If I can scan my own passport, can I scan yours?
If I can borrow yours can I scan it and can I clone it?
If I can clone it, what are the implications?
Android owners with NFC handsets can now read their passports with an official Home Office app - and civil servants want to know what other features could be added to it. UK passports have had chips in them since 2006, containing a digital version of the photograph and other details, all cryptographically signed. Phones …
> and the first to publicly ask: Why bother?
Steady on. If every piece of software, paid or free, was to question whether there was any need for it, there would be hardly any of the stuff around and the likes of GitHub would be an empty wilderness containing the rare few projects that had a life of their own - or corporate sponsorship.
Most amateur written software is produced to demonstrate the prowess of the writer (just like comments in forums are ... ) rather than to make a meaningful contribution to the sum of human happiness. If these guys enjoyed writing their app, and it doesn't harm anyone (and there aren't any security downsides) then what the hell - let 'em do it if it makes them happy.
The only legitimate use for a passport is to allow you to PASS through a PORT when entering a country, where government officials will have all they need to read the document - or is Border Agency going down the BYOD line?
Any other usage (as an ID document etc) is very dodgy, and an attempt to introduce ID cards by the back door.
> Any other usage (as an ID document etc) is very dodgy
Especially in foreign parts where a passport number is often used in lieu of a citizen's ID card number - even on official documents. Buy a house abroad and you could well find your PP number is written into the official documents of ownership. A bit of a bummer as every time you change your passport you get a different number ...
Might have a quick look at this, simply to see who my passport actually thinks I am. Having tried the ePassport gates @ Gatwick now several times (business travel) and getting bounced from them more times than they let me through, I'm becoming convinced I'm either not who my passport thinks I am, or perhaps not who I think I am (not sure which is the more worrying option).
Oh bring back the IRIS gates - quick, simple and they actually worked...
Bit of a pointless (and exceptionally UGLY looking) application imho
My son just got a new passport and I happened to have a quick read through the notes that came with it while sticking them in recycling last night. Think this app is basically an extension of the way they answer the
"How can I find out what info is electronically stored on my passport"
with
"You can see this by using the passport scanner in a passport office"
So, now they can add
"or if you have a suitable Android phone you can use the IPS passport reader app"
I think it's intended as a "reassurance" for people who think there's lots of secret information about them stored electronically on their passport ... but then again, would those people really believe that there isn't lots of secret information stored electronically on their passport that this app won't show!
N.b. cannot comment on exceptionally UGLY looking as I don't have a suitable phone!
The main electronic check of passport data is if the name checks against the number, and (if so equipped) if biometrics match. Gaining access to the stored biometrics means you can feed fully valid data into any system and hey, presto, it was you who did x/y/z. And we all know that according to officials, the computer never lies.
One more argument to buy an RFID proofed passport and credit card holder.
Cloning would involve the physical features of the passport, and signing the data on the chip - so reading is a LONG way from cloning.
One reason for reading the data would be to access the digital photo at a higher level of quality than you would get by scanning the page. Automated entry gates use this approach to compare your face (by taking a photo) to the copy on the passport.
I’m now wondering if there would be some way to use it to prove that you’re physically holding your passport in your hand i.e. passport as 2 factor authentication.... might be a few uses for that.
If the chip only contains stuff that can be optically read from the passport, and if it needs to be optically read for data that is needed to retrieve data from the chip, what's the point in the chip, other than supposedly to spot when the optical data and the chip data doesn't match? I take it that the data on the chip is in some way officially signed to prevent someone tampering with it or faking it.
This Android app as it stands is OK as a basic chip working/not working check, but of little use in the commercial admin world. Perhaps by adding an online element to this program, it could become a useful Passport authenticator, checking that the Passport that has been scanned is indeed an original, authentic document as issued by HMPO. This might well have applications in the world of HR, banking and legal services and if provided for free, would probably enjoy widespread use.
One of the first things I did with my NFC enabled phone was scan my passport with NFC Tag Info, just because.
Although I regret it, as my passport photo is awful!
Having said that, it's easy enough to see the point in the chip for border control, verifying both sets of data, and assuming a "signed" nfc chip.
And good of them to release an official app, so you can see what's on yours, just because. Also immediately made me feel better when I saw you can't drive-by scan passports without knowing the details already.
As the only permission the app asks for is NFC, why worry? It can't access the internet, phone logs etc. As soon as it tried it would crash. One of the good things about Android permissions, if they're not specified in the manifest file, they won't work.
http://www.hackinparis.com/Bypassing-the-Android-permission-model
http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-android-permissions-what-you-need-to-know/
I could go on, but I think that makes the point: perms can't protect you against a malicious app. In this particular case, the reader app could easily invoke the browser to upload your data to a remote website as part of a URL query string.
I have used the scanners at Schiphol with no problem - but the UK version, which looks hugely more complicated and expensive, can't read my passport (or a lot of others). Perhaps the guy who came up with the android app should be given the contract for the airport scanners?
I remember having a very tedious conversation with immigration that went:
Who gets fined/imprisoned if I employ someone without a uk passport/visa? - you do
How do I check they have a uk passport/visa? - ask them to show you it
How do I check it's valid? - you can't
So it could be anyone's passport/visa with the photo replaced? - yes
...and I go to prison if I can't tell - yes
...so all I can do is not employ people who are a bit off white or speak funny - no, that would be illegal sir
This might fill that hole.
Can anyone else get this App to work properly?
I tried it once on my passport - it's very tedious to use as you have to enter the passport number and other data from the same page to show that you have physical access to the passport. It did indeed display my (awful) passport photo, but that's all. I then tried it on my wife's passport which also has a chip. I couldn't get it to work. I then tried it on mine again, re-entering all the necessary data of course. Didn't work this time. So perhaps it's a use-once application?
These are, of course, the people who brought us the Iris scanners at major airports, which in my experience only worked about one time in ten. The new facial recognition terminals at Heathrow were all out of order last time I entered the country, so maybe their reliability is just as good.
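An added example, not part of any comment in this thread and not the app's own code: entering the passport number and other printed details before the chip will answer matches the Basic Access Control scheme in ICAO Doc 9303, where the reader derives its session keys from the machine-readable zone. That the Home Office app works this way is an assumption; the sample values are the specimen MRZ fields from the standard's worked example, and all function names are illustrative.

```python
import hashlib

def _value(ch):
    # MRZ character values: digits as-is, A-Z = 10..35, filler '<' = 0.
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {ch!r}")

def check_digit(field):
    # Repeating weights 7, 3, 1 over the field, sum modulo 10.
    return str(sum(_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10)

def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    # Document number (padded to 9), date of birth and expiry, each with its check digit.
    doc_number = doc_number.upper().ljust(9, "<")
    if len(doc_number) != 9:
        raise ValueError("document number longer than 9 characters is not handled here")
    for date in (birth_yymmdd, expiry_yymmdd):
        if len(date) != 6 or not date.isdigit():
            raise ValueError("dates must be six digits, YYMMDD")
    return "".join(f + check_digit(f) for f in (doc_number, birth_yymmdd, expiry_yymmdd))

def _odd_parity(key):
    # Set the low bit of each byte so every byte has an odd number of 1 bits (DES keys).
    return bytes((b & 0xFE) | (bin(b >> 1).count("1") % 2 == 0) for b in key)

def derive_key(k_seed, counter):
    # K = first 16 bytes of SHA-1(K_seed || 32-bit counter), parity-adjusted.
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])

def bac_keys(doc_number, birth_yymmdd, expiry_yymmdd):
    # Returns (K_enc, K_mac); a reader lacking the printed data cannot compute either.
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return derive_key(k_seed, 1), derive_key(k_seed, 2)

if __name__ == "__main__":
    # Specimen values from the ICAO 9303 worked example, not a real passport.
    k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("K_enc:", k_enc.hex().upper())
    print("K_mac:", k_mac.hex().upper())
```

A single mistyped character in any of the three fields produces unrelated keys, so the chip rejects the reader's authentication attempt and returns no data.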
My understanding is that having made a reasonable attempt to check is a valid defence, and that the law (or the courts) recognise that we are not experts in validating passports. Although it is wise to have a written policy and to keep a record that you can produce if asked. Of course, IANAL.
This does lead me into a concern about this app, though. If an app like this is available, many people might decide they need to use the app, and record the details, to protect themselves. For employers keeping records of right to work it might be reasonable, but how long before a local pub or club decides that you have to produce and scan your passport in order to get in? And then come under pressure to turn over the records to the police when they discover that a terrorist suspect had been in the pub?
In other words, with apps like this around, a passport could become a de-facto national ID card, by the back door. I, for one, will not be producing my passport for any UK business that wants to do business with me.