Biometric passports… secure or not?

Also on the Register this morning is a worrisome story where the Daily Mail has done an experiment to see just how secure UK biometric passports are.

Short answer – not very really. For a start the data on the card can be read wirelessly, but requires a decryption key to read it.

It seems that the encryption key used to encrypt the biometric chip data is not exactly rocket science to break being made up of the passport number, the holder’s date of birth and the passport expiry date.

So let’s say my new passport number is XYZ1234, my date of birth is 1977-12-12. Both these pieces of information are available on the passport itself, so if someone has your passport in front of you they can recreate the key without any difficulty.

Even if they have only scanned your chip (sounds naughty doesn’t it), passport hackers (in the UK at least) have enough clues on the envelope itself to get them some of the way. The one key piece of info that requires effort is the date of birth. So down the Central Registry office with us to get info on that (or google the person to see if they have a Bebo profile of have put info about their birthday on the web anywhere).

The passport office identifier is on the mailing label and the passport expiry date will usually be within 10 years of the post mark on the envelope. Please note – the envelope has not been opened yet.

Ahhh says you… “but the hacker will still have to get those facts in the right order to break the code. Even my ATM only lets me try 3 times. This technology is surely more secure than that”.

Me arse. It seems that Harry the Hacker can keep going until he cracks the code and gets all your details (including photo and other bio-facts) from the chip.

So, how secure is the Irish system? Do our new biometric passports have a similar vunverability. In my clippings from the Irish Time at home I have a front-page photo of our Minister for Foreign Affairs holding up his new biometric passport when they were launched last year. Clearly visible is his passport number.

So one piece of data down. His date of birth is pretty easily accessible ( narrows it down for us) and we know that biometric passports came into effect in Ireland in 2006. All I need is a bit of cheap kit and a scanner to steal his passport without touching his pockets.