Investigating the UK "Biometric" Passport with ISO 14443 contactless chip
June 14, 2006
Adam Laurie has published his first go at reading the new ISO 14443B contactless chip in a new-style UK "Biometric" Passport (no fingerprints or iris scans are stored in the "Biometric" Passports yet, only a digitised photo image).
This standard seems to be the one which will also be used in the UK Identity Cards, especially the ones which are valid for travel within the European Union, according to this Written Answer to Adam Holloway MP.
The chip seems to be generating a pseudo-random ID number, something which is not specified in the International Civil Aviation Organisation's Machine Readable Travel Document specifications, but which companies like Axalto (formerly owned by Schlumberger) also seem to be doing with US "Biometric" Passports.
Unless and until such a feature is agreed internationally as a modified ICAO standard, then these "Biometric" passports will be internationally incompatible, and a waste of time and money.
However, since the tests were on only one example Passport, they say nothing about any underlying weaknesses in the collision avoidance protocol, which could still allow remote tracking of individuals, or be used to target individuals or groups in terrorist attacks (see "Security and Privacy Issues in E-passports" by Ari Juels, David Molnar, and David Wagner).
This UK "Biometric" passport still appears to be vulnerable to "man-in-the-middle" relay attacks, which have already been shown to work with cheap equipment by Gerhard Hancke.
Cross posted from Spy Blog
Posted by wtwu