Biometric passport

Biometric Authentication (BA)

I highly recommend you read wikipedia: Biometric passport first as it covers the subject well.


Executive Summary

Pieces of paper or plastic are relatively easy to counterfeit, so most can be made more secure by adding a digital signature. This could in principle be included as scannable text or a bar code, but digitized photo IDs require several kilobytes, and the most convenient way to store that is on a small chip. On its own, this is a good idea: Provided that the issuer's private signature key isn't compromised, it really does help reduce counterfeiting, which is why banks are adding chips to credit and debit cards.

The European version of the biometric passport is planned to have digital imaging and fingerprint scan biometrics placed on the RFID. The government of UK thinks that the public has a negative opinion of RFID chips so instead they call it a contactless chip.

The UK BP are the only type of passport you can get in the UK since 2006-03-06.

Contacting the helpful people a NO2ID would be recommended as the new passport and the id card scheme appear to have become intertwined.

Background

The new passports will be fully compliant with ICAO regulations, including a digital version of the holders photograph on a chip embedded in the passports. The cost of the new passports will be £51 to rise to £70 over next 2 years and £85 in 2008. The biometric passport will contain a radio frequency contactless integrated circuit that conforms to ISO 14443.

About 70 new passport offices are to be opened - and thousands more staff employed.

This year about 600,000 first time applicants will be obliged to attend a passport office for interview before a passport will be issued.

UK Passport Service “Later in the decade we may require all applicants (first time and renewals) to apply in person so that they can be interviewed and have their fingerprints and possibly biometrics recorded”. This will be around 7 million people each year.

Data Held

Officially we do not know what data will be held on the chip but the Dutch chip held the following information: date of birth, facial image and fingerprint.

To comply with the new international standards biometric passports require a digital photograph that is machine readable.

On 31 Jan 2007 Gordon Prentice MP asked the Secretary of State for the Home Department "whether iris scans are to be included in passport chips" and received the following reply:

The e-Passport, which was introduced in 2006, contains an embedded chip which holds data on the bearer in line with ICAO (International Civil Aviation Organisation) recommendations. At present this data is limited to biographical data such as name, date of birth etc. and a digital photograph of the passport holder. In the future, in line with other European countries, we plan to include images of two of the passport holder's fingerprints but we have no plans to store images of the passport holder's irises on the passport chip.

Problems and Concerns

The House of Commons' science and technology committee called on the government to reconsider the technology behind the biometric ID scheme.

It only took Lukas Grunwald, a consultant with a German security company, less than a fortnight and equipment costing just £105 to discover a method for cloning the information stored in the new passports, transferring data onto blank chips which could then be implanted in fake passports.

The information that will be stored on the chip has not been made public and privacy activists have questioned why.

As there will be a high degree of standardisation across Europe it is reasonable to assume that the UK BP will hold the same information as the Dutch chip (DOB, facial image and fingerprint).

The biggest problem with the BP is strangely not that they contain biometric information, as a photo is a crude form of biometric information.

The biggest problem is that they use radio to communicate, thus opening a major weakness that did not have to happen. The RFID chips are meant to only transmit over a small distance but if you build a large aerial and have more sensitive receivers you can read them from a greater distance, potentially much greater distances if you are willing to spend the money. This leads to two problems, the interception of the information transmitted and the potential to track the location of anyone with a BP.

To stop skimming, this information has to be encrypted but this encryption has proved to be weak. The Dutch were the first to run into this problem.

To stop information being intercepted casually or people being tracked the American BP at first had a wire mesh added to try stop the RF signal. This is not a fool proof solution but goes a very long way to reducing the distance that a signal can realistically be skimmed from. I know some members of ORG have knowledge of RF work so they may wish to add comments here.

If you can be present when the cover is opened or gain physical access to the passport for even a second, the contents of the chip can be read unless the data is stored in a encrypted form. We do not know if it is stored encrypted or if it is, how good that encryption will be.

A group of German privacy hackers have come up with a portable device that can wipe a passive RFID-Tag permanently, called the RFID-Zapper.

Why broadcast passport data at all? With machine-readable travel documents that require physical contact between passport and reader, you can rest assured that your passport will only be read when you intend to show it, eliminating any risk of surreptitious reading.

During the UK Passport Service Biometric Trial an average Verification delay of between 40 seconds for the best group and 80 seconds for the worst performing group were recorded. This would seem to be an unacceptably long time. These kind of problems show up with any hi-tech product while still in development, the more worrying thing was that no follow on trials where scheduled and that the passports are now being issued.

During the trial the reported error rates were also astonishingly bad, ranging from 4% for iris scans to around 30% failure for facial recognition. Spy Blog: UK Passport Service Biometric Trial

Links

Organisations

Press

2008-08-06 - The Times - 'Fakeproof' e-passport is cloned in minutes
Author: Steve Boggan
Summary: New microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports. ... In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.
2008-07-29 - Liberal Democrats - Government cannot be trusted with blank passports let alone ID Cards
Author: David Howarth MP
Summary: Commenting on the theft of 3,000 blank passports from a hijacked van, Liberal Democrat Home Affairs Spokesperson, David Howarth said: "The Government has proven time and time again that it cannot be trusted with sensitive documents." "If passports can be stolen this easily, why can't ID Cards?"
2007-06-15 - Liberal Democrats - Passport price rise part of attempt to bury ID card costs
Author: Nick Clegg MP
Summary: Commenting on the news that the cost of a British passport is to rise for the third time in less than two years, Liberal Democrat Shadow Home Secretary, Nick Clegg MP said: "Last time I asked, the Government refused to justify its implausible claim that 70 per cent of the cost of ID cards would be absorbed by new passport costs." "This latest price hike suggests the Government is going full steam ahead with its cynical plan to bury ID card costs inside each and every passport."
2007-03-26 - The Register - IPS explains plan to make copied biometric passports useful
Author: John Lettice
Summary: The Home Office has repeatedly disputed claims that the new biometric passport has been 'cracked', and spokespeople have argued that in any event, none of the exploits so far reported has compromised security. Last week, however, Identity & Passport Service executive director Bernard Herdan inadvertently revealed that the UK was planning to implement a border control system that could make entry on a copied biometric passport easier.
2007-03-05 - The Daily Mail - 'Safest ever' passport is not fit for purpose
Author: Sue Reid
Summary: In just four hours, the Mail hacked into a new biometric passport and stole the details a people trafficker or illegal migrant would need to set up a life in Britain. With out even opening the envelope containing the passport.
2007-02-07 - Liberal Democrats - E-passport flaws highlight larger ID card risk - Clegg
Author: Nick Clegg MP
Summary: Commenting on the National Audit Office’s report into the new electronic passport microchips, Liberal Democrat Shadow Home Secretary, Nick Clegg MP said:"Once again this Government’s fascination with whizz-bang technological solutions appears to be running well ahead of what technology is really able to do." "First we discover that the information on the e-passport chips can easily be hacked into, and now we discover the chips themselves have only a limited shelf life." "If the Government can’t get this right, why should anyone believe they can launch an immeasurably more complex ID card database?"
2007-02-07 - The Register - Replace your broken biometric passport? Just say no...
Author: John Lettice
Summary: Widespread reports (proving at least that the press and opposition parties can speed read executive summaries) damn the Identity & Passport Service for only securing a two year warranty for a product with a ten year lifespan. Ah, but that's by no means the only thing about the project that's broken.
2007-02-07 - BBC - Warning over ePassport microchips
Summary: Microchips in Britain's new ePassports only have two-year warranties, a National Audit Office report says. They are so new, no-one knows how long they will last, or how the scanners reading them will work, the NAO said. Public Accounts Committee chairman Edward Leigh said the fact they had a two-year warranty, when passports were kept for 10 years, was "most worrying".
2007-02-07 - National Audit Office - Identity and Passport Service: Introduction of ePassports
Summary: The Identity and Passport Service has successfully completed its project to introduce electronic passports, or ePassports, on time and to the required international standards. However, longer term risks to value for money remain because of the newness of the technology and unknown performance of border control readers in high-volume situations, a National Audit Office report concludes today. Total set-up costs, when the project closes in a few months’ time are expected to be £61 million compared to a budget of £63 million. The additional cost of producing the electronic element of the new passports is estimated at £195 million between 2005-06 and 2010-11. To cover these costs, the fee for a standard adult passport went up on 5 October 2006 from £51 to £66 and for a child passport from £34 to £45...
2006-12-20 - The Register - Home Office to register biometrics of foreign nationals in UK
Summary: The Home Office is considering the possibility of compelling foreign nationals in the UK to register their biometrics. It said the power would be introduced on a rolling basis and would build on biometric IDs for foreign nationals, which will be introduced from 2008. The policy would target groups such as migrant workers seeking to extend their stay in the UK.
2006-12-15 - BBC - ePassports 'at risk' from cloning
Author: David Reid
Summary: It will, we are promised, keep the unwanted and dangerous outside our borders, while streamlining entry for those welcome to come and visit. But as the implementation of the scheme gets under way it is becoming clear that there could be serious problems with it. ... "It is almost like writing your pin number on the back of your cashpoint card."
2006-12-08 - Telegraph - Face scans for air passengers a step nearer
Author: Tim Hall
Summary: Passengers at Heathrow had their fingerprints taken for the first time yesterday, in tests which could lead to routine biometric scanning at Britain's airports.
2006-12-08 - The Register - UK plans 'real-time' no-fly lists plus fingerprint ID for air travel
Author: John Lettice
Summary: As has been illustrated all too frequently in the past, they don't tell immigration ministers anything - and, if what he had to say this week at the official unveiling of Heathrow's biometric trial is anything to go by, current incumbent Liam Byrne is no exception.
2006-12-06 - BBC - Heathrow begins biometric trials
Summary: Airline passengers at Heathrow airport are being invited to sign up for a British trial of biometric security scanners.
2006-11-17 - Wired - Arphid Watch: Find Own Foot, Aim Hastily, Pull Trigger
Author: Bruce Sterling
Summary: Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes? Bruce Sterling's blistering commentary.
2006-11-17 - The Register - Shock, horror, outrage - biometric passport data snooped, again
Author: John Lettice
Summary: The biometric passport has been 'cracked' again - but it's the same crack as the old crack (which is not exactly a crack). This time it's the new UK passport, and Liberal Home Affairs spokesman Nick Clegg MP is calling for the urgent recall of all the 3 million that have already been issued.
2006-11-17 - The Guardian - Recall demand after cloning of new biometric passports
Author: Steve Boggan
Summary: The government was facing demands to recall 3m micro-chipped biometric passports last night after a Guardian investigation which found that they could be electronically attacked and cloned with a £174 microchip reader.
2006-11-17 - The Guardian - Cracked it!
Author: Steve Boggan
Summary: Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?
2006-10-31 - The Register - Code highlights e-passport eavesdropping risk
Author: John Leyden
Summary: Researchers have released proof-of-concept code that creates a means to read personal details from next-generation passports outfitted with RFID chips.
2006-10-31 - The Register - Fingerprint the expats! FCO plans phase two biometric passport
Author: John Lettice
Summary: Plans to add fingerprints to UK overseas passports are under way, despite the cost and complexity involved in gathering biometrics from UK citizens across the globe, a parliamentary answer revealed last week.
2006-10-23 - The Register - Irish passports go RFID, and naked
Author: Thomas C Greene
Summary: The Irish government has begun issuing RFID passports with biometric data that can be read at a distance to comply with US regulations for its visa waiver programme. But unlike the RFID passports the USA is now issuing, the Irish ones lack a security feature preventing them from being skimmed, or read surreptitiously.
2006-10-22 - The Sunday Times - ‘Terror risk’ for electronic passport
Author: Mark Tighe
Summary: The new Irish e-passport is lacking a basic security feature contained in the American version, leaving Irish passport holders open to targeting by terrorists, according to a leading lobby group. Digital Rights Ireland claims the lack of any shielding in the passports means “skimmers” will be able to detect the passports from picking up their frequencies, and even identify nationality, without the holder knowing.
2006-10-06 - The Register - IPS completes biometric passport move
Summary: The Identity and Passport Service (IPS) has completed its transition to the production of ePassports, replacing the production of traditional passports with those containing a facial biometric.
2006-09-20 - The Register - People prefer iPods to biometric passports
Author: Mark Ballard
Summary: The Home Office has tried to frighten people into taking its identity plans seriously by publishing a marketing survey it said proved their passports were easy targets for ruthless criminals. People care more about their iPods and mobile phones than their passports, according to an Identity and Passport Service (IPS) survey, making passports an easy target for criminals.
2006-08-11 - The Register - Industry group defends e-passports
Author: John Leyden
Summary: A demonstration that the chips on upcoming electronic passports can be cloned does not add up to a threat to either border security or citizen privacy, according to an industry group backing the development of the technology. The Smart Card Alliance argues that e-passports planned for the US rely on multiple layers of security.
2006-08-07 - The Guardian - Hackers crack new biometric passports
Author: Bobbie Johnson
Summary: Hi-tech biometric passports used by Britain and other countries have been hacked by a computer expert, throwing into doubt fundamental parts of the UK's £415m scheme to load passports with information such as fingerprints, facial scans and iris patterns.
2006-08-03 - Wired - Hackers Clone E-Passports
Author: Kim Zetter
Summary: A German computer security consultant has shown that he can clone the electronic passports that the United States and other countries are beginning to distribute this year.
2006-08-03 - Slashdot - Hackers Clone E-Passport
Summary: I guess the sceptical Slashdot community always knew that e-passports are a big waste of time and money; now German security consultants have been able to successfully clone e-passports, even onto building access cards. FTA: 'The whole passport design is totally brain damaged,' Grunwald says. 'From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all.'
2006-07-25 - Telegraph - Cost of passport jumps by 29pc
Author: John Steele
Summary: The ePassport is seen as prototype for the Government's long-term aim of a national identity card scheme. David Davis, the shadow home secretary, said: "The Home Secretary likes to brag about customer satisfaction with the UK Passport Agency. This first instalment of the plastic poll tax that is the ID card system will completely undermine that."
2006-07-25 - The Guardian - Passport price rise 'a tax on holidaymakers'
Author: Alan Travis, home affairs editor
Summary: ID card scheme blamed for second big increase. The cost of a passport is to rise by 29% to £66 from October to pay for the introduction of the first phase of the government's identity card programme. Phil Booth of the NO2ID campaign shared his shock: "This is nothing more than a front for the introduction of the ID scheme. Fifteen pounds a person from October is just the first instalment of a plan that will see you pay £93 or more once ID cards are introduced."
2006-07-05 - Ideal Government - Back to biometrics: EU goes forward to fingerprints
Author: William Heath
Summary: The Commission decision of 28 June 2006 relates to the additional storage of two fingerprints on the passport chip.
2006-06-14 - Spy Blog - Investigating the UK "Biometric" Passport with ISO 14443 contactless chip
Summary: Adam Laurie has published his first go at reading the new ISO 14443B contactless chip in a new style UK "Biometric" Passport (no fingerprints or iris scans are stored in the "Biometric" Passports , yet, only a digitised photo image)
2006-03-06 - BBC - UK biometric passports launched
Summary: The first UK biometric e-passports are to be issued to applicants this week, the Home Office has announced. The hi-tech documents have added security features such as a chip holding the carrier's facial details, in a bid to combat fraud and forgery.
Comments: Also covered on no2id. Lots of news sites also have the same story.
2006-03-06 - The Scotsman - First biometric passports issued to UK travellers
Author: Tony Jones
Summary: The first biometric e-passports will be issued to applicants this week, the Home Office has announced. The new-style passports have added security features, including a chip holding the carrier's facial details, in a bid to combat fraud and forgery.
2006-01-30 - The Register - Face and fingerprints swiped in Dutch biometric passport crack
Author: John Lettice
Summary: Chip skimmed, then security breached, attack can be executed from around 10 metres, revealing date of birth, facial image and fingerprint, in around two hours.
2006-01-30 - The Register - 'RFID tag' - the rude words ID card ministers won't say
Author: John Lettice
Summary: Lengthy descriptions of duck, but no d-word. Explains how the Home Office Minister went to great lengths to describe the contactless, proximity chip with out using the word RFID, and why.
2006-01-27 - Mirror - THREAT OF 'SPY CHIPS' IN ID CARDS
Summary: Plans to fit radio transmitters in identity cards were greeted with fury last night as opponents claimed they could be a spy device. Angry MPs and pressure groups said the cards might lead to a Big Brother state by tracking the movements of innocent people.
Comments: NO2ID comments on story
2006-01-27 - Mirror - ID CARDS AN INTERFERENCE
Author:
Summary: LAW-ABIDING citizens will be horrified at the prospect of being electronically tagged like criminals on parole. Today's disclosure that ID cards are to carry radio transmitters is a dangerous move towards a Big Brother society.
2005-10-31 - The Register - Much of UK biometric passport data for archive, police use only?
Author: John Lettice
Summary: Passports are unlikely to actually use most the "13 biometrics" the Government proposes to collect.
2005-04-30 - Washington Post - Security Concerns Prompt Passport Redesign
Author: Sara Kehaulani Goo
Summary: The State Department plans to improve technology that will be embedded in new U.S. passports after tests this month revealed that information in the documents could be vulnerable to identity theft.
Comments: Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a civil libertarian group that focuses on technology issues, questioned that rationale.
"If you have to have the passport physically scanned, then where's all the supposed convenience of being able to read the passport at a distance," he asked. The argument for having the technology "is sort of falling apart," he said.
2005-03-25 - Times - £85 passport is price of security
Author: Richard Ford
Summary: Plans to counter fraud and identity theft could double the cost of passports over the next three years. Every person applying for a passport may have to attend a face-to-face interview.
Comments: No2ID have the same facts but slimmed down and from a more critical point of view
2004-08-06 - The Register - Home Office prohibits happy biometric passports
Author: Lucy Sherriff
Summary: The Home Office says all new passport photographs must be of an unsmiling face with its gob firmly shut because open mouths can confuse facial recognition systems.
2004-03-30 - BBC - Concern over biometric passports
Summary: Civil rights campaigners have voiced concerns over plans to implement a global biometric identity system for air travellers.

Documents