How a baby became Bin Laden

I’m always wondering about the trend toward more IT in passports, government transactions and medical systems. Stuff like that has been pushed by the industry for years now, with no one ever bothering about its usefulness or – behold – its business case. In my view, this is driven purely by vendor sports.

Look at this:

“Jeroen van Beek takes the passport of a 16-month-old British boy and puts it on to a £40 smartcard reader the size of an iPod. He punches a code into his computer and, within seconds, the information contained in the passport’s microchip appears on screen.

This is not supposed to happen, as communication between the chip and the reader uses powerful encryption, but a renowned British computer expert called Adam Laurie worked out how to crack the code 18 months ago.

On his computer, Mr van Beek alters the cloned chip and removes the image of the child, the Times photographer Michael Crabtree’s son, Thomas, and replaces it with the image of Osama bin Laden. He does the same with the passport of my partner, Suzanne Hallam, installing the image of Hiba Darghmeh, a Palestinian suicide bomber instead. And, if the chips had contained other biometric data, such as fingerprints or iris scans, he could have changed those too.”

Passports are often valid for 5 years or more. From the sales pitch until the roll-out, the technology used is probably 5 years old already.

I have spent roughly 10 years in PKI and security-related topics, and I haven’t seen a single technology that could be secure over such long time periods.