Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Security

Another Setback for Biometric Passports 70

trydk writes "The Register has an article on the lack of security in biometric passports. This time, according to Dutch TV program Nieuwslicht (Newslight), the Dutch biometric passports have been cracked, potentially revealing all biometric information stored in them." From the article: "[...] an attack can be executed from around 10 meters and the security broken, revealing date of birth, facial image and fingerprint, in around two hours. Riscure notes that that the speed of the crack is aided by the Dutch passport numbering scheme being sequential."
This discussion has been archived. No new comments can be posted.

Another Setback for Biometric Passports

Comments Filter:
  • Precision & Recall (Score:5, Insightful)

    by eldavojohn ( 898314 ) * <eldavojohnNO@SPAMgmail.com> on Monday January 30, 2006 @10:48AM (#14598671) Journal
    The biggest setback to biometric security is that few companies post the actual numbers concerning their precision and recall.

    Before I ever buy into a biometric security device, I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.

    Their sites should have a slider that goes between zero and one with the resulting number. That way, I would know how many times out of a hundred my guards are going to let Bin Laden Jr. through my security check points. But I also want to know how many times my guards are going to throw Grandma-down-the-street against the hood of a car and arrest her for being a dead hijacker from an infamous attack. Implementers of biometric security just don't seem to grasp the concept that a false positive can be a problem just like a true negative. Every white paper I've read on this issue makes certain that they include these figures at the end of their paper.

    Because if you hit the production line, these numbers are all that matter to your consumer.
    • Implementers of biometric security just don't seem to grasp the concept that a false positive can be a problem just like a true negative.

      Because it's not their problem...

      //nyuk nyuk nyuk
    • by Black Parrot ( 19622 ) * on Monday January 30, 2006 @10:54AM (#14598725)
      > I want to be able to sit down with the numbers and see what happens to the F-measure when I slide beta between zero and one.

      What page of the Kama Sutra are you referring to? I can't find any of that stuff in the index.
    • by Anonymous Coward
      Fingerprints are about 98% accurate for a single finger, 99.99% accurate for two fingers, and on upwards as you include the rest of the fingers and the palm.

      Iris scanning is slightly better than two fingerprints.

      Facial scanning claims range from 90% to 99% accuracy. In the 80% range is more likely from what I've seen, but hard data isn't available. With fingerprints and iris scans, a failure is much more likely to be a false negative than a false positive, while facial scanning results in both types of fail
      • The problem with false positivies is that even if the number of false positives is low, the absolute number of events is high.

        If the test is only wrong .001% of the time (99.999 correct) then you have 10 false positivies for each million people through the system. If you assume that the actual correct positive account is 1 in a million that are trying to bypass something, then given the huge number of people being run through this system this will mean that if you get a "hit" it is more likely a false po
      • > Fingerprints are about 98% accurate for a single finger, 99.99% accurate for two fingers, and on upwards as you include the rest of the fingers and the palm.

        Who cares about accuracy? Disney uses fingerprint based identification for their weekend-hopper passes (and maybe others, but it's been a while) so you can come and go as you please.

        Well, I was at SANS Orlando, and one of my classmates gave me his hopper, because he was leaving early.
        He was military. Fortunatly, i had my summertime buzz-cut inst
        • Where you able to get the gold booty after infiltrating the Pirates of the Caribbean?

          Seems from your story that the biometrics did their portion of securing the ride, but since you weren't after industry secrets or trying to access an airplane, no one gave two good fucks about you getting ahead of a family of four.
    • by dazedNconfuzed ( 154242 ) on Monday January 30, 2006 @11:24AM (#14599037)
      Another angle:

      Statistics mean nothing when they happen to YOU.

    • http://news.bbc.co.uk/1/hi/world/middle_east/15591 51.stm [bbc.co.uk]

      (How long will people continue to believe the official version of events?)

      (Also: Where are the pentagon plane parts, the two 5-ton titaniam jet engines which cannot vaporize in a fire because burning jet fuel is what they are designed to do? Where'd they go? Why are there no pictures? Why did the FBI only release five frames of video, none of which show what actually hit? Why are no photographs available despite the press being on site? Why

  • by Black Parrot ( 19622 ) * on Monday January 30, 2006 @10:51AM (#14598698)
    Data security scheme is cracked as soon as examples become available - whoda thought it?

    Haven't these people been watching the travails of the DRM industry? What kind of ignorance (or arrogance) leads someone to think they can build a portable data repository that won't get cracked?
    • Haven't these people been watching the travails of the DRM industry? What kind of ignorance (or arrogance) leads someone to think they can build a portable data repository that won't get cracked?

      In this case, they're right. The problem isn't the security of the repository, the problem is that they picked a horribly weak key.

      The underlying technology, 3DES authentication to a smart card chip, is extremely well-proven. It's not arrogance to assume that something that has been solid for a long time will

  • by IAAP ( 937607 ) on Monday January 30, 2006 @10:55AM (#14598731)
    These things will NEVER be completely secure. Someone will always figure a way to hack them.

    Eventually, folks will realize, that no matter how hard you try, you will never be completely safe: even if you become a shut-in. We just have to accept that life is terminal and it has inherit risks. Without those risks, life would be waaayy to fucking boring - for me anyway!

    • Keep your passport in an anti-static mylar bag left over from a recent electronics purchase... You'll be all set.

      Why they don't include a layer of this stuff in the cover of the passport is beyond me.
      • Radio can go through those things.

        What you want is a CONDUCTIVE bag, not just anti-static. They're the ones that typically have a grid of black lines, rather than the grey semi-transparent bags.
        • Radio can go through those things.

          Those grey bags *are* conductive. They're what you use to put a toll booth transponder in if you don't want the booth to read it, for example, and they work very well for that. Those things are much higher powered than passport RFIDs.
          • Okay, I'll concede the 'radio shielding' part :)

            However, the typical anti-static bag is only conducative to something like 10 megaohms per cm. Your SKIN is more conductive than that. Perfectly adequate for dissipating static charge, though.

            To me, "conductive" means mere OHMS per cm.
    • Er.... (Score:4, Insightful)

      by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Monday January 30, 2006 @11:14AM (#14598915)
      I think you missed the point.

      The point is not that people who crack it can make fake cards (which they *can*, but anyways...), it is that people can read the info off my "secure" biometric ID card from a relativly long distance and use it to steal my identity, for any reason whatsoever.

      I mean, 10m? Some guy could set up a listening post outside my office and read it all through the wall at 10m. The capacity for identity theft is very alarming.

      • I'm not sure about the "listening post outside my office and read it all through the wall at 10m". These passports must be passive, otherwise the passport office is going to have a bitch of a time when these batteries die. They are read by a "contactless" reader, which means the reader must be physically proximate to the passport. The reader emits a radio signal which gives enough energy to the passive data store to power it and transmit the data dump, which the reader then reads.

        The impression that I go
    • While there is some element of truth to that, it's far from the whole story. By that argument, why have speedlimits? Why restrict the sale of weapons to children? Why have any security at an airport whatsoever?

      Yes, we take risks, but we have to decide where to draw the line between mitigating them and inconveniencing ourselves. I don't believe it's an issue of whether to draw that line but actually where to draw it.
      • Yes, we take risks, but we have to decide where to draw the line between mitigating them and inconveniencing ourselves. I don't believe it's an issue of whether to draw that line but actually where to draw it.

        The thing is that we're, as a society, so concerned with risks that are quite rare and completely oblivious to risks that are not so rare - heart disease, lung disease, etc.... The odds are we'll die or, worse from my perspective, become disabled from one of those diseases; which can be mitigated wit

        • I agree. My seat belt law would be 'if you don't wear it, thats your choice, but if you don't, your medical insurance doesn't have to pay for your injuries.'

          Let people suffer the consequences of thier actions, instead of trying to protect them. I'd think people would smarten up pretty quick if we took that route.
        • They'd get their asses kicked? Yeah, got news for you buddy... people have downed planes before.

          Our security may not be 100 percent effective, but at least its almost impossible to get a bomb on a plane now. Can you imagine the consequences if someone did that 3 or 4 times? Air travel would grind to a halt, economies would crash, and our whole way of life would change.

          I agree that we as a society go overboard in many areas (warning labels because my coffee is hot? Well, DUH, that's why I ordered it!), b
    • by swillden ( 191260 ) <shawn-ds@willden.org> on Monday January 30, 2006 @11:39AM (#14599185) Journal

      These things will NEVER be completely secure. Someone will always figure a way to hack them.

      That depends on what you mean by "completely secure". In this case, the security design is basically very good, but contains a rather obvious flaw. Fix that flaw (and there are a number of fixes) and the result will be "completely secure", against certain forms of attack, anyway.

      The data on the chip is protected by a 3DES key. If you don't know that key, you cannot authenticate to the chip, and the chip will therefore refuse to talk to you. If you do know the key, then you're in. So, someone hit on the simple (and clever) idea of printing the key on the inside of the passport (since all of the data on the chip is also available in printed form on the inside of the passport anyway).

      The problem is that they decided that rather than printing a new, random, 112-bit key, they'd just use some data that already existed in the passport, the MRZ. This value consists of your passport number, birthdate and expiration date. That's actually not a whole lot of entropy, especially since passport numbers are pretty predictable, and ages and passport expiration years are pretty easy to guess. The result: the MRZ can be brute-forced, the key guessed and the passport data retrieved.

      There are a bunch of obvious solutions:

      • Shielded cover. The US is implementing this. The passport cover has an integral wire mesh so that when the cover is closed, the chip's antenna is shielded and the chip is isolated. This also addresses some other potential issues with attackers being able to tell remotely that you have a passport and perhaps even what country it's from, even if it won't actually give them any data about its contents.
      • Print a separate, random key inside the cover and use that instead of the MRZ. It doesn't really need to be 112 bits, either. A 50-bit value would work fine, as long as it doesn't have any guessable portions. The brute force search speed is limited to the speed of the passport chip, so you don't need huge keyspaces.
      • Configure the chip so that after a certain number of consective failed authentication attempts, it locks itself. This will prevent brute force searches, at the expense of perhaps creating a denial of service attack. However, these chips (if not shielded) are already at risk of denial of service attacks, so I don't think that's significant.

      It's popular on slashdot to say "nothing is ever completely secure", and while that statement is literally true, in fact many things can be and are sufficiently secure within the defined operational parameters.

    • These things will NEVER be completely secure. Someone will always figure a way to hack them.

      Eventually, folks will realize, that no matter how hard you try, you will never be completely safe: even if you become a shut-in. We just have to accept that life is terminal and it has inherit risks. Without those risks, life would be waaayy to fucking boring - for me anyway!

      I have a solution... why don't we not try to track every human being on the planet. There's no possibility of the info being leaked

  • by master_p ( 608214 ) on Monday January 30, 2006 @11:08AM (#14598860)
    *Tinfoil hat on*

    Since biometric passports failed, are they gonna request us to get chipped? after all, it is for our own good.
  • by statemachine ( 840641 ) on Monday January 30, 2006 @11:11AM (#14598889)
    The "crack" involved reading the chip wirelessly.

    FYI: *ALL* passports are biometric, unless yours for some reason doesn't have a photograph and a description.
  • by Anonymous Coward on Monday January 30, 2006 @11:14AM (#14598913)
    Although others are right saying it can never be completely secure, in the case of "e-passports", it's because of stupid design.

    In order to be able to read the card, the reader needs to know some information in the "Machine readable zone", the two lines of letters/numbers and signs below the first page of the passport

    Because there is quite a bit of entropy in the information in the machine readable zone, it could be made reasonably secure -- but the disigners decided _only_ to use the holder's birthdate, passport expiry date and passport number. As the holder's birthdate can be guessed to some degree (to about 1000 days), and the passport number and expiry date are linked (I presume), that leaves rather few possibilities to be tested.

    Stupid designers. They should have added a few (say 20) free chars in the Machine readable zone, to ensure guessing becomes impossible

    (posting anonymously as I don't want my empolyer to become angry)
  • 10 meters in 2 hours (Score:4, Interesting)

    by HTH NE1 ( 675604 ) on Monday January 30, 2006 @11:18AM (#14598972)
    an attack can be executed from around 10 meters and the security broken... in around two hours.

    But is it that someone would have to be within 10 feet of you for 2 hours to break it, or is it 10 feet to get the data and 2 hours at any distance to break it at leisure?

    In either case, you might want to shield your passport at the movie theater.
    • But is it that someone would have to be within 10 feet of you for 2 hours to break it,

      10 meters is about 33 feet, not 10 feet.

      Even if it does take 2 hours within that range (vs scan now and crack later), somebody set up in, say, a hotel room could read data from adjacent rooms on either side, above and below.

      Depending on how easy it is to get the equipment through airport security, one could set up in various waiting areas and scan away. (Depending on how discriminating the sensors are.)
    • 10 meters? 2 hours? (Score:3, Informative)

      by Fnord666 ( 889225 )
      But is it that someone would have to be within 10 feet of you for 2 hours to break it, or is it 10 feet to get the data and 2 hours at any distance to break it at leisure?

      According to one of the followup articles [riscure.com], The attacker must first be within 10 meters of the passport while it is in active use. This means standing fairly close to the customs counter. The attacker intercepts the communications, then can take that information offline and brute force the key. YMMV on the distance estimate since it is

    • Ever sat in an airport?
  • My card reeks data (Score:5, Insightful)

    by spyrochaete ( 707033 ) on Monday January 30, 2006 @11:27AM (#14599075) Homepage Journal
    No private information should be made available over RFID. If that information has to be transmitted or broadcasted in any way, it should be from a patchable computer system that can change to reflect up-to-date security fixes. Otherwise, as soon as the encryption scheme is cracked, you could just walk down the halls of an airport for 10 minutes and record thousands of IDs.

    Everything gets cracked. In this day and age even "security" is "security through obscurity". RFID is a fantastic technology but it shouldn't be a transmission vector for information of value. That's like visiting a bank in China and yelling your PIN in German, hoping nobody will understand. RFID should only be used for asset tracking, broadcasting otherwise useless data like serial numbers.

    Why do we need RFID for passports anyway? Is it so hard to swipe a card? I wager it's just to give citizens the illusion of privacy while they are scanned from afar. I hope the decision to incorporate RFID - for passports, clothing, or anything people carry - will be debated profusely by governments before being adopted. I think many countries' constitutions are in conflict with technologies of such invasive potential.
    • "Why do we need RFID for passports anyway?"

      Because it's shiny. Shiny new technology. Why wouldn't you want to have the most technologically advanced passport possible? Don't you know that all thoroughly modern, untested tech is inherently more attractive to tech obsessed governments than older, more reliable stuff.
    • by slavemowgli ( 585321 ) on Monday January 30, 2006 @11:58AM (#14599353) Homepage

      I wager it's just to give citizens the illusion of privacy while they are scanned from afar.

      You probably hit the nail on the head there. Many (most?) people seem to have a gut reaction of saying "hey, up yours!" when somebody proposes something that would, in essence, lead to a "papers please!" scenario (real or perceived), but they're too naive and/or stupid to realise that it's not being *asked* for papers that's the problem, but the fact that you're being identified, probably against your will, and with drawbacks/sanctions/repercussions if you do not agree to it.

      In other words, people are complaining about the symptoms rather than the underlying problem, and RFID arguably makes the symptoms go away; nobody will ask you for your papers after all, but that's not because they don't want to identify you - it's because it's not necessary to ask anymore. Rather, your data will just be read from afar, without you even being aware of it.

      Those politicians pushing for these things are probably drooling over the possibilities. It's even trivially possible to automate the entire process; you could scan entire crowds without them ever noticing, you could track people and build movement databases, and do just about everything that shouldn't be possible (or at least allowed) in a free society.

      Considering that there is absolutely zero advantage in RFID passports for those who'll be required to carry them, it's hard for me to believe that these things are not the reason why there's a push for these.

    • "Why do we need RFID for passports anyway?"

      Otherwise the biometrics and RFID scammers couldnt sell billions of dollars worth of useless equipment to governments who want to appear to be doing something.

      It's simply a good way to separate the taxpayers from their money.
    • There should be one thing on the card - a key. That's all that should ever be on a card - the unique data that can be queried from a system.

      If government wants to read my passport details, they can ask first. If the UK government suggests RFID in passports, I'll be storing it in a foil lined passport holder. They can read it when I take it out.

  • So normally when your password is compromised, you change it and try and be more careful next time. What happens when it is possible to duplicate a rubber finger from a fingerprint - done in films, but is it possible now? I don't know. You can't change your fingerprint, so do you just leave it as it is and let whoever it is keep their access?
    • by SeekerDarksteel ( 896422 ) on Monday January 30, 2006 @11:39AM (#14599182)
      And this is why I think that ALL machine readable biometric measures will eventually fail. The inherent problem with all biometrics is there is NO method to resecure your authentication method once a compromise has occurred. If someone steals your password you can change it easily. If someone steals a physical key, the lock can be replaced. (A bit costly, but doable). If someone steals your fingerprint, from that point on for the rest of your life you cannot be guaranteed security in a process that uses your fingerprint as authentication. Worse yet, you leave your fingerprints EVERYWHERE. I don't know about you, but I don't leave hundreds of copies of my passwords lying around every day. There's also the argument that it isn't feasable to create fake fingers to pass fingerprint authentication with someone else's prints, but the data has to get digitized somewhere. Once it's all ones and zeros someone doesn't need to create a fake finger. They just need to figure out the right place to put their ones and zeros.
      • Just to play a little bit of Devil's Advocate here, I want to point out that with the continuing advancements in surgical and genetic science, changing certain biometric....keys is possible in the future.

        In fact, changing fingerprints, at least in a rudimentary way, is possible now, what with skin grafts and whatnot.
        DNA as a key may present slightly more of a problem, without causing some major physiological changes ;)

        However, I do agree that biometrics presents something of a sticky wicket in that arena, s
      • I'd modify your assertion to say that a compromise of your raw biometric info is impossible to undo. I read an article recently in IEEE Spectrum about methods for hashing the stored information.

        I don't have a citation handy, and I'm not even sure it's publicly available. As I recall, the particular method involved applying a programmable distortion to the image (e.g. fingerprint). Store the distorted pattern as the biometric, and then apply the same transform at the reader to check for a match.

        Then, in th

    • by AJWM ( 19027 ) on Monday January 30, 2006 @12:05PM (#14599407) Homepage
      Yes, it is possible to duplicate a fingerprint -- story made Slashdot about two years ago.

      Essentially just take a photocopy of a fingerprint, make a mask for a printed circuit board from that, etch to give you a mould, and use gelatin or similar to make a cast. The advantage of gelatin over latex is that you can eat the evidence ;-)

      The details can be found in this paper [cryptome.org].

      They were getting aanywhere from 70% to 100% success rate on typical fingerprint scanners, depending on the scanner.

      A google search for "fingerprint scanner mould gelatin" (no quotes) turns up a ton of other articles.
  • More info in English (Score:4, Informative)

    by Ubi_NL ( 313657 ) <joris.benschopNO@SPAMgmail.com> on Monday January 30, 2006 @11:56AM (#14599325) Journal
    As the link to the good stuff is hidden in dutch text here it is:
    https://events.ccc.de/congress/2005/wiki/RFID-Zapp er(EN) [events.ccc.de]
  • ... so will biometric passports.

    Whether it's Labour or Conservatives who win the next election, these are going to get dropped. It's a really half-baked idea, and the evidence is mounting that they will be expensive, inaccurate and fail to deal with terrorism.

    If Blair had any ability at getting things done, he would get it implemented and it would be his poll tax.

    • Is Blair really responsible for dutch biometric passports ? As I understand it, the only reason for europe to implement biometric passports is because they will be required for travel to the USA.
    • If only that were true. I suspect the National Identity Register will die a well-deserved death when Blair goes. However, the basic idea of biometric passports has been carefully woven into all sorts of international agreements. Now every government can just say "Well, you'll need biometrics or nowhere else will respect your passport" as a convenient excuse for not defending the ability of their citizens to move freely and legitimately across national borders without such measures.

      If some combination of t

  • One thing that should be made clear: this eavesdropping at 10 meters distance, while troubling, is only while the passport is being read at an official station. Passports in people's pockets or desks cannot be read at this distance. It's only when you are displaying the passport and having the chip read by an authorized reader that an eavesdropper with proper equipment can listen in on the data exchange and then decrypt it as described in the article.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...