By Peter Cochrane, 21 August 2008 14:48
COMMENT
Written in a coffee shop in Mountain View CA and dispatched the next day from a free wi-fi service in the hotel.
What could be easier? Take that old paper passport and add some electronics to turn it into a super-secure means of ID and certification.
After all, we only have to decide on the global standards for content, format, encryption, transmitters, receivers, scanners and so on, and we are home and dry. Right? Wrong.
From the outset such an ideal has been fraught with international disagreements and tensions that start with the need to get standards in place. To be blunt, these standards still don't exist.
But the biggest failure seems to be the rush to get the technology out and into general use. Decisions appear to have been made without enough thought, without modelling, or a view to the future IT capabilities available to those on the dark side.
As far as I can see, every ePassport design introduced to date, including the UK's, Germany's and the USA's, has been demonstrated to be relatively insecure, provided you muster a reasonable set of tech skills.
In short, the information can be read, changed, and cloned. With false passports demonstrated to pass as authentic in UN-approved reader software, the entire program might be expected to be in disarray and in need of a rethink.
But no, everything seems to still be rolling ahead as planned. How can this be? ePassport rollout has started en masse, and it was all supposed to make us more secure, but it appears that the technology provides little or no defence against a determined enemy.
At best it might just speed up our transit at immigration points. But if it is a flawed technology, we will be back where we started, having wasted billions. The long lines of people waiting for a visual inspection a page at a time will still be there.
Of course, this actually is rocket science. It does need a high degree of tech knowledge and capability to get it right. And most countries do have that capability.
Certainly it is available on the international stage. But not, I fear, the management and political nous required to build a successful solution and transition plan.
With any security system it is foolish to rely on any one parameter set or technology approach. It is even more foolish to assume that attackers won't be able to keep up, or even overtake in due course.
All security solutions have to evolve and try to keep ahead of those determined to breach them.
In the case of ePassports there needs to be at least an online database augmentation of the information contained in the embedded chips, and in addition, some form of PIN, password, phrase and/or picture choice known only to the real identity holder. This might just keep ahead of the dark side for some considerable time.
From the outset it seems all ePassport programs to date have been rushed through in some kind of blind panic.
But with any IT project it is essential the managers and politicians are sufficiently versed in technology to grasp what is said to them - and in such cases political imperatives must bow to reality.
Wasting billions is one thing but potentially weakening our security by the temporary illusion of electronic infallibility is another.



Comments
There are 6 comments.
1. Chips
From a US newspaper article:
"Two European researchers have found a way to defeat the chips being placed in passports to eliminate fraud..."
"...was able in about four hours to decipher the key and use an RFID scanner to steal the digital information from a passport contained in a sealed envelope..."
"....He’s spent much of the last year going back and forth with the British government about just what exactly is and isn’t secure with the new passports.
'Every time they’ve said something is infallible we’ve proved them wrong'"
2. Jeremy Wickins
It is a mystery to me why RFID was ever brought into the e-passport programme. The last thing a passport should do is transmit information. As it stands, one can never be sure the information has been lifted, since it can be done without taking the physical passport - a gift to identity fraudsters. If a chip was necessary (and I'm not convinced about that, either), then it should have been contact only - at least the passport would have to be stolen, and therefore missed by the owner, in order to get the info. Unfortunately, I suspect the RFID snake-oil salesmen correctly assessed the level of ignorance on the part of the commissioners - it was known for several years that the manufacturers were actively looking for a "killer app" that would make them a fortune.
3. Karen Challinor
two fallacies about e passports as expounded by politicians and UKIP
1 - they are secure no one can break the encryption and read the contents
wrong, as Chips pointed out in an earlier reply
2 - because they have a chip the epassport is now unforgeable and useless to criminals
wrong again, the data encryption method is known and a huge pile of blank, genuine epassports went missing recently, anyone seriously think they aren't being programmed as we speak
and even then what's to stop a sufficiently technically literate criminal group from developing their own chip that behaves in much the same way and sticking these in their own forged passports after all these things are worth a lot to the right or even the wrong people
plus if they steal a passport they can remove the chip and replace it while altering the rest of the details to suit
so basically the introduction of the epassport has forced the criminal organisations that make the copies to turn out a better product
all it's done is stop the lower end criminal classes from making their own and paying the higher end criminal classes for the good forgeries
which they will pay for with money stolen from us, which they will now need more of, so crime levels will go up because of this
plus we have to pay more for the legitimate ones because of this added infallible layer of security that doesn't actually provide any security
gee thanks HMG & UKIPS I don't know what we'd do without you, but it would probably be cheaper and cause less crime
4. Davidson Scott
Indeed; applauded
5. anonymous
From a very external view of the standards development process, I have noted that this tends to be led by a single organisation or group with a lead or particular innovation in a technology or process. The conclusion I draw from this shallow view is a pseudo political system is in play; where organisations effectively lobby for control of the process or power positions.
As Peter does have greater knowledge and understanding of the standards process, would he be willing to discuss potential solutions?
6. Radical Meldrew
This is a clear case of a government requirement being misinterpreted and ill met by varying technical solutions. I should imagine that ministers around the world have set standards without really knowing or caring about the intricacies of a global scheme.
Results are required, and fast, so they usually settle for reading some of the consultancy hype and listening to a few well chosen arguments from someone who has dealt with this kind of thing before. After that, things simply get nodded through; the whole thing is done and dusted. Errrr… until the tell-tale signs that things could go wrong rise to the surface…
That’s when our politicians become elusive creatures. They are only available for a few well chosen words or disappear altogether, leaving a junior spokesman to fend off any awkward questions.
Which gets me back to my point; are politicians the best people to specify complex requirements internationally? They probably care little or don’t understand the need for uniformity, their primary mission is to defend their own borders and anything that ticks that box is a step forward in their book. Their on-board consultants only feel the need to keep the minister or his department well informed, secure in the knowledge that they are fire proof all the while they meet their contractual obligations in full.
As in economics with diminishing returns, politics has acquired its own theory of diminishing responsibility, which endows projects with levels of diversity that defy all credibility. We saw this many years ago with ATM where it took many years to achieve an accepted standard. We need an effective global standards board with the authority to consolidate ideas and make rational decisions on the best way forward.