"The information contained in the chip is not encrypted, but to access it you have to start up an encrypted conversation between the reader and the RFID chip in the passport.
"The reader - I bought one for £250 - has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.
"The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."
Within minutes of applying the three passports to the reader, the information from all of them has been copied and the holders' images appear on the screen of Laurie's laptop. The passports belong to Booth, and to Laurie's son, Max, and my partner, who have all given their permission.
Booth is staggered. He has undercut Laurie by finding an RFID reader for £174, which also works. "This is simply not supposed to happen," Booth says. "This could provide a bonanza for counterfeiters because drawing the information from the chip, complete with the digital signature it contains, could result in a passport being passed off as the real article. You could make a perfect clone of the passport."
"The problems could get worse when they put fingerprint biometrics on to the passports. There are established ways of making forged fingerprints. In the future, the authorities would like to have automated border controls, and such forged fingerprints [stuck on to fingers] would probably fool them.
"But what about facial recognition systems (your biometric passport contains precise measurements of key points on your face and head)? "Yes," says Grunwald, "but they are not yet in operation at airports and the technology throws up between 20 and 25% false negatives or false positives. It isn't reliable.
It takes around four seconds to suck out the information with a reader; then it can be relayed and unscrambled by an accomplice with a laptop up to 1km away. With a Heath Robinson device we built on Tuesday using a Bluetooth antenna connected to an RFID reader, Laurie relayed details of his son's passport over a distance of 10 metres and through two walls to a laptop.
There's more on Wired:
In other words, electronic passport theft is about as handy as regular, commercial identity theft. The real hell would come if the authorities didn't bother to stare at the passport but simply trusted the signal from the chip. Which was supposed to be the idea in the first place: these arphids are supposed to be making transit SAFER AND FASTER AND MORE CONVENIENT, not just introducing a new level of Rube Goldberg snafu.
If we simply returned to the security situation status quo ante on 9/10 instead of 9/11, it would be like the civilized world suddenly got over a massive, self-inflicted stupidity virus. Furthermore, we'd be a lot safer.
There's always hope...
No comments:
Post a Comment