New biometric passports can be cloned using £100 equipment sold over internet

 Add your view

A simple microchip reader can clone the information from a passport.

Passports which have rocketed in value to make them more secure can be easily cloned using a microchip reader bought over the internet for less than £100.

The revelation is a huge embarrassment for the Home Office, which has increased the cost of travel documents by 60 per cent in less than a year.

The rise to £66 paid for the introduction of a supposedly-secure biometric chip on the passport, containing the owner's personal details and an image of their face.

The idea was to make it harder to produce a copy of a person's travel document.

But it has now emerged that a simple microchip reader, purchased from the Internet for £95.73, can clone the information - including the photograph.

It could then be used to produced an exact replica of the travel document, complete with a new microchip.

Opposition MPs called for the three million biometric passports issued since March this year from the Home Office's new £60m production lines to be recalled.

Nick Clegg, the Liberal Democrat home affairs spokesman, said: "Three million people now have passports that expose them to a greater risk of identity fraud than before.

"We need an urgent redesign of the biometric passport and a recall of all insecure passports once a new protected design is available."

The fiasco was exposed by the NO2ID campaign, which is concerned similarly poor security will dog the Government's £5 billion ID cards scheme.

They enlisted computer expert Adam Laurie to write a piece of software to suck such data from the chips - a task which took just 48 hours.

The software was then attached to the microchip reader, bought-legally from a UK-based company and dispatched within only four days. Three passports were then stripped of their data, which was loaded on to a laptop computer.

NO2ID said the Government had encrypted the data on the microchip to stop it being stolen - but had made basic mistakes.

Instead of producing a complicated code - the sequence of electronic numbers and letters which unlocks access to the information on the chip - they had simply applied a minimum set of rules published by the International Civil Aviation Authority.

These state the code should include the holder's passport number, date of birth and the document's expiry date - all of which would be clearly visible over the shoulder of somebody preparing to show it to a border guard.

The chip reader, once it knows the code, then has open access to steal the data which it contains.

Mr Laurie said: "The Home Office is using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are breaking one of the fundamental principles of encryption by using non-secret information published in the passport to create a 'secret key'.

"That is the equivalent of installing a solid steel front door to your house and putting the key under the mat."

Gus Hosein, an expert in information systems at the London School of Economics, said: "This is stupid technology. If chips can be cloned they will be used in counterfeit passports."

Phil Booth, of NO2ID, added: "The government is clearly derelict in its duty to protect the privacy and security of British citizens."

The Government opted to introduce the biometric passports after the US authorities - in the wake of September 11 - demanded new security measures on travel documents. Without the changes, any Briton wanting to travel to America would require a visa, causing chaos for millions of holidaymakers.

But it has since decided to make the passports the cornerstone of the ID card project, which is due to begin in 2008 or 2009.

As a result, the cost of a new passport has increased from only £42 in December 2005 to £66. The Home Office said cloning the chip 'doesn't matter'.

A spokesman said: "The information itself cannot be altered; the photo would still be the same so the copy would be of no use to an impersonator trying to use it fraudulently.

"Other than the photograph, which could be obtained easily by other means, they would gain no information that they did not already have - so the whole exercise would be utterly pointless."

 

What's on today   What's on tomorrow

Receive our newsletter