Saturday, August 16, 2008

Friday 15 August 2008

Latest from NO2ID

The e-passport is a worldwide standard developed by the International Civil Aviation Organisation (ICAO) following pressure from the US. Each passport carries an embedded chip holding data about the holder. Two years ago Adam Laurie, a security expert, worked with NO2ID to demonstrate how easy it was for others, with the right kit, to read the data on the chip without even taking it from its envelope. It has now been revealed that fake chips could easily be implanted onto a legitimate passport. Following the news of the 3,000 blank passports that were stolen from the back of a van last month, e-passports at present offer no security and are no guarantee against illegal immigrants, and the scope for abuse is enormous.

Awareness is key to educating the public about the dangers of centralised databases containing all manner of information on citizens. A good way of doing this is through the medium of a novel, and author Jeffrey Deaver has done just this in his latest book ‘The Broken Window’. The threat of government databases is the basis of his story, revealing through NYPD forensic consultant Lincoln Rhyme and his detective partner how they go after a psychotic mastermind who uses data-mining to hunt down his victims and implicate complete innocents. Their research reveals the enormity of the Big Brother state and how this data-mining can be used by homicidal maniacs. A true allegory of our times.

New, wider data retention regulations have been published by the government as a proposal to mandate a law requiring all ISPs to retain all users' email, text and Internet records. This vastly extends existing legislation that applied to non-Internet data only. If passed, these laws could be on the statute books by next March. In parallel with this is the so-called ‘Snooper’s Charter’ (as I reported in last Wednesday’s blog), which would allow a whole spectrum of public bodies, including everyone from councils to health authorities, the powers to tap this retained data and, essentially, ‘snoop’ on the public at large.

Meanwhile in Northern Ireland plans to roll out 640,000 free travel passes are being described as an ID card by stealth. John Welford, a Scottish pensioner who is against what these bus passes and their Scottish equivalents could become, has warned of the dangers. In 2005 Scottish MPs rejected a national ID card. Welford believes that the bus passes issued to the most vulnerable section of society - pensioners - are a way around this non-compliance by the Scottish parliament.

Opposition to the outright introduction of ID cards can be easily got round by introducing them in a gradual, almost covert way. Starting out as benefit cards, they can allow free travel for the elderly. But once the cards are in place and holders get used to carrying them their use can later be extended and modified to include chips which, by use of a reader, can be used to track and trace people’s movements. As time progresses their capabilities can be enhanced, drip by drip, until they eventually become mandatory among all age groups, bear more and more personal information and then come with a requirement that they must be carried at all times. Then you’ve introduced your national ID card through the back door! Might this be an alternative method should opposition to their outright introduction become an insurmountable obstruction to the government?

Also in Scotland a controversial ID scheme involving some 8,000 school children from some eight secondary schools is to be introduced. The children involved in this pilot scheme will be fingerprinted so that they can be tracked by teachers, although the proposed plans have come under fire from parents who fear misuse and a lack of adequate controls over who could have access to the fingerprint data.

A Dutch security researcher, Jeroen van Beek, from the University of Amsterdam, has recently shown how he could get a ‘cloned and manipulated’ passport chip to be recognised by any reader, thus allowing a fraudulent user to gain access into a country. This was all done without changing the passport chip itself! He could take a writable RFID chip, load it with personal data, then hash that data and make a self-signed certificate using the same parameters as a legitimate passport signature so that it would pass muster at immigration control. He even went on to show how he could become his own passport-issuing country!

Van Beek then went on to take the passport of a 16-month-old British boy, put it on a £40 smart card reader, punch a code into his computer and retrieve all the information on that card. Of course, this isn’t supposed to happen because of the powerful encryption used. But Adam Laurie, a renowned computer expert, worked out how to crack the encryption code some 18 months ago. This information allowed Mr van Beek to then go on and clone the young British boy’s data chip onto another chip and launch a piece of software called ‘Golden Reader Tool’ (the International Civil Aviation Organisation standard kit for checking biometric passports), and the cloned chip is then flagged up as authentic!

But it only gets better.

On his computer, Mr van Beek alters the cloned chip and removes the image of the child, the Times photographer Michael Crabtree’s son, Thomas, and replaces it with the image of Osama bin Laden. He does the same with the passport of my partner, Suzanne Hallam, installing the image of Hiba Darghmeh, a Palestinian suicide bomber instead. And, if the chips had contained other biometric data, such as fingerprints or iris scans, he could have changed those too.

At first, Golden Reader refuses to authenticate the new, altered chips. A digital key signature, a certificate of authenticity, has been changed, and the reader is concerned. But Mr van Beek falls back on the work of Peter Gutmann, from Auckland University, New Zealand, who found a way to programme another key signature into the chip. The ICAO’s reader software now accepts both chips as genuine.
(TimesOnLine 8 August 2008).
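
The reader-side check that decides whether a self-signed chip is accepted, as an added example that is not part of the original post or the Times report: a reader that only tests a chip's internal consistency accepts data signed by any key, while one that also requires the signer to be an issuer it already trusts does not. The function names, chip layout and sample data are hypothetical, and textbook RSA without padding stands in for the real certificate signatures.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys below

def make_key(p, q):
    # Textbook RSA without padding: a stand-in for the real certificate signatures.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def _hash_list(hashes):
    return repr(sorted(hashes.items())).encode()

def personalise(key, data_groups):
    # Build a constructed chip: data groups plus a signed list of their hashes.
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in data_groups.items()}
    sig = pow(_digest(_hash_list(hashes), key["n"]), key["d"], key["n"])
    return {"dg": dict(data_groups),
            "sod": {"hashes": hashes, "signer_n": key["n"], "sig": sig}}

def check_chip(chip, trusted_signers=None):
    sod = chip["sod"]
    # 1. Every data group must match the hash recorded in the signed list.
    for num, data in chip["dg"].items():
        if hashlib.sha256(data).hexdigest() != sod["hashes"].get(num):
            return "REJECT: data group %d altered" % num
    # 2. The signature over the hash list must verify with the key on the chip.
    n = sod["signer_n"]
    if pow(sod["sig"], E, n) != _digest(_hash_list(sod["hashes"]), n):
        return "REJECT: bad signature"
    # 3. That key must belong to an issuer the reader already trusts.
    if trusted_signers is not None and n not in trusted_signers:
        return "REJECT: signer not trusted"
    return "ACCEPT"

# Constructed sample data (Mersenne primes make the toy keys reproducible).
ISSUER = make_key(2**89 - 1, 2**107 - 1)
UNKNOWN = make_key(2**61 - 1, 2**127 - 1)
TRUSTED = {ISSUER["n"]}

genuine = personalise(ISSUER, {1: b"NAME<<HOLDER", 2: b"photo-A"})
swapped = {"dg": {1: b"NAME<<HOLDER", 2: b"photo-B"}, "sod": genuine["sod"]}
resigned = personalise(UNKNOWN, swapped["dg"])

if __name__ == "__main__":
    for name, chip in [("genuine", genuine), ("swapped", swapped), ("resigned", resigned)]:
        print(name, check_chip(chip), "|", check_chip(chip, TRUSTED))
```

Only the third check, against the reader's own list of trusted issuers, separates the genuine chip from the re-signed one.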
