ePassport: false security, higher fees

Special to MWAW: Your electronic passport is not safe from the person behind you at the ticket counter. Adam Laurie, a computer programmer from Kent, has released a programme that allows anyone with the book-sized electronic reader device to steal information contained in the passports. “The program will read and display the contents of the ePassport, including the facial image and the personal data printed in the passport,” Mr Laurie said.

Electronic passports now cost £66. Oyster cards, which use a similar — but better — security code, cost only £3. Cracking an Oyster card is “more difficult than winning the national lottery,” said Mr Laurie, who made the programme available for download (rfidiot.org/). Once downloaded, it allows anyone with the right device to read a passport in just 15 seconds.

Nevertheless, not everything is as easy as it seems. Mr Laurie, contacted via email, said: “The government that issues the documents has the private keys for signing the objects stored there (such as image, text etc.). The passport itself is also encrypted with its own private key, but that key is derived from data printed in the passport (Passport number, D.O.B. and Expiry date). In this way, anyone with the passport’s individual private key can read it, but only the government can produce a new passport with correctly signed objects.”

In other words, to write the data in the ePassport, a “key” (like a password) is needed, and only the government has that key. To read the data, however, a different key is required for every passport. That key is derived from data printed in the passport itself (e.g. birth date, passport number). In a normal situation, the police optically read the data printed on the passport, then read the data on the chip using the key derived from that printed data. The formula to derive this key is well known (just go to www.highprogrammer.com/cgi-bin/uniqueid/mrzp and compute your own key!). In other words, anybody with Mr Laurie’s program can enter the key of his or her own passport, put the ePassport on a reader, and read it.

That would not be a big deal — I could not electronically read your data before having optically read it. Problems arise, however, when someone has a computer powerful enough to guess your key. This has been pointed out by Riscure, a Security Test Lab based in the Netherlands. Considering that it is possible to guess the age of someone with an error of plus or minus five years, and that many countries use consecutive passport numbers, a good desktop computer is able to guess the key in a day. The British Home Office says that UK passport numbers are randomly generated. Nevertheless the problem remains: sniffing the data of an ePassport is much easier than it should be. You can be standing in a line, waiting to check in, and your neighbour can read the ePassport, go home, produce a key in about a month (or a week) and have all your data, picture included.
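The two paragraphs above, as an added worked example (not code from this article, from Mr Laurie's program or from Riscure): it follows the Basic Access Control key derivation published in ICAO Doc 9303, then estimates how many guesses the printed fields leave an eavesdropper. The sample fields are the specimen values from the ICAO document; the day ranges and candidate counts passed to `search_space_bits` are assumptions chosen to mirror the scenario described here.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: 0-9 as-is, A-Z = 10-35, '<' = 0, weights 7,3,1."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10
        total += value * WEIGHTS[i % 3]
    return total % 10

def mrz_information(doc_number: str, dob: str, expiry: str) -> str:
    """Concatenate the three printed fields, each followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")
    return "".join(f + str(check_digit(f)) for f in (doc_number, dob, expiry))

def _odd_parity(key: bytes) -> bytes:
    # DES keys use the low bit of each byte as an odd-parity bit.
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)

def derive_keys(mrz_info: str) -> tuple[bytes, bytes]:
    """Return (K_enc, K_mac), the two 3DES access keys derived from the MRZ."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    def kdf(counter: int) -> bytes:
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])
    return kdf(1), kdf(2)

def search_space_bits(dob_days: int, expiry_days: int, doc_numbers: int) -> float:
    """log2 of the number of MRZ combinations an eavesdropper must consider."""
    return math.log2(dob_days * expiry_days * doc_numbers)

if __name__ == "__main__":
    # Constructed sample: the specimen MRZ fields from ICAO Doc 9303's worked example.
    info = mrz_information("L898902C", "690806", "940623")
    k_enc, k_mac = derive_keys(info)
    print(info, k_enc.hex(), k_mac.hex())
    # Assumed ranges: DOB within a 10-year window, expiry within 10 years.
    print("random 9-digit number:", round(search_space_bits(3650, 3650, 10**9), 1))
    print("sequential, ~1000 candidates:", round(search_space_bits(3650, 3650, 1000), 1))
```

The keys are nominally 112-bit 3DES keys, but their real strength is bounded by the printed fields: roughly 54 bits under these assumptions with random numbers, and about 34 bits when the document number can be narrowed to a thousand candidates.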

In this sense ePassports do not add any additional security — on the contrary, they seem to offer a backdoor for privacy intruders. Most probably the police will not need to ask you to show the ID card. If you wear it, they’ll read it without you even noticing it.

Traditional passports are not the main problem in fighting terrorism. For example, one month before the July 7 attacks were carried out, British authorities prevented U.S. authorities from arresting Haroon Rashid Aswat (CNN report), the mastermind of the attack. US and South African intelligence forces wanted Mr Aswat, but the UK refused. Why? Because he had no ePassport?

Price

Another issue is the price: how can the Home Office justify last year’s £50 increase in the price of a passport? The chip is cheap — about a pound. The reader is not that expensive — around a thousand pounds.

“The Passport Office is run as a private company. It does not receive any money from the government, and the fees have been increased following an improvement in security measures, such as interviews or investigations of citizens who ask for a passport,” the Home Office says. So why has this not been clearly announced?

In fact, everybody should have the right to have a passport and the expense should be proportional to your income, but in this country poor and rich people pay the same.

The ePassport is certainly not the primary cause of the increase in fees.

PS By the way, if you have already paid for your ePassport and got it, we have some good news: envelop it in some aluminium foil and nobody will be able to sniff anything — not even the police.

By Mario

This entry was posted on Tuesday, January 16th, 2007 at 12:09 pm and is filed under U.K.