The Guardian newspaper reports that it took a tame security advisor just 48 hours to write software that can pull off information remotely from the latest 'ultra-secure" UK passports.
All that was required was the passport spec published on the web site of the International Civil Aviation Organisation (ICAO) - to know how to access the chip - and a £250 chip reader.
Explaining the background, the paper reports that in 2003, The International Civil Aviation Organisation (ICAO), recommended that passports should contain facial biometrics stored on a radio-frequency identification (RFID) chip that can be accessed from a short distance using radio waves. Similar chips, it says, are commonly found in retail, where they are used for stock control.
The specs that the ICAO provides tell you how to calculate the chip's access key using the passport number, the holder's date of birth and the passport expiry date.
Adam Laurie - technical director of Bunker Secure Hosting, a Kent-based company specialising in business-continuity data hosting- and the man who devised the cracking technique, is quoted as saying,
The Home Office has
adopted a very high encryption technology called
3DES - that is, to a military-level data-encryption standard times
three. So they are using strong cryptography to prevent conversations
between the passport and the reader being eavesdropped, but they are
then breaking one of the fundamental principles of encryption by using
non-secret information actually published in the passport to create a
'secret key'. That is the equivalent of installing a solid steel front
door to your house and then putting the key under the mat.
Laurie also says,
There isn't even a defence
against the brute-force attack. In much the
same way as you are only allowed three attempts to feed in your PIN
number at an ATM, the passport chip could have been made to stop
allowing repeated incorrect attempts to contact it. As things stand, a
computer can keep trying until it gets the numbers right.
The newspaper also points out that the problems it has identified with RFID chips in passports raise a lot of worrying questions about the use of such chips in the UK's proposed ID card scheme.
It also highlights a recent report from a EU-funded body - FIDIS (Future of Identity in the Information Society) that says,
European governments
have effectively forced citizens to adopt new ... documents which
dramatically decrease their security and privacy and increase risk of
identity theft.
Oh dear, oh dear.
Check out The Guardian's story and share your thoughts with us in this thread in the HEXUS.community.
