RFID Passports: Ready or not here they come
The State Department expresses confidence in "e-Passports" while technologists fret about their security risks.
CNNMoney.com | July 13 2006
By Christian Zappone
NEW YORK (CNNMoney.com) -- Imagine being overseas and your identity being available for the taking - your nationality, your name, your passport number. Everything.
That's the fear of privacy and security specialists now that the State Department plans to issue "e-Passports" to American travelers beginning in late August.
Radio Frequency Identification technology, indicated by the symbol, is to be standard in U.S. passports by August 2006.
They'll have radio frequency identification (RFID) tags and are meant to cut down on human error of immigration officials, speed the processing of visitors and safeguard against counterfeit passports.
Yet critics are concerned that the security benefit of RFID technology, which combines silicon chips with antennas to make data accessible via radio waves, could be vastly outweighed by security threats to the passport holder.
"Basically, you've given everybody a little radio-frequency doodad that silently declares 'Hey, I'm a foreigner,'" says author and futurist Bruce Sterling, who lectures on the future of RFID technology. "If nobody bothers to listen, great. If people figure out they can listen to passport IDs, there will be a lot of strange and inventive ways to exploit that for criminal purposes."
RFID chips are used in security passes many companies issue to employees. They don't have to be touched to a reader-machine, only waved near it. Following initial objections by security and privacy experts, the State Department added several security precautions.
But experts still fear the data could be "skimmed," or read remotely without the bearer's knowledge.
Kidnappers, identity thieves and terrorists could all conceivably commit "contactless" crimes against victims who wouldn't know they've been violated until after the fact.
"The basic problem with RFID is surreptitious access to ID," said Bruce Schneier security technologist, author and chief technology officer of Counterpane Internet Security, a technology security consultancy. "The odds are zero that RFID passport technology won't be hackable."
The State Department argues the concerns are overstated. "We wouldn't be issuing the passports to ourselves if we didn't think they're secure," said Deputy Assistant Secretary of State for Passport Services Frank Moss, who noted that RFID passports have already been issued to core State Department personnel, including himself. "We're our own test population."
How skimming works
The equipment needed to skim an RFID chip neither has to be large nor expensive. Nokia sells cell phones capable of reading RFID chips. Texas Instruments sells kits to do the same thing.
In May, researchers at the University of Tel Aviv created a skimmer from electronics hobbyist kits costing less than $110. The equipment was small enough to fit into a briefcase or be disguised in any manner of luggage or clothes that could hide the 15-inch copper tube antenna.
The antenna boosts the read-range from a few inches to a few feet. To extend the range of surreptitious access much further, a second piece of equipment is needed to fake the RFID reader into sending a "read" signal, which is then relayed via radio waves to the skimmer's reader near the targeted RFID chip.
In 2005, a researcher at Cambridge extended the range to about 160 feet while successfully accessing a contactless smart card's details.
ID thieves who figure out a way around the security precaution on RFID passports, which includes anti-skimming material in the cover, can use this method in a crowded airport terminal or hotel lobby to conceivably "borrow" someone's ID data and spoof it to another official reader, effectively cloaking themselves in another's persons ID.
Or they could learn a person's nationality, or confirm the identity of someone they were searching for to harm.
"It's a great way for unfriendly elements to set up their own RFID scanning systems and pick Americans right out of a crowd...If you put an RFID scanner in a doorway or maybe a lamp-post," said Sterling, "you can just sit there automatically counting the passing passports."
Even if the skimmed data is encrypted -- as e-Passport information would be -- skilled hackers could potentially save the information and crack it elsewhere.
Researchers at the Dutch security test lab Riscure cracked the encryption on a mocked up RFID passport in two hours using a PC in 2005.
U.S. passports are issued for ten years, which means the RFID chip technology of those passports, along with their vulnerabilities, will be floating around for a decade. Technology would have to "stop cold" Schneier of Counterpane says for improvements in skimming and hacking equipment not to occur.
Moss said the State Department "recognizes that technology will change during the 10 year life cycle of US passports" and that's why it's focusing on more than one technology to protect data.
Sterling, however, compares RFID passports to a "nice yellow armband" -- a big sign on your body announcing your identity. "Would you pay anything for that device?" Sterling asks. "Would you buy it in a travel store because you thought it made you feel safer? Or would you conclude that this technology existed so that you could be treated like a can on a grocery-food shelf?"
Schneier says there are a number of ways to improve the security of RFID passports but the best trick is to not create RFID passports at all. "Someone in the government got it in their head to make it RFID. Yes, its cool technology," said Schneier, "but don't do it because it's cool."
RFID Passports Raise Safety Concerns