0-day Attack/APT Data leaks VULNERABILITIES Weekly news Windows tips WORLD

Fingerprint glitch in passports swapped left and right hands

True, we accidentally swapped fingerprints for Danish citizens’ left and right hands on their passports, but it probably won’t cause much grief for these 228,000 people, said the head of Kube Data, which encoded the biometric data on the passports’ microprocessors.

The Copenhagen Post quoted Jonathan Jørgensen:

It’s difficult to imagine that this will give citizens much of a headache. It’s only the state police [Rigspolitiet] that has access to the encryption key to where the error is found, and many affected citizens have probably travelled with their passports without any problems.

According to the local news outlet, the fingerprint errors were discovered, by chance, in 2017 by a citizen. The mistake occurs in passports issued between 2014 and 2017.

Denmark introduced biometric passports in 2011, containing digital photos, fingerprints and signatures. The purpose is to fend off identity theft and passport forgery, as well as to fight a roster of other crimes:

The decision to introduce fingerprints in passports has been made at central level in the EU as part of the combat against terrorism, human trade, human trafficking, illegal immigration and other transnational crime. With the new biometric passport Danish citizens are secured the possibility to travel to countries which in the future will demand this type of passport for entry.

Police are looking into whether or not the quarter-million affected passports will need to be replaced. If they do, who’s going to pay for it? They’re discussing that with Kube Data, reportedly trying to make sure that the cost of passport replacement doesn’t come out of Danish citizens’ pockets.

We’ve heard from at least one think tank that has called the stuttering rollout of digital identity a mess. But aside from governments’ unsteady rollout, what about the security of the passports themselves?

As of mid-2018, e-passports had been rolled out in more than 150 countries, according to one vendor. Gemalto says that the future will bring e-passports that will soon store travel information such as eVisas and entry/exit stamps. Plus, with the upcoming version 2 of the logical data structure protocol (LDS2), they’ll move from read-only to read and write.

In other words, they’ll store even more than biometrics.

Let’s hope that Kube Data’s optimism about this left-to-right fingerprint swap is warranted. It’s a bit unnerving to think that errors can creep into the encryption key, an essential piece of keeping all that data secure.