippedpassport and were ready to begin testing them. Laurie's first port ofcall was theICAO's website, where the organisation had published specificationsfor the newtravel documents. This is where he learned that the key to opening upthe securechip was contained in the passports themselves - passport number,date of birth and

expiry date.

"I was amazed that they made it so easy," Laurie says. "Theinformation contained inthe chip is not encrypted, but to access it you have to start up anencrypted

conversation between the reader and the RFID chip in the passport.

"The reader - I bought one for £250 - has to say hello to the chipand tell it thatit is authorised to make contact. The key to that is in the date ofbirth, etc. Oncethey communicate, the conversation is encrypted, but I wrote somesoftware in about

48 hours that made sense of it.

"The Home Office has adopted a very high encryption technology called3DES - thatis, to a military-level data-encryption standard times three. So theyare usingstrong cryptography to prevent conversations between the passport andthe readerbeing eavesdropped, but they are then breaking one of the fundamentalprinciples ofencryption by using non-secret information actually published in thepassport tocreate a 'secret key'. That is the equivalent of installing a solidsteel front door

to your house and then putting the key under the mat."

Within minutes of applying the three passports to the reader, theinformation fromall of them has been copied and the holders' images appear on thescreen of Laurie'slaptop. The passports belong to Booth, and to Laurie's son, Max, andmy partner, who

have all given their permission.

Booth is staggered. He has undercut Laurie by finding an RFID readerfor £174, whichalso works. "This is simply not supposed to happen," Booth says."This could providea bonanza for counterfeiters because drawing the information from thechip, completewith the digital signature it contains, could result in a passportbeing passed off

as the real article. You could make a perfect clone of the passport."

But could you - and what use would my passport be to you? A securityfeature of thechip ensures that information cannot be added or altered, so youcouldn't put your

picture on my chip. So is our attack really so impressive?

The Home Office thinks not. It correctly points out that theinformation sucked outof the chip is only the same as that which appears on the page,readable with thehuman eye. And to obtain the key in the first place, you would needto have accessto the passport to read (with the naked eye) its number, expiry dateand the date of

birth of its holder.

"This doesn't matter," says a Home Office spokesman. "By the time youhave accessedthe information on the chip, you have already seen it on thepassport. What usewould my biometric image be to you? And even if you had theinformation, you wouldstill have to counterfeit the new passport - and it has lots of newsecurityfeatures. If you were a criminal, you might as well just steal apassport."

However, some computer experts believe the Home Office is beingdangerously naive.Several months ago, Lukas Grunwald, founder of DN-Systems EnterpriseSolutions inGermany, conducted a similar attack to ours on a German biometricpassport andsucceeded in cloning its RFID chip. He believes unscrupulouscriminals or terrorists

would find this technology very useful.

"If you can read the chip, then you can clone it," he says. "Youcould use this toclone a passport that would exploit the system to illegally enteranother country."(We did not clone any of our passport chips on the assumption that todo so would be

illegal.)

Grunwald adds: "The problems could get worse when they putfingerprint biometrics onto the passports. There are established ways of making forgedfingerprints. In thefuture, the authorities would like to have automated border controls,and such

forged fingerprints [stuck on to fingers] would probably fool them."

But what about facial recognition systems (your biometric passportcontains precisemeasurements of key points on your face and head)? "Yes," saysGrunwald, "but theyare not yet in operation at airports and the technology throws upbetween 20 and 25%

false negatives or false positives. It isn't reliable."

Neither is the human eye, according to research conducted by a teamof psychologistsfrom the University of Westminster in 1996. Remember, information -such as a newpicture - cannot be added to a cloned chip, so anyone using it tomake a counterfeitpassport would have to use one that bore a reasonable resemblance tothemselves.

But during Westminster University's study, which examined whetherputting people'simages on credit cards might reduce fraud, supermarket staff draftedin for testshad great difficulty matching faces to pictures. The conclusion wasthat pictureswould not improve security and they were never introduced on creditcards. Thismeans that each time you hand over your passport at, say, a hotelreception orcar-rental office abroad to be "photocopied", it could be cloned withequipment likeours. This could have been done with an old passport, but since thenew biometricpassports are supposed to be secure they are more likely to beaccepted without

question at borders.

Given the results of the Westminster study, if a terrorist bore aslight resemblanceto you - and grew a beard, perhaps - he would have a good chance ofgetting througha border. Because his chip is cloned, with the necessary digitalsignatures, andbecause you have not reported your passport stolen - you still haveit! - hismachine-readable travel document will get him wherever he wants togo, using your

identity.

What about the technical difficulties? The government claims the newbiometricpassport chips can be read over a distance of just 2cm, butresearchers all over theworld claim to have read them from further. The physics governingthose in Britishpassports says they could be read over a metre, but no one has yetdone that. A

Dutch team claims to have contacted chips at 30cm.

Laurie has, however, rigged up a piece of equipment that can connectto a passportover 7.5cm. That isn't as far as the Dutch 30cm, but it is enough ifyour targetsubject is sitting next to you on the London Underground or crushedup against youon the Gatwick Airport monorail, his pocketed passport next to thereader you have

hidden in a bag.

It takes around four seconds to suck out the information with areader; then it canbe relayed and unscrambled by an accomplice with a laptop up to 1kmaway. With aHeath Robinson device we built on Tuesday using a Bluetooth antennaconnected to anRFID reader, Laurie relayed details of his son's passport over adistance of 10

metres and through two walls to a laptop.

Ah, the Home Office will say, but you still need to see theinformation in thepassport that will form the key needed for connection. Well, notnecessarily.Consider this scenario: A postman involved with organised crime knowshe has apassport to deliver to your home. He already knows your name andaddress from theenvelope. He can get your date of birth by several means, includingcredit-referenceagencies or from the register of births, marriages and deaths (and,let's face it,

he delivers all your birthday cards anyway).

He knows the expiry date - 10 years from yesterday, give or take aday, when thepassport was mailed to you. That leaves the nine-digit passportnumber. NO2ID saysreports from its 30,000 members up and down the country are throwingup a number ofsimilarities in the first four digits of the passport number, so thatreduces thenumber of permutations, potentially leaving five purely randomnumbers to establish.

"If the rogue postman were to take your passport home, withoutopening the envelopehe could put it against a reader and begin a 'brute force' attack inwhich yourcomputer tries 12 different permutations every second until it hasthe right accesscodes," says Laurie. "A five-digit number would take 23 hours tocrack at the most.Once all those numbers were established, you could communicate withthe RFID chipand steal all the information. And your passport could be deliveredto you, unopened

and just a day late."

But is this really credible? Would criminals or terrorists really goto suchlengths? Ross Anderson, professor of security engineering at theUniversity ofCambridge computer laboratory, believes they would. "The point isthat once you haveextracted the data from the chip you can have a forged passport thatcontains notjust forged physical stuff," he says. "You also have the digital bit-stream so thedigital signature of the passport checks out. That makes it possibleto travel

through borders with it.

"What concerns me is that this demonstrates bad design on the part ofthe HomeOffice, and we know that government IT projects have a habit of goingterriblywrong. There is a lack of security in what we can see - so what aboutthe 90% of the

iceberg in the system that we can't see?

"There isn't even a defence against the brute-force attack. In muchthe same way asyou are only allowed three attempts to feed in your PIN number at anATM, thepassport chip could have been made to stop allowing repeatedincorrect attempts tocontact it. As things stand, a computer can keep trying until it getsthe numbers

right. To say this doesn't matter displays a cavalier lack of concern."

The problems we have identified with RFID chips in passports raiseall sorts ofquestions about the UK's proposed ID card scheme, which will use thesametechnology. The government has not said exactly what will becontained in the IDcard's chip, but there will be a National Identity Register thatcould containaround 50 pieces of information about you, ranging from your name,age, and all youraddresses, to your national insurance number and biometric details.Eventually, you

may need one to access healthcare. It could even replace the passport.

Already, then, criminals and terrorists will have identified just howuseful clonedID cards might be. It would be folly to think their best minds arenot on the case.

The Home Office insists that UK passports are secure and among thebest in theworld, but not everyone agrees. Last week, an EU-funded body entitledthe Future ofIdentity in the Information Society (Fidis) issued a declaration onmachine-readabletravel documents such as RFID-chipped passports and ID cards. It saidthe technologywas "poorly conceived" and added: "European governments haveeffectively forcedcitizens to adopt new ... documents which dramatically decrease theirsecurity and

privacy and increase risk of identity theft."

The government is now facing demands from the Liberal Democrats andanti-ID cardgroups for a recall of the passports so that simple devices such asfoil covers canbe installed - at enormous cost. Such covers would at least stopchips being scannedremotely, though they wouldn't prevent an unscrupulous hotelreceptionist from

opening the passport and sucking out its contents the way we did.

It may be that at some point in the future the government will acceptthat puttingRFID chips in to passports is ill-conceived and unnecessary. Untilthen, the onlypeople likely to embrace this kind of technology are those withmischief in mind.


Guardian Unlimited © Guardian News and Media Limited 2006



-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Student shot with Taser by UCPD officers in UCLA library TWICE on 11/14
Next by Date: [IP] more on Tazer at UCLA
Previous by thread: [IP] Student shot with Taser by UCPD officers in UCLA library TWICE on 11/14
Next by thread: [IP] more on Tazer at UCLA
Index(es):
- Date
- Thread