Another Setback for Biometric Passports

Posted by ScuttleMonkey on Mon Jan 30, '06 11:47 AM
from the tin-foil-bag-with-your-tin-foil-hat dept.
trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."

  • Precision & Recall

    (Score:5, Insightful)
    The biggest setback to biometric security is that few companies post the actual numbers concerning their precision and recall.

    Before I ever buy into a biometric security device, I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.

    Their sites should have a slider that goes between zero and one with the resulting number. That way, I would know how many times out of a hundred my guards are going to let Bin Laden Jr. through my security check points. But I also want to know how many times my guards are going to throw Grandma-down-the-street against the hood of a car and arrest her for being a dead hijacker from an infamous attack. Implementers of biometric security just don't seem to grasp the concept that a false positive can be a problem just like a true negative. Every white paper I've read on this issue makes certain that they include these figures at the end of their paper.

    Because if you hit the production line, these numbers are all that matter to your consumer.
    • Re:Precision & Recall by voice_of_all_reason (Score:2) Monday January 30, @11:53AM
    • Re: Precision & Recall

      (Score:5, Funny)
      by Black Parrot (19622) * on Monday January 30, @11:54AM (#14598725)
      > I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.

      What page of the Kama Sutra are you referring to? I can't find any of that stuff in the index.
      [ Parent ]
    • Re:Precision & Recall by Anonymous Coward (Score:1) Monday January 30, @12:04PM
      • Re:Precision & Recall by rahmrh (Score:1) Monday January 30, @01:34PM
      • Re:Precision & Recall by ak_hepcat (Score:1) Monday January 30, @02:56PM
        • Well... by satanami69 (Score:2) Monday January 30, @04:13PM
      • Re:Precision & Recall

        (Score:4, Informative)
        by Sique (173459) on Monday January 30, @01:38PM (#14599684)
        (http://127.0.0.1/)
        The grandma-slamming type is called 'false positive', the building detonation type is called 'false negative'.
        False positives are supposed to happen much more often, because many more regular people are checked than really dangerous people. Let's calculate some wild guesses: If the identification is 99.99% correct, and you are checking 1 million people, of which 10 people are really dangerous, you get 100 false positives and about all dangerous ones (the risk to let one of them slip is only at 1:1000). That means only every tenth person you are slamming on the hood of the police car is really a terrorist.
        So biometric identification doesn't really need to be that good to perfectly identify one. It should be perfected the other way: To really dismiss the data of a not searched person.
        Back to the example numbers: If the system was able to identify a person 99% for sure, but would be also able to not misidentify a person to 99.9999% (for a tradeoff we basically allow for only a 1:100 chance to identify a person, but make sure that it doesn't falsely identify one by 1:1 million), we would only have 1 person falsely slammed on the car hood, but still were 10:1 sure to not let a suspected terrorist slip.
        [ Parent ]
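The base-rate arithmetic in Sique's comment, together with the beta sweep the first poster asks for, as an added example that is not part of either post. The function names are hypothetical, and "99.99% correct" is read here as both the hit rate and the correct-reject rate being 0.9999.

```python
def screen(population, targets, sensitivity, specificity):
    """Expected outcome counts when `population` people pass one checkpoint."""
    innocents = population - targets
    tp = targets * sensitivity            # wanted people correctly flagged
    fn = targets - tp                     # wanted people who slip through
    fp = innocents * (1.0 - specificity)  # ordinary travellers wrongly flagged
    return {"tp": tp, "fn": fn, "fp": fp,
            "precision": tp / (tp + fp), "recall": tp / targets}

def f_beta(precision, recall, beta):
    """F-measure: beta = 0 is pure precision, larger beta weights recall more."""
    b2 = beta * beta
    denom = b2 * precision + recall
    return 0.0 if denom == 0 else (1 + b2) * precision * recall / denom

# (sensitivity, specificity) for the two operating points in the comment.
# Assumption: "99.99% correct" is read as both rates being 0.9999.
OPERATING_POINTS = {
    "symmetric": (0.9999, 0.9999),
    "strict_reject": (0.99, 0.999999),
}

def sweep(population=1_000_000, targets=10, betas=(0.0, 0.25, 0.5, 0.75, 1.0)):
    """Counts and F-measure per operating point for each beta."""
    table = {}
    for name, (sens, spec) in OPERATING_POINTS.items():
        counts = screen(population, targets, sens, spec)
        table[name] = {
            "counts": counts,
            "f": {b: f_beta(counts["precision"], counts["recall"], b) for b in betas},
        }
    return table

if __name__ == "__main__":
    for name, row in sweep().items():
        c = row["counts"]
        print(f"{name}: false alarms={c['fp']:.1f} missed={c['fn']:.3f} "
              f"precision={c['precision']:.3f} recall={c['recall']:.4f}")
        print("  " + "  ".join(f"F({b})={v:.3f}" for b, v in row["f"].items()))
```
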
    • Re:Precision & Recall

      (Score:4, Insightful)
      by dazedNconfuzed (154242) on Monday January 30, @12:24PM (#14599037)
      Another angle:

      Statistics mean nothing when they happen to YOU.

      [ Parent ]
    • Actually, some of the hijackers are alive. by ClintJCL (Score:1) Wednesday February 01, @01:20PM
  • I'm shocked, shocked -

    (Score:5, Interesting)
    by Black Parrot (19622) * on Monday January 30, @11:51AM (#14598698)
    Data security scheme is cracked as soon as examples become available - whoda thought it?

    Haven't these people been watching the travails of the DRM industry? What kind of ignorance (or arrogance) leads someone to think they can build a portable data repository that won't get cracked?
  • It will never be safe.

    (Score:4, Insightful)
    by IAAP (937607) on Monday January 30, @11:55AM (#14598731)
    These things will NEVER be completely secure. Someone will always figure a way to hack them.

    Eventually, folks will realize, that no matter how hard you try, you will never be completely safe: even if you become a shut-in. We just have to accept that life is terminal and it has inherent risks. Without those risks, life would be waaayy too fucking boring - for me anyway!

    • Re:It will never be safe. by ivan256 (Score:2) Monday January 30, @12:07PM
    • Er....

      (Score:4, Insightful)
      I think you missed the point.

      The point is not that people who crack it can make fake cards (which they *can*, but anyways...), it is that people can read the info off my "secure" biometric ID card from a relatively long distance and use it to steal my identity, for any reason whatsoever.

      I mean, 10m? Some guy could set up a listening post outside my office and read it all through the wall at 10m. The capacity for identity theft is very alarming.

      [ Parent ]
      • Re:Er.... by wwphx (Score:1) Sunday February 05, @03:54AM
    • Re:It will never be safe. by Corbets (Score:2) Monday January 30, @12:28PM
    • Re:It will never be safe.

      (Score:5, Informative)
      by swillden (191260) <shawn-sd@willden.org> on Monday January 30, @12:39PM (#14599185)

      > These things will NEVER be completely secure. Someone will always figure a way to hack them.

      That depends on what you mean by "completely secure". In this case, the security design is basically very good, but contains a rather obvious flaw. Fix that flaw (and there are a number of fixes) and the result will be "completely secure", against certain forms of attack, anyway.

      The data on the chip is protected by a 3DES key. If you don't know that key, you cannot authenticate to the chip, and the chip will therefore refuse to talk to you. If you do know the key, then you're in. So, someone hit on the simple (and clever) idea of printing the key on the inside of the passport (since all of the data on the chip is also available in printed form on the inside of the passport anyway).

      The problem is that they decided that rather than printing a new, random, 112-bit key, they'd just use some data that already existed in the passport, the MRZ. This value consists of your passport number, birthdate and expiration date. That's actually not a whole lot of entropy, especially since passport numbers are pretty predictable, and ages and passport expiration years are pretty easy to guess. The result: the MRZ can be brute-forced, the key guessed and the passport data retrieved.

      There are a bunch of obvious solutions:

      • Shielded cover. The US is implementing this. The passport cover has an integral wire mesh so that when the cover is closed, the chip's antenna is shielded and the chip is isolated. This also addresses some other potential issues with attackers being able to tell remotely that you have a passport and perhaps even what country it's from, even if it won't actually give them any data about its contents.
      • Print a separate, random key inside the cover and use that instead of the MRZ. It doesn't really need to be 112 bits, either. A 50-bit value would work fine, as long as it doesn't have any guessable portions. The brute force search speed is limited to the speed of the passport chip, so you don't need huge keyspaces.
      • Configure the chip so that after a certain number of consecutive failed authentication attempts, it locks itself. This will prevent brute force searches, at the expense of perhaps creating a denial of service attack. However, these chips (if not shielded) are already at risk of denial of service attacks, so I don't think that's significant.

      It's popular on slashdot to say "nothing is ever completely secure", and while that statement is literally true, in fact many things can be and are sufficiently secure within the defined operational parameters.

      [ Parent ]
    • I have a solution... by bziman (Score:2) Monday January 30, @02:38PM
  • by master_p (608214) on Monday January 30, @12:08PM (#14598860)
    *Tinfoil hat on*

    Since biometric passports failed, are they gonna request us to get chipped? After all, it is for our own good.
  • Nothing to do with biometrics

    (Score:3, Informative)
    by statemachine (840641) on Monday January 30, @12:11PM (#14598889)
    The "crack" involved reading the chip wirelessly.

    FYI: *ALL* passports are biometric, unless yours for some reason doesn't have a photograph and a description.
  • Because of stupid designers

    (Score:4, Interesting)
    by Anonymous Coward on Monday January 30, @12:14PM (#14598913)
    Although others are right saying it can never be completely secure, in the case of "e-passports", it's because of stupid design.

    In order to be able to read the card, the reader needs to know some information in the "Machine readable zone", the two lines of letters/numbers and signs below the first page of the passport.

    Because there is quite a bit of entropy in the information in the machine readable zone, it could be made reasonably secure -- but the designers decided _only_ to use the holder's birthdate, passport expiry date and passport number. As the holder's birthdate can be guessed to some degree (to about 1000 days), and the passport number and expiry date are linked (I presume), that leaves rather few possibilities to be tested.

    Stupid designers. They should have added a few (say 20) free chars in the Machine readable zone, to ensure guessing becomes impossible.

    (posting anonymously as I don't want my employer to become angry)
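The keyspace argument in swillden's comment and in the anonymous comment above, worked through as an added example (not code from either poster or from the article): it compares the uncertainty in the MRZ fields with the random 50-bit value swillden proposes and with a lockout counter. The check-digit rule is the ICAO 9303 one; the five-year validity, the 10,000-number window, the guess rate, the lockout threshold and the sample fields are assumptions made here.

```python
import math

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; 0-9 as-is, A-Z = 10..35, '<' = 0."""
    def value(c: str) -> int:
        if c.isdigit():
            return int(c)
        return 0 if c == "<" else ord(c) - ord("A") + 10
    return sum(value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def key_input(doc_no: str, birth: str, expiry: str) -> str:
    """The three printed fields, each followed by its check digit, that the key is built from."""
    fields = (doc_no.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)

def entropy_bits(doc_numbers: int, birth_days: int, expiry_days: int) -> float:
    """Uncertainty left to a guesser when the fields vary independently over these ranges."""
    return math.log2(doc_numbers * birth_days * expiry_days)

def hours_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Hours needed to try every candidate at the given rate."""
    return 2.0 ** bits / guesses_per_second / 3600.0

def lockout_success(bits: float, attempts: int) -> float:
    """Chance that a guesser wins before a chip that locks after `attempts` failures."""
    return min(1.0, attempts / 2.0 ** bits)

VALIDITY_DAYS = 5 * 365  # assumption: five-year validity period

SCENARIOS = {
    # Nothing known: 9 alphanumeric characters, any birthday in 100 years.
    "mrz_nothing_known": entropy_bits(36 ** 9, 100 * 365, VALIDITY_DAYS),
    # Sequential numbering tied to the issue date (assumed 10,000 candidate numbers
    # per expiry date) and a birthdate guessed to within about 1000 days.
    "mrz_sequential": entropy_bits(10_000, 1_000, VALIDITY_DAYS),
    # Separate random 50-bit value printed inside the cover.
    "random_50_bit": 50.0,
}

def report(guesses_per_second: float = 1e6, lockout_attempts: int = 10) -> dict:
    """Per scenario: bits, hours to try every key, and success chance under lockout."""
    return {name: (round(bits, 1),
                   hours_to_exhaust(bits, guesses_per_second),
                   lockout_success(bits, lockout_attempts))
            for name, bits in SCENARIOS.items()}

if __name__ == "__main__":
    # Constructed sample fields, not a real document.
    print(key_input("XA0000001", "740101", "110130"))
    for name, (bits, hours, p) in report().items():
        print(f"{name:18s} {bits:5.1f} bits  {hours:12.1f} h  lockout p={p:.1e}")
```

The check digits lengthen the string the key is built from but add no uncertainty, since each one is computed from the field it follows.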
  • 10 meters in 2 hours

    (Score:4, Interesting)
    by HTH NE1 (675604) on Monday January 30, @12:18PM (#14598972)
    > an attack can be executed from around 10 meters and the security broken... in around two hours.

    But is it that someone would have to be within 10 feet of you for 2 hours to break it, or is it 10 feet to get the data and 2 hours at any distance to break it at leisure?

    In either case, you might want to shield your passport at the movie theater.
  • No private information should be made available over RFID. If that information has to be transmitted or broadcasted in any way, it should be from a patchable computer system that can change to reflect up-to-date security fixes. Otherwise, as soon as the encryption scheme is cracked, you could just walk down the halls of an airport for 10 minutes and record thousands of IDs.

    Everything gets cracked. In this day and age even "security" is "security through obscurity". RFID is a fantastic technology but it shouldn't be a transmission vector for information of value. That's like visiting a bank in China and yelling your PIN in German, hoping nobody will understand. RFID should only be used for asset tracking, broadcasting otherwise useless data like serial numbers.

    Why do we need RFID for passports anyway? Is it so hard to swipe a card? I wager it's just to give citizens the illusion of privacy while they are scanned from afar. I hope the decision to incorporate RFID - for passports, clothing, or anything people carry - will be debated profusely by governments before being adopted. I think many countries' constitutions are in conflict with technologies of such invasive potential.
    • Re:My card reeks data by iainl (Score:1) Monday January 30, @12:57PM
    • Re:My card reeks data

      (Score:4, Interesting)
      by slavemowgli (585321) on Monday January 30, @12:58PM (#14599353)
      (http://venganza.org/)

      > I wager it's just to give citizens the illusion of privacy while they are scanned from afar.

      You probably hit the nail on the head there. Many (most?) people seem to have a gut reaction of saying "hey, up yours!" when somebody proposes something that would, in essence, lead to a "papers please!" scenario (real or perceived), but they're too naive and/or stupid to realise that it's not being *asked* for papers that's the problem, but the fact that you're being identified, probably against your will, and with drawbacks/sanctions/repercussions if you do not agree to it.

      In other words, people are complaining about the symptoms rather than the underlying problem, and RFID arguably makes the symptoms go away; nobody will ask you for your papers after all, but that's not because they don't want to identify you - it's because it's not necessary to ask anymore. Rather, your data will just be read from afar, without you even being aware of it.

      Those politicians pushing for these things are probably drooling over the possibilities. It's even trivially possible to automate the entire process; you could scan entire crowds without them ever noticing, you could track people and build movement databases, and do just about everything that shouldn't be possible (or at least allowed) in a free society.

      Considering that there is absolutely zero advantage in RFID passports for those who'll be required to carry them, it's hard for me to believe that these things are not the reason why there's a push for these.

      [ Parent ]
    • Re:My card reeks data by Znork (Score:2) Monday January 30, @01:00PM
    • Re:My card reeks data by 16K Ram Pack (Score:1) Monday January 30, @01:17PM
  • by Orange Goblin (945041) on Monday January 30, @12:27PM (#14599078)
    (http://punclox.co.uk/)
    So normally when your password is compromised, you change it and try and be more careful next time. What happens when it is possible to duplicate a rubber finger from a fingerprint - done in films, but is it possible now? I don't know. You can't change your fingerprint, so do you just leave it as it is and let whoever it is keep their access?
    • by SeekerDarksteel (896422) on Monday January 30, @12:39PM (#14599182)
      And this is why I think that ALL machine readable biometric measures will eventually fail. The inherent problem with all biometrics is there is NO method to resecure your authentication method once a compromise has occurred. If someone steals your password you can change it easily. If someone steals a physical key, the lock can be replaced. (A bit costly, but doable). If someone steals your fingerprint, from that point on for the rest of your life you cannot be guaranteed security in a process that uses your fingerprint as authentication. Worse yet, you leave your fingerprints EVERYWHERE. I don't know about you, but I don't leave hundreds of copies of my passwords lying around every day. There's also the argument that it isn't feasible to create fake fingers to pass fingerprint authentication with someone else's prints, but the data has to get digitized somewhere. Once it's all ones and zeros someone doesn't need to create a fake finger. They just need to figure out the right place to put their ones and zeros.
      [ Parent ]
    • by AJWM (19027) on Monday January 30, @01:05PM (#14599407)
      (http://www.ajwm.net/amayer/)
      Yes, it is possible to duplicate a fingerprint -- story made Slashdot about two years ago.

      Essentially just take a photocopy of a fingerprint, make a mask for a printed circuit board from that, etch to give you a mould, and use gelatin or similar to make a cast. The advantage of gelatin over latex is that you can eat the evidence ;-)

      The details can be found in this paper [cryptome.org].

      They were getting anywhere from 70% to 100% success rate on typical fingerprint scanners, depending on the scanner.

      A google search for "fingerprint scanner mould gelatin" (no quotes) turns up a ton of other articles.
      [ Parent ]
  • More info in English

    (Score:4, Informative)
    by Ubi_NL (313657) <joris @ i d e eel.nl> on Monday January 30, @12:56PM (#14599325)
    (Last Journal: Friday May 07, @06:21PM)
    As the link to the good stuff is hidden in Dutch text, here it is:
    https://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN) [events.ccc.de]
  • ... so will biometric passports.

    Whether it's Labour or Conservatives who win the next election, these are going to get dropped. It's a really half-baked idea, and the evidence is mounting that they will be expensive, inaccurate and fail to deal with terrorism.

    If Blair had any ability at getting things done, he would get it implemented and it would be his poll tax.

  • by SiliconEntity (448450) on Monday January 30, @02:29PM (#14600109)
    One thing that should be made clear: this eavesdropping at 10 meters distance, while troubling, is only while the passport is being read at an official station. Passports in people's pockets or desks cannot be read at this distance. It's only when you are displaying the passport and having the chip read by an authorized reader that an eavesdropper with proper equipment can listen in on the data exchange and then decrypt it as described in the article.