RFID Chips Enable Hackers to Sniff Passports

by Rich

Sunday, July 12, 2009 at 11:07 PM EDT

The Los Angeles Times has a story by Todd Lewan, of the Associated Press, about a security researcher named Chris Paget, who went cruising around the streets of San Francisco in his car, looking for electronic US passport cards (PASS cards), which have embedded RFID chips. Within an hour of driving around Fisherman’s Wharf, using a scanner built from readily available parts, he had successfully captured the serial numbers of six pedestrians’ passport cards — without their knowledge.

These PASS cards are not regular passports; they are intended for travelers to Canada, Bermuda, the Caribbean, and Mexico. Since June 1, though, you must have one of these cards, or an approved state-issued alternative, that contains the RFID chip, unless you have an unexpired conventional passport. All US passports issued since 2007 contain the RFID chip (existing passports are still good till they expire).

In the wake of the Sept. 11 attacks — and the finding that some of the terrorists entered the United States using phony passports — the State Department proposed mandating that Americans and foreign visitors carry “enhanced” passport booklets, with microchips embedded in the covers.

The chips, it announced, would store the holder’s information from the data page, a biometric version of the bearer’s photo, and receive special coding to prevent data from being altered.

Security and privacy experts raised a number of concerns about this proposal. Initially, the data on the passport were not to be encrypted, so that each passport was a potential source of data for identity thieves. There was also considerable (and justified) concern about the use of RFID chips, which are designed to be read from a distance. That capability meant that someone could “sniff” data from passports merely by walking through a crowd at an airport, or driving a car around a popular tourist attraction. Finally, if everyone had an identification card (passport, driving license, whatever) that has a RFID chip, then the era of constant electronic surveillance really would be here. Bruce Schneier had an excellent op-ed article in the International Herald Tribune on this issue.

The concern was also reflected in public comments on the issue:

In February 2005, when the State Department asked for public comment, it got an outcry: Of the 2,335 comments received, 98.5 percent were negative, with 86 percent expressing security or privacy concerns, the department reported in an October 2005 notice in the Federal Register.

“Identity theft was of grave concern,” it stated, adding that “others expressed fears that the U.S. Government or other governments would use the chip to track and censor, intimidate or otherwise control or harm them.”

(I would observe in passing that it is remarkable to get 98.5% of a large sample of Americans to agree about anything.) ‘

The State Department did make some changes to the proposal in response. The personal data on the chip is now encrypted, using a technique that requires the optically-scanned information on the data page to perform a decryption. The cover of the passport was also redesigned to incorporate metallic fibers, to produce a sort of “Faraday cage” to hinder remote scanning.

However, the skeptics appear to have been correct. Both Mr Paget’s experiments and others have shown that the RFID tags can be read from a considerable distance, perhaps as much as 10 meters. And there is still a privacy concern about having a “serial number” (of the RFID tag) associated with each individual’s personal data. One need only consider what has happened with the Social Security number (which was specifically not supposed to be used for identification) to predict that these tags will shortly be incorporated into credit bureau records, and many other private sector data bases.

The “Big Brother” style trakcing of individuals is also a very real possibility. There is an amusement park in the UK that uses a very similar technology:

Imagine this: Sensors triggered by radio waves instructing cameras to zero in on people carrying RFID, unblinkingly tracking their movements.

Unbelievable? Intrusive? Outrageous?

Actually, it happens every day and makes people smile — at the Alton Towers amusement park in Britain, which videotapes visitors who agree to wear RFID bracelets as they move about the facility, then sells the footage as a keepsake.

Now the Departments of State and Homeland Security say that their data bases linked to the RFID tags will be secure, and used only for border and immigration control. Maybe so, though even with the best of intentions we should remember that the US goverment does not have a stellar reputation when it comes to information security. And, as with Social Security numbers, there is nothing to stop the numbers being used for other purposes. Also, if the technology is used to track people, then forging the electronic tag would make it possible for someone to seem to be in two places at once.

If the prospect of having your movements followed doesn’t concern you, you might consider this. It would not be that difficult to construct a device that would detect the presence of, say, 10 or more US passports in a given place, or even a specific passport. Enabling that is probably not a really good idea.