Dutch biometric passport hack raises questions

Whilst the civil liberties aspect of the ID debate continues to rumble in, recent events in the Netherlands that have shown how Dutch biometric passports can be cracked, highlights the important technical important concerns that still need to be overcome.

In order to comply with standards set by the International Civil Aviation Organization (ICAO) the Dutch biometric passport contains a contactless chip that enables the passport to be read remotely by scanners at airports but, according to Dutch smartcard security experts Riscure, and first reported at The Register, personal data can be grabbed from the passport, at a distance of up to 10 metres.

Once the information has been obtained it can then cracked in under 2 hours using flaws built-in to the system to reveal the passport holder’s date of birth, facial image and finger print. The crack is apparently made easier due to the sequential numbering used in the Dutch passport scheme.

Obtaining this information would mean criminals are one step closer to producing forgeries although, in this instance, the Dutch system has yet to be rolled out. An abstract of a presentation by Bart Jacobs, Research Director of the Institute for Computing and Information Sciences, on the process can be found here.

The news from the Netherlands will have an interesting bearing on our ID card debate as Britain is planning to place contactless chips in ID cards to enable them to be used as an alternative to passports for travelling within the European Union.

The UK government claims the chip will only be readable from about 2cm away but problems over the skimming of data have plagued the US passport rollout with anti-skimming measures introduced to ensure the passport can only be read when opened.

Best keep a bit of tin foil handy for your ID card then.