Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Another Setback for Biometric Passports

Posted by ScuttleMonkey on Mon Jan 30, 2006 10:47 AM
from the tin-foil-bag-with-your-tin-foil-hat dept.
Privacy Security
trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."
+ -
story

Related Stories

[+] Identity Theft From Tossed Airline Boarding Pass? 297 comments
crush writes "The Guardian newspaper has a great story about how the gathering of information for 'anti-terrorist' passenger screening databases allowed a reporter and security guru Adam Laurie to lay the groundwork for stealing the identity of a business traveller by using his discarded boarding-pass stub." From the article: "We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information."
[+] IT: Biometrics Win Support From the Lazy 124 comments
judgecorp writes "We're used to discussions about privacy and security, but amongst users, the real issue is ease of use, according to a survey by Unisys. It's not a huge sample, but ten percent of the users in Asia were happy to be chipped and have done with it." From the article: "Frost & Sullivan security analyst James Turner said while speed of identity verification may be driving people's acceptance of biometrics, the key issue is that biometrics can be a security block, rather than an enabler. Turner added that what is more important in the smartcard debate is ratifying exactly where the identification data is stored. "
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Another Setback for Biometric Passports 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Precision & Recall (Score:5, Insightful)

    by eldavojohn (898314) * <my/.username@@@gmail.com> on Monday January 30 2006, @10:48AM (#14598671) Homepage Journal
    The biggest setback to biometric security is that few companies post the actual numbers concerning their precision and recall.

    Before I ever buy into a biometric security device, I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.

    Their sites should have a slider that goes between zero and one with the resulting number. That way, I would know how many times out of a hundred my guards are going to let Bin Laden Jr. through my security check points. But I also want to know how many times my guards are going to throw Grandma-down-the-street against the hood of a car and arrest her for being a dead hijacker from an infamous attack. Implementers of biometric security just don't seem to grasp the concept that a false positive can be a problem just like a true negative. Every white paper I've read on this issue makes certain that they include these figures at the end of their paper.

    Because if you hit the production line, these numbers are all that matter to your consumer.
    • Implementers of biometric security just don't seem to grasp the concept that a false positive can be a problem just like a true negative.

      Because it's not their problem...

      //nyuk nyuk nyuk

    • Re: Precision & Recall (Score:5, Funny)

      by Black Parrot (19622) * on Monday January 30 2006, @10:54AM (#14598725)
      > I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.

      What page of the Kama Sutra are you referring to? I can't find any of that stuff in the index.

    • Re:Precision & Recall (Score:4, Insightful)

      by dazedNconfuzed (154242) on Monday January 30 2006, @11:24AM (#14599037)
      Another angle:

      Statistics mean nothing when they happen to YOU.

        • Re:Precision & Recall (Score:4, Informative)

          by Sique (173459) on Monday January 30 2006, @12:38PM (#14599684) Homepage
          The grandma-slamming type is called 'false positive', the building detonation type is called 'false negative'.
          False positive are supposed to happen much more often, because many more regular people are checked than really dangerous people. Lets calculate some wild guesses: If the identification is 99.99% correct, and you are checking 1 mio people, of which 10 people are really dangerous, you get 100 false positives and about all dangerous ones (the risk to let one of them slip is only at 1:1000). That means only every tenth person you are slamming on the hood of the police car is really a terrorist.
          So biometric identification doesn't really need to be that good to perfectly identify one. It should be perfectionated the other way: To really dismiss the data of a not searched person.
          Back to the example numbers: If the system was able to identify a person 99% for sure, but would be also able to not misidentify a person to 99.9999% (for a tradeoff we basically allow for only a 1:100 chance to identify a person, but make sure that it doesn't falsely identify one by 1:1mio), we would only have 1 person falsely slammed on the car hood, but still were 10:1 sure to not let a suspected terrorist slip.
        • Where you able to get the gold booty after infiltrating the Pirates of the Caribbean?

          Seems from your story that the biometrics did their portion of securing the ride, but since you weren't after industry secrets or trying to access an airplane, no one gave two good fucks about you getting ahead of a family of four.

  • I'm shocked, shocked - (Score:5, Interesting)

    by Black Parrot (19622) * on Monday January 30 2006, @10:51AM (#14598698)
    Data security scheme is cracked as soon as examples become available - whoda thought it?

    Haven't these people been watching the travails of the DRM industry? What kind of ignorance (or arrogance) leads someone to think they can build a portable data repository that won't get cracked?

    • Haven't these people been watching the travails of the DRM industry? What kind of ignorance (or arrogance) leads someone to think they can build a portable data repository that won't get cracked?

      In this case, they're right. The problem isn't the security of the repository, the problem is that they picked a horribly weak key.

      The underlying technology, 3DES authentication to a smart card chip, is extremely well-proven. It's not arrogance to assume that something that has been solid for a long time will

  • It will never be safe. (Score:4, Insightful)

    by IAAP (937607) on Monday January 30 2006, @10:55AM (#14598731)
    These things will NEVER be completely secure. Someone will always figure a way to hack them.

    Eventually, folks will realize, that no matter how hard you try, you will never be completely safe: even if you become a shut-in. We just have to accept that life is terminal and it has inherit risks. Without those risks, life would be waaayy to fucking boring - for me anyway!

    • Keep your passport in an anti-static mylar bag left over from a recent electronics purchase... You'll be all set.

      Why they don't include a layer of this stuff in the cover of the passport is beyond me.
      • Radio can go through those things.

        What you want is a CONDUCTIVE bag, not just anti-static. They're the ones that typically have a grid of black lines, rather than the grey semi-transparent bags.
        • Radio can go through those things.

          Those grey bags *are* conductive. They're what you use to put a toll booth transponder in if you don't want the booth to read it, for example, and they work very well for that. Those things are much higher powered than passport RFIDs.

    • Er.... (Score:4, Insightful)

      by brunes69 (86786) <slashdot&keirstead,org> on Monday January 30 2006, @11:14AM (#14598915) Homepage
      I think you missed the point.

      The point is not that people who crack it can make fake cards (which they *can*, but anyways...), it is that people can read the info off my "secure" biometric ID card from a relativly long distance and use it to steal my identity, for any reason whatsoever.

      I mean, 10m? Some guy could set up a listening post outside my office and read it all through the wall at 10m. The capacity for identity theft is very alarming.

    • While there is some element of truth to that, it's far from the whole story. By that argument, why have speedlimits? Why restrict the sale of weapons to children? Why have any security at an airport whatsoever?

      Yes, we take risks, but we have to decide where to draw the line between mitigating them and inconveniencing ourselves. I don't believe it's an issue of whether to draw that line but actually where to draw it.
      • Yes, we take risks, but we have to decide where to draw the line between mitigating them and inconveniencing ourselves. I don't believe it's an issue of whether to draw that line but actually where to draw it.

        The thing is that we're, as a society, so concerned with risks that are quite rare and completely oblivious to risks that are not so rare - heart disease, lung disease, etc.... The odds are we'll die or, worse from my perspective, become disabled from one of those diseases; which can be mitigated wit

    • Re:It will never be safe. (Score:5, Informative)

      by swillden (191260) <shawn-ds@willden.org> on Monday January 30 2006, @11:39AM (#14599185) Homepage Journal

      These things will NEVER be completely secure. Someone will always figure a way to hack them.

      That depends on what you mean by "completely secure". In this case, the security design is basically very good, but contains a rather obvious flaw. Fix that flaw (and there are a number of fixes) and the result will be "completely secure", against certain forms of attack, anyway.

      The data on the chip is protected by a 3DES key. If you don't know that key, you cannot authenticate to the chip, and the chip will therefore refuse to talk to you. If you do know the key, then you're in. So, someone hit on the simple (and clever) idea of printing the key on the inside of the passport (since all of the data on the chip is also available in printed form on the inside of the passport anyway).

      The problem is that they decided that rather than printing a new, random, 112-bit key, they'd just use some data that already existed in the passport, the MRZ. This value consists of your passport number, birthdate and expiration date. That's actually not a whole lot of entropy, especially since passport numbers are pretty predictable, and ages and passport expiration years are pretty easy to guess. The result: the MRZ can be brute-forced, the key guessed and the passport data retrieved.

      There are a bunch of obvious solutions:

      • Shielded cover. The US is implementing this. The passport cover has an integral wire mesh so that when the cover is closed, the chip's antenna is shielded and the chip is isolated. This also addresses some other potential issues with attackers being able to tell remotely that you have a passport and perhaps even what country it's from, even if it won't actually give them any data about its contents.
      • Print a separate, random key inside the cover and use that instead of the MRZ. It doesn't really need to be 112 bits, either. A 50-bit value would work fine, as long as it doesn't have any guessable portions. The brute force search speed is limited to the speed of the passport chip, so you don't need huge keyspaces.
      • Configure the chip so that after a certain number of consective failed authentication attempts, it locks itself. This will prevent brute force searches, at the expense of perhaps creating a denial of service attack. However, these chips (if not shielded) are already at risk of denial of service attacks, so I don't think that's significant.

      It's popular on slashdot to say "nothing is ever completely secure", and while that statement is literally true, in fact many things can be and are sufficiently secure within the defined operational parameters.



        • I propose a 2D datagram that uses 256 values of greyshades that stores biometric information such as the distance between your eyes, the shape of your head, etc.

          I endeavor to make this datagram human readable.

          I shall call it.. the photograph.

          • I propose a 2D datagram that uses 256 values of greyshades that stores biometric information such as the distance between your eyes, the shape of your head, etc. I endeavor to make this datagram human readable. I shall call it.. the photograph.

            :-)

            The problem with photographs is that they're too easy to modify or replace. Modern passports (and other IDs) use all sorts of fancy tricks to make it hard to replace the photo, but someone with a few million dollars worth of high-end security printing techn

            • Why contactless?

              It can't take that much longer to put the edge of the passport against the stop, and press the button, now, can it?

              Besides, if it requires contact, it should be fairly obvious if someone is trying to steal your data...

              • It can't take that much longer to put the edge of the passport against the stop, and press the button, now, can it?

                Actually, it can. For two reasons which both basically boil down to a desire to be able to use cheap, off-the-shelf components.

                First, positioning the contact plate correctly every time requires that the chip be placed in a fairly rigid medium. Common passports are too soft and when their edges fray or whatever the contact alignment will be off. I suppose this could be addressed either b

                • Thank you for the technical reasons for using "contactless chips".

                  I guess then, that the only problem (or at least, a large one) is in using an easy-to-guess encryption key.

                  Perhaps a barcode (about 112 bits?) that does not have anything else to do with the passport (other than being printed in it) as the encryption key? The passport will need to be in "about the right place" rather than exactly, and the machine can grab the barcode, and decrypt the signal still in about 2-3 seconds (I'm guessing, based on

                  • It only needs to be sufficiently difficult to get the information.

                    Exactly. If the security is good enough that the attacker is more likely to crack you over the head and steal your passport than to mount an electronic attack, then it's done its job. Even with the somewhat-guessable key, it's really not too bad.

                    The need to guess 112 bits worth of encryption key, or actually read the key - much more time (or much more obvious).

                    And it doesn't really need to be 112 bits, either. In my experience, you

              • Wait a minute. Couldn't you use some form of visible watermarking on the photograph so a machine can tell if it was printed correctly?

                Perhaps. The digital signature watermark would have to carry quite a bit of data, though -- on the order of 2KB, at a minimum. You could put that in a 2D barcode, but only barely.

                That approach would also lose the flexibility of read/write data, and the ability to store other sorts of identification information if/when that becomes desirable.

                I'd be a bit worried about

        • Wait a sec...if you have to swipe a barcode or whatnot to decrypt, then why are they using rfid in the first place? You can put a lot of info in those fancy new 2-d barcodes....

          No, you can't. You can put a few hundred bytes, maybe a couple of KB if you make it big. These chips store 60+KB. The standard "test" profile for the ICAO specification contains about 30KB of data.

    • These things will NEVER be completely secure. Someone will always figure a way to hack them.

      Eventually, folks will realize, that no matter how hard you try, you will never be completely safe: even if you become a shut-in. We just have to accept that life is terminal and it has inherit risks. Without those risks, life would be waaayy to fucking boring - for me anyway!

      I have a solution... why don't we not try to track every human being on the planet. There's no possibility of the info being leaked

  • So now what will they propose us? to get chipped? (Score:3, Funny)

    by master_p (608214) on Monday January 30 2006, @11:08AM (#14598860)
    *Tinfoil hat on*

    Since biometric passports failed, are they gonna request us to get chipped? after all, it is for our own good.

  • Nothing to do with biometrics (Score:3, Informative)

    by statemachine (840641) on Monday January 30 2006, @11:11AM (#14598889)
    The "crack" involved reading the chip wirelessly.

    FYI: *ALL* passports are biometric, unless yours for some reason doesn't have a photograph and a description.

  • Because of stupid designers (Score:4, Interesting)

    by Anonymous Coward on Monday January 30 2006, @11:14AM (#14598913)
    Although others are right saying it can never be completely secure, in the case of "e-passports", it's because of stupid design.

    In order to be able to read the card, the reader needs to know some information in the "Machine readable zone", the two lines of letters/numbers and signs below the first page of the passport

    Because there is quite a bit of entropy in the information in the machine readable zone, it could be made reasonably secure -- but the disigners decided _only_ to use the holder's birthdate, passport expiry date and passport number. As the holder's birthdate can be guessed to some degree (to about 1000 days), and the passport number and expiry date are linked (I presume), that leaves rather few possibilities to be tested.

    Stupid designers. They should have added a few (say 20) free chars in the Machine readable zone, to ensure guessing becomes impossible

    (posting anonymously as I don't want my empolyer to become angry)

  • 10 meters in 2 hours (Score:4, Interesting)

    by HTH NE1 (675604) on Monday January 30 2006, @11:18AM (#14598972)
    an attack can be executed from around 10 meters and the security broken... in around two hours.

    But is it that someone would have to be within 10 feet of you for 2 hours to break it, or is it 10 feet to get the data and 2 hours at any distance to break it at leisure?

    In either case, you might want to shield your passport at the movie theater.
    • But is it that someone would have to be within 10 feet of you for 2 hours to break it,

      10 meters is about 33 feet, not 10 feet.

      Even if it does take 2 hours within that range (vs scan now and crack later), somebody set up in, say, a hotel room could read data from adjacent rooms on either side, above and below.

      Depending on how easy it is to get the equipment through airport security, one could set up in various waiting areas and scan away. (Depending on how discriminating the sensors are.)
    • But is it that someone would have to be within 10 feet of you for 2 hours to break it, or is it 10 feet to get the data and 2 hours at any distance to break it at leisure?

      According to one of the followup articles [riscure.com], The attacker must first be within 10 meters of the passport while it is in active use. This means standing fairly close to the customs counter. The attacker intercepts the communications, then can take that information offline and brute force the key. YMMV on the distance estimate since it is

  • My card reeks data (Score:5, Insightful)

    by spyrochaete (707033) <spyrochaete.hyppy@zapto@org> on Monday January 30 2006, @11:27AM (#14599075) Homepage Journal
    No private information should be made available over RFID. If that information has to be transmitted or broadcasted in any way, it should be from a patchable computer system that can change to reflect up-to-date security fixes. Otherwise, as soon as the encryption scheme is cracked, you could just walk down the halls of an airport for 10 minutes and record thousands of IDs.

    Everything gets cracked. In this day and age even "security" is "security through obscurity". RFID is a fantastic technology but it shouldn't be a transmission vector for information of value. That's like visiting a bank in China and yelling your PIN in German, hoping nobody will understand. RFID should only be used for asset tracking, broadcasting otherwise useless data like serial numbers.

    Why do we need RFID for passports anyway? Is it so hard to swipe a card? I wager it's just to give citizens the illusion of privacy while they are scanned from afar. I hope the decision to incorporate RFID - for passports, clothing, or anything people carry - will be debated profusely by governments before being adopted. I think many countries' constitutions are in conflict with technologies of such invasive potential.

    • Re:My card reeks data (Score:4, Interesting)

      by slavemowgli (585321) on Monday January 30 2006, @11:58AM (#14599353) Homepage

      I wager it's just to give citizens the illusion of privacy while they are scanned from afar.

      You probably hit the nail on the head there. Many (most?) people seem to have a gut reaction of saying "hey, up yours!" when somebody proposes something that would, in essence, lead to a "papers please!" scenario (real or perceived), but they're too naive and/or stupid to realise that it's not being *asked* for papers that's the problem, but the fact that you're being identified, probably against your will, and with drawbacks/sanctions/repercussions if you do not agree to it.

      In other words, people are complaining about the symptoms rather than the underlying problem, and RFID arguably makes the symptoms go away; nobody will ask you for your papers after all, but that's not because they don't want to identify you - it's because it's not necessary to ask anymore. Rather, your data will just be read from afar, without you even being aware of it.

      Those politicians pushing for these things are probably drooling over the possibilities. It's even trivially possible to automate the entire process; you could scan entire crowds without them ever noticing, you could track people and build movement databases, and do just about everything that shouldn't be possible (or at least allowed) in a free society.

      Considering that there is absolutely zero advantage in RFID passports for those who'll be required to carry them, it's hard for me to believe that these things are not the reason why there's a push for these.

    • "Why do we need RFID for passports anyway?"

      Otherwise the biometrics and RFID scammers couldnt sell billions of dollars worth of useless equipment to governments who want to appear to be doing something.

      It's simply a good way to separate the taxpayers from their money.
  • So normally when your password is compromised, you change it and try and be more careful next time. What happens when it is possible to duplicate a rubber finger from a fingerprint - done in films, but is it possible now? I don't know. You can't change your fingerprint, so do you just leave it as it is and let whoever it is keep their access?

    • Re:Fingerprint authentication is a bad idea (Score:5, Insightful)

      by SeekerDarksteel (896422) on Monday January 30 2006, @11:39AM (#14599182)
      And this is why I think that ALL machine readable biometric measures will eventually fail. The inherent problem with all biometrics is there is NO method to resecure your authentication method once a compromise has occurred. If someone steals your password you can change it easily. If someone steals a physical key, the lock can be replaced. (A bit costly, but doable). If someone steals your fingerprint, from that point on for the rest of your life you cannot be guaranteed security in a process that uses your fingerprint as authentication. Worse yet, you leave your fingerprints EVERYWHERE. I don't know about you, but I don't leave hundreds of copies of my passwords lying around every day. There's also the argument that it isn't feasable to create fake fingers to pass fingerprint authentication with someone else's prints, but the data has to get digitized somewhere. Once it's all ones and zeros someone doesn't need to create a fake finger. They just need to figure out the right place to put their ones and zeros.

    • Re:Fingerprint authentication is a bad idea (Score:4, Informative)

      by AJWM (19027) on Monday January 30 2006, @12:05PM (#14599407) Homepage
      Yes, it is possible to duplicate a fingerprint -- story made Slashdot about two years ago.

      Essentially just take a photocopy of a fingerprint, make a mask for a printed circuit board from that, etch to give you a mould, and use gelatin or similar to make a cast. The advantage of gelatin over latex is that you can eat the evidence ;-)

      The details can be found in this paper [cryptome.org].

      They were getting aanywhere from 70% to 100% success rate on typical fingerprint scanners, depending on the scanner.

      A google search for "fingerprint scanner mould gelatin" (no quotes) turns up a ton of other articles.

  • More info in English (Score:4, Informative)

    by Ubi_NL (313657) <joris&ideeel,nl> on Monday January 30 2006, @11:56AM (#14599325) Journal
    As the link to the good stuff is hidden in dutch text here it is:
    https://events.ccc.de/congress/2005/wiki/RFID-Zapp er(EN) [events.ccc.de]
  • One thing that should be made clear: this eavesdropping at 10 meters distance, while troubling, is only while the passport is being read at an official station. Passports in people's pockets or desks cannot be read at this distance. It's only when you are displaying the passport and having the chip read by an authorized reader that an eavesdropper with proper equipment can listen in on the data exchange and then decrypt it as described in the article.
    • Is Blair really responsible for dutch biometric passports ? As I understand it, the only reason for europe to implement biometric passports is because they will be required for travel to the USA.

    • If only that were true. I suspect the National Identity Register will die a well-deserved death when Blair goes. However, the basic idea of biometric passports has been carefully woven into all sorts of international agreements. Now every government can just say "Well, you'll need biometrics or nowhere else will respect your passport" as a convenient excuse for not defending the ability of their citizens to move freely and legitimately across national borders without such measures.

      If some combination of t

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.