
Guardian hacks 'secure' UK passports

And it took the intrepid cardigan-wearing hacks only 48 hours to, er, hack the new, all-singing, all-dancing biometric passports. Which is pretty disturbing, really.

(I mean, if Guardian scribes can do such futuristic things, I can only assume that the Daily Mail editorial team is currently holed up in a hollowed-out volcano in the south Pacific, keeping a weather eye on asylum seekers, Tory grandees and house prices via massive futuristic video screens and laser beams.)

Three million people already have the 'ultra-secure' next-gen UK passports. In them, security has been boosted by the inclusion of microchips that store the holder's personal details and facial biometric information.

So how was the code cracked? Part of the problem is that the passports were created using standards set by the ICAO (the International Civil Aviation Organisation) in 2003. All well and good, you might think, but the organisation then proudly published the specifications of the passports on its site.

The Guardian article's author, Steve Boggan, then engaged a 'friendly computer expert' (not words that always sit together happily): one Adam Laurie, from Bunker Secure Hosting.

Together the pair set about cracking the passport, and were amazed at how easy a task it proved. They hit the ICAO site and discovered that the passport chips are not, in fact, encrypted. The biometric and identification information is held on an RFID chip, just like the stock information in your local supermarket.

The problem is that the ICAO recommended that the key needed to access the data should comprise, in the following order, passport number, date of birth and passport expiry date. Fatally, these numbers are also contained in the paper passport, if you know where to look. In effect, the passport hands the cracker the key to its code. Bletchley Park is not required. It took Laurie only 48 hours to throw together code to make some sense of the data, and hack the passport.

(There's every chance that I haven't fully understood the science here. Readers of a technical bent may enjoy the original article.)

If the Guardian is to be believed (and I would never doubt its friendly miss-spelt Berliner pages), this is a clear case of hi-tech encryption being undermined by a simple procedural flaw. The newspaper concludes that making a perfect clone of a passport would be relatively simple.

Is this a huge threat to our security? I'm not sure. Clearly the Home Office didn't intend for cloning to be so simple. But in order to create a perfectly cloned passport, an international super criminal would have to get hold of a genuine passport, and then recreate all the hi-tech gubbins. Surely it makes more sense to just nick the original passport?
