Monday, August 07, 2006

The clones are coming

Various predictions have been given for when the biometric chip in ID cards/passports would finally be cracked - the Government was saying 5-10 years, the industry analysts (bidding for the work) were saying 2-5 years. The real answer: 5 months.

Yes, the facial recognition chip was introduced in the UK in March. Hacker and employee of DN Systems, Lukas Grunwald, demonstrated an exploit to clone biometric chip data at the Black Hat conference on Thursday last week. In an exploit that took less than two weeks to perfect, Grunwald successfully figured out how to read, copy and burn the data on the International Civil Aviation Organisation (ICAO) standard passport chip.

At the moment, the data can't be changed. So is a cloned chip totally useless? After all - if it's not my face on the chip, what good will it do me? This report from The Register goes into some detail, but the position as I see it is as follows:

1) The RFID chip crucially contains a serial number - a unique passport number - which currently appears on the passport itself in machine-readable font. In future, the printed number will be ignored in favour of the number on the chip. Lists of the passport numbers of banned travelers or "persons of note" (for example, those convicted of football-related violence trying to travel during the World Cup) will be checked by comparing the number on the chip against the passport numbers on the list.

2) A cloned chip with a "clean" passport's number, i.e. a passport that is not on any blacklist, won't trigger an alert. So if you can get the cloned chip to be read instead of your own then you can pass through security without triggering an alarm.

3) There are two ways that you can use a cloned chip: Firstly - by inserting it into a forged passport; secondly by "overlaying" the chip in the passport by disabling or shielding the original chip and attaching a new chip to your passport holder for example.

4) Of course the chip also contains facial recognition details. However, the matching will be prone to a number of false negatives (deciding you aren't you because you've not shaved this morning). With false negative results of between 12% and 94% in the Biometrics Trial (see page 58 of the official report), how long before passport checking staff adjust their behaviour to let through the (conservatively) one in eight travelers who don't match their chip? The usual strategy to reduce false negatives is to relax the accuracy of the system. Simply put, to reduce the false negatives you raise the number of false positives: e.g. deciding you look enough like your brother to let you through on his passport. So clone the chip of someone who looks a lot like you and who either won't notice or won't mind that you've borrowed their passport to do so and you might just get through anyway.

5) So we're back to the "good old, bad old days" (pre March 2006), where trying to blag your way through customs on someone else's passport is possible as long as there's a fairly acceptable resemblance, right? Wrong - we could actually be worse off, from a security point of view. As The Register's report puts it:

"The mere presence of the reader, the chip and the general ePassport security pixie dust will - no matter what the circulars say - have a psychological effect on border control staff. They will tend, because the machine says the passport's clean, to drop their guard, not really inspect either picture or bearer properly. This kind of effect is well documented, and it's the same kind of thing as people walking in and out of companies unchallenged despite wearing a security tag in the name of 'Michael Mouse'."

No offence, but your facial biometric doesn't look so good...

See the latest news via Google on this story.
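
The threshold trade-off from point 4, worked through as an added example that is not part of the original post. The scores are constructed for illustration (they are not Biometrics Trial data), and the 0-100 similarity scale and function names are assumptions.

```python
"""False negative / false positive trade-off for a face-match threshold.

All scores are constructed for illustration on an assumed 0-100 similarity
scale; they are not data from the Biometrics Trial.
"""

# Constructed: the genuine holder compared against their own chip template.
GENUINE = [91, 88, 86, 84, 83, 81, 79, 78, 76, 74, 72, 69, 66, 62, 58, 51]
# Constructed: a different person who resembles the holder (e.g. a sibling).
LOOKALIKE = [77, 73, 70, 68, 65, 63, 60, 57, 55, 52, 48, 45, 41, 38, 33, 27]


def false_negative_rate(genuine, threshold):
    """Fraction of genuine holders rejected (score below the threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_positive_rate(impostor, threshold):
    """Fraction of non-holders accepted (score at or above the threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def strictest_threshold_for(genuine, max_fnr):
    """Highest threshold whose false negative rate stays within max_fnr."""
    for threshold in range(100, -1, -1):
        if false_negative_rate(genuine, threshold) <= max_fnr:
            return threshold
    raise ValueError("no threshold meets the requested false negative rate")


def sweep(genuine, impostor, thresholds):
    """Return (threshold, FNR, FPR) rows for each candidate threshold."""
    return [(t, false_negative_rate(genuine, t), false_positive_rate(impostor, t))
            for t in thresholds]


if __name__ == "__main__":
    for t, fnr, fpr in sweep(GENUINE, LOOKALIKE, [80, 70, 62, 51]):
        print(f"threshold {t:3d}: false negatives {fnr:6.1%}  "
              f"lookalike accepted {fpr:6.1%}")
    t = strictest_threshold_for(GENUINE, 0.125)  # tolerate one in eight
    print("threshold needed for <= 1 in 8 false negatives:", t)
```

With these constructed scores, a threshold strict enough to reject every lookalike turns away most genuine holders, while relaxing it until only one in eight genuine holders is rejected accepts more than a third of lookalikes.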
