Investigating the UK "Biometric" Passport with ISO 14443 contactless chip

June 14, 2006

Spy Blog:

Adam Laurie has published his first go at reading the new ISO 14443B contactless chip in a new-style UK "Biometric" Passport (no fingerprints or iris scans are stored in the "Biometric" Passports yet, only a digitised photo image).

This standard seems to be the one which will also be used in the UK Identity Cards, especially the ones which are valid for travel within the European Union, according to this Written Answer to Adam Holloway MP.

The chip seems to be generating a pseudo-random id number, something which is not specified in the International Civil Aviation Organisation's Machine Readable Travel Document specifications, but which companies like Axalto (formerly owned by Schlumberger) also seem to be doing with US "Biometric" Passports.

Unless and until such a feature is agreed internationally as a modified ICAO standard, then these "Biometric" passports will be internationally incompatible, and a waste of time and money.

However, since the tests were only on one example Passport, they say nothing about any underlying weaknesses in the collision avoidance protocol, which could still allow individuals to be tracked remotely, or be used to target individuals or groups in terrorist attacks (see "Security and Privacy Issues in E-passports" by Ari Juels, David Molnar, and David Wagner).

This UK "Biometric" passport still appears to be vulnerable to the "man-in-the-middle" relay attacks which Gerhard Hancke has already shown to work with cheap equipment.

Cross posted from Spy Blog

Posted by wtwu
