Home Office dismisses passport RFID hack claims

The Home Office has dismissed claims by a security expert that he can crack the UK’s new biometric passports as unimportant.

Share

The Home Office has dismissed claims by a security expert that he can crack the UK’s new biometric passports as unimportant.

It claimed the hack, by Adam Laurie, a security consultant who has worked with RFID and Bluetooth technology, did not make the passports any less secure.

The attack, which uses a common RFID (radio frequency identification) reader and customized code, siphoned data off an RFID chip from a passport in a sealed envelope, said. The attack would be invisible to victims, he said.

"That's the really scary thing," said Laurie, whose work was initially detailed in the Sunday edition of the Mail on Sunday last weekend. "There's no evidence of tampering. They're not going to report something has happened because they don't know."

The government, which began issuing RFID passports a year ago, eventually wants to incorporate fingerprints and other biometric data on the chips, although privacy activists are concerned over how data will be stored and handled.

Currently, the chip contains the printed details on the passport, the person's photograph and security technology to detect if those files have been altered.

The attack was executed while the passport was still in the original envelope used to send it from the passport service, Laurie said. He used a passport ordered by a woman affiliated with No2ID, a group that opposes the biometric passport and ID card programmes.

The data on the passport's chip is locked until an RFID reader provides the encryption key, Laurie said. The encryption key is calculated using a combination of the person's personal data, such as date of birth, and is contained in the "machine-readable zone" (MZR) -- the string of characters and digits on the bottom of the passport's first page.

At an immigration desk, the optical character reader scans the MZR and gets the key. The RFID chip is unlocked, and the information on the chip is matched with that on the passport.

However, Laurie was able to do this process himself. He analyzed ICAO 9303, the standard from the International Civil Aviation Organization that been adopted worldwide for machine-readable passports, to see how the MZR is organized.

Laurie also knew some of the woman's personal details -- used to calculate her passport's key -- and found out more through Internet research.

He then wrote a "brute force" programme, cracked the key after 40,000 attempts.

To scan the chip, he used a common RFID reader from ACG ID, now part of Assa Abloy Identification Technology of Germany.

The attack could let Laurie begin making an exact copy of the woman's passport. However, the Home Office defended the passports on 6 March, stating "The information on the chip cannot by changed, rendering the procedure described by Adam Laurie pretty pointless."

A cloned chip would have to be inserted into a forged passport, and new security measures in the passports make that "virtually impossible," the Home Office said, quoting a report released last month by the National Audit Office.

But Laurie said the new passports were marketed as enhancing security, "but so far I don't see anything about it that increases my security."

The greatest weakness with the passports is using relatively easy-to-find data to compose the encrypted key, Laurie said. It would be better to include more random elements that would render brute-force style programs almost useless, he said.

Find your next job with computerworld UK jobs