Tuesday, July 29, 2008

Passports stolen but are "unusable"?

The report on the BBC this morning is that the Foreign Office have had 3000 passports and visa stolen. I did enjoy the bit that said
However, the passport service said the stolen documents could not be used by thieves because of their hi-tech embedded chip security features.... The passports were the new electronic variety which contain a chip replicating the data printed on the document itself. The Identity and Passport Service said the security features would make them unusable on the black market.
Would those be the security features that German security expert, Lukas Grunwald manage to hack some time ago by any chance?

9 comments:

Lola said...

Yep, those are the ones.

Anonymous said...

The claim that the passports are 'unusable' is clearly nonsense.

They might not be usable for travel, but there are loads of uses for a dodgy passport as a false government-issued ID at places that almost certainly don't check the electronic chips. Like buying mobile phones on contract. Or obtaining other identity documents. Or passing through a security check.

Old BE said...

The ones with the RFID bit which is only guaranteed for two years when the passport has a lifespan of ten? The chips which use a similar technology to London's crappy Oyster system?

I feel safe.

silas said...

And it's not compulsory for every border check point to actually have the e-passport reader, is it?

I was greatly amused by Grunwald's hack that sabotages any attempts to read it by code injection.

See here for details.

RobW said...

Of course not. Our government are full proof -- don't you know...

Anonymous said...

Quis custodiet ipsos custodes?

marksany said...

There are lots of uses a passport can be put to that don't need the security chip. Banks, for example, use passports as ID for opening accounts and moving large amounts of money, but they can't read the chip.

Typically, our home office only thinks of a passport how they use it.

Anonymous said...

I assume that these passports will have to have some sort of digital signature on a hash of the personal details before the electronic parts function properly, and that the government believes that the signature key is still secure.

How long the key will remain secure is a very interesting question. The current hack is not relevant as that should not reveal the key (unless they have really ******* up the implementation), but it's hard to believe it's all that secure.

dreamingspire said...

First, passports don't use the same technology as the Oyster system. Oyster uses Mifare memory cards, now well and truly compromised, so system level security measures have to be relied on. Passports use a microprocessor chip capable of strong security functions, but unfortunately govt overdid it again by telling us all about the security before they had managed to implement more than a little bit of it (on the chip and in the systems). They are still not going to implement the system level functions needed to allow us to electronically verify a passport.