RFID Chips Enable Hackers to Sniff Passports
Sunday, July 12, 2009 at 11:07 PM EDT
The Los Angeles Times has a story by Todd Lewan, of the Associated Press, about a security researcher named Chris Paget, who went cruising around the streets of San Francisco in his car, looking for electronic US passport cards (PASS cards), which have embedded RFID chips. Within an hour of driving around Fisherman’s Wharf, using a scanner built from readily available parts, he had successfully captured the serial numbers of six pedestrians’ passport cards — without their knowledge.
These PASS cards are not regular passports; they are intended for travelers to Canada, Bermuda, the Caribbean, and Mexico. Since June 1, though, you must have one of these cards, or an approved state-issued alternative, that contains the RFID chip, unless you have an unexpired conventional passport. All US passports issued since 2007 contain the RFID chip (existing passports are still good till they expire).
Security and privacy experts raised a number of concerns about this proposal. Initially, the data on the passport were not to be encrypted, so that each passport was a potential source of data for identity thieves. There was also considerable (and justified) concern about the use of RFID chips, which are designed to be read from a distance. That capability meant that someone could “sniff” data from passports merely by walking through a crowd at an airport, or driving a car around a popular tourist attraction. Finally, if everyone had an identification card (passport, driving license, whatever) that has an RFID chip, then the era of constant electronic surveillance really would be here. Bruce Schneier had an excellent op-ed article in the International Herald Tribune on this issue.
The concern was also reflected in public comments on the issue:
(I would observe in passing that it is remarkable to get 98.5% of a large sample of Americans to agree about anything.)
The State Department did make some changes to the proposal in response. The personal data on the chip is now encrypted, using a technique that requires the optically-scanned information on the data page to perform a decryption. The cover of the passport was also redesigned to incorporate metallic fibers, to produce a sort of “Faraday cage” to hinder remote scanning.
However, the skeptics appear to have been correct. Both Mr Paget’s experiments and others have shown that the RFID tags can be read from a considerable distance, perhaps as much as 10 meters. And there is still a privacy concern about having a “serial number” (of the RFID tag) associated with each individual’s personal data. One need only consider what has happened with the Social Security number (which was specifically not supposed to be used for identification) to predict that these tags will shortly be incorporated into credit bureau records, and many other private sector data bases.
The “Big Brother” style tracking of individuals is also a very real possibility. There is an amusement park in the UK that uses a very similar technology:
Now the Departments of State and Homeland Security say that their data bases linked to the RFID tags will be secure, and used only for border and immigration control. Maybe so, though even with the best of intentions we should remember that the US government does not have a stellar reputation when it comes to information security. And, as with Social Security numbers, there is nothing to stop the numbers being used for other purposes. Also, if the technology is used to track people, then forging the electronic tag would make it possible for someone to seem to be in two places at once.
If the prospect of having your movements followed doesn’t concern you, you might consider this. It would not be that difficult to construct a device that would detect the presence of, say, 10 or more US passports in a given place, or even a specific passport. Enabling that is probably not a really good idea.
This article originally appeared on Rich's Random Walks.