RFID passports: a tragedy waiting to happen

RFID passports: a tragedy waiting to happen

Summary: You're strolling in the south if France when a van stops, men burst out and in seconds hustle you into the van. "American scum!

SHARE:
TOPICS: Security, Mobility, Wi-Fi
197

You're strolling in the south if France when a van stops, men burst out and in seconds hustle you into the van. "American scum!" they hiss as they hood you. But wearing a Sorbonne t-shirt and no fanny pack, how did they know? Thank your government - and a bad storage choice.

In a recent article Todd Lewan accompanied ethical hacker Chris Paget as he found chipped tourists around San Francisco's Fishermans Wharf - from a van. Your Canadian flag patch won't save you now.

Panic + stupid = RFID passports In 9/11's aftermath panic ruled the nation's domestic security bureaucracies, Congress and the White House. Paranoid mid-level bureaucrats were given free rein to "innovate" and guess what popped up? RFID tags in your passport.

And now they are adding them to driver's licenses too.

Just How Stupid Is It? Threat Level: Red and rising. Passports have a 10 year life, so the bad guys who want your info – or your scalp – will have 10 years of technology advances to refine their technique.

RFID scanners will get smaller and cheaper. You’ll get older and slower.

But the data is encrypted! Well, no, it isn't.

Even if it were encryption works best on unstructured data. What’s in a passport? Name, birthdate, birthplace, date of issue, height, weight, eye color, photo.

Gosh, who could break the code for that? It took security pros using a PC two hours to crack the Dutch version in 2005. Skimming your data for identity theft isn't too hard.

Then: Z-Hunting. Now: RFID Crack & Track Of course you are much more likely to die in a car accident than a terrorist attack. Crime is much more likely.

In the 90's Florida criminals went "Z-hunting" - rental cars had "Z" tags - looking for easily confused or intimidated tourists to rip off. Now foreign criminals - like kidnapping gangs in Mexico - will have the same opportunity.

Put that hammer DOWN, Sarah Connor! Some people - who'd rather not be secretly ID'd as Americans when traveling - have suggested that the chip could be broken with a hammer. True, but the State Department is way ahead of you:

Any passport which has been materially changed in physical appearance or composition, or contains a damaged, defective or otherwise nonfunctioning electronic chip, . . . may be invalidated.

Slaves of the ICAO The irony is that this dangerous scheme was hatched by an administration - America's most popular EX-President - famous for go-it-alone, protect-America-first bluster. And the justification for NOT using a smart card or optical ID system?

This choice is compatible with standards and recommendations of ICAO.

Oh, the United Nations recommended it? Sign us up!

And remember all those ranting "UN-world-government-foreign-laws-destroy-American-freedom" congressman protesting this ill-conceived program? Fox news? Bill O'Reilly? Anderson Cooper? Oprah? Anybody outside the tech and security communities?

Me neither. Probably took the day off.

The Storage Bits take This is a bad tech decision made by people who really don't understand the technology or the pace of change. 10 years - the life of a US passport - is several lifetimes in tech.

It will take almost 5 years before half of all passports are e-chipped. We will have e-chipped tourists wandering around the world for the next 15 to 20 years. And more vulnerable each year.

There are so many better options - smart cards, 2D optical codes, dataglyphs and more - that would not compromise citizen security the way RFID does. I hope some unlucky Americans aren't injured or killed before this misguided program gets revoked.

Comments welcome, of course. Also check out Edward Hasbrouck's blog for some more background.

Topics: Security, Mobility, Wi-Fi

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

197 comments
Log in or register to join the discussion
  • Spot on about RFID - bad technology choice

    However I'm not sure RFID is required to spot the American tourist in
    France;-)
    Richard Flude
    • No fanny pack is a good start.

      Long pants, a button up shirt and a jacket will guarantee that you will be
      taken for anything but American.

      Robin
      Robin Harris
      • Don't forget about...

        leaving a trail of cigarette smoke that a steam locomotive would be proud of.
        Letophoro
    • Actually poor implmentation...

      You should not encode the RFID tag with the actual data, instead code it with some form of
      key, that must be sent back via a secure link to look up the data and then return it.
      mrlinux
      • I guess we know ...

        our leaders don't know the first thing about orginizing data and storing it securely... Although I'm sure it's not like that hackers couldn't just get into the database since the secuirty is likely to have many issues. At least with that idea ,unless you obviously look like an american, you will be safe from the kinds of threats posed by evil frenchies from the south side... lol (and I mean that as a joke and light heartedly btw)
        chrisportela
      • Actually wrong technology....

        Hmm, you need to remember that the RFID tags are powered by passing through a RF field. You start involving challenge response routines and decryption alogrithms in the RFID tag itself and you are going to require a longer RF field scan and much more power. RFID tags by nature are passive, they don't have their own power. In otherwords, RFID tags are not the right technology. Maybe something similar with a battery could work but plain old RFID tags are not a good solution.
        codeguy007
        • Apparently they don't use RFID tags hmm

          Well as posted later on the passports do use a different technology that is more advanced than RFID tags that is capable of processing alogrithms and the like.
          codeguy007
      • No personal info imbedded

        I beg to differ, if I can believe the gov site about passports. According to the following web page, the info stored is indeed a reference code to retrieve personal data from the appropriate server.
        See about halfway down the page on: http://travel.state.gov/passport/ppt_card/ppt_card_3921.html
        kragjensen@...
        • Personal info does not matter

          Spot on - no personal info is on the passport book or passport card.
          HOWEVER, the only thing that is 100% guaranteed to be determined from
          the code is... The NATIONALITY of the passport! The risk is not that
          someone targets YOU. The risk is someone targets AMERICANS,
          IRANIANS, SAUDIS, <pick your favorite target here>.
          eburger
  • RE: RFID passports: a tragedy waiting to happen

    Good read. I wonder if it is possible to slip the passport in a lightweight sleeve (metal mesh?) that will shield the signal from prying "eyes". Technology is/can be a wonderful thing, when used appropriately.
    psquared007
    • It may not be that bad, as long as . . .

      Put the RFID cards and passport in a Faraday's Icebox - that means wrap it in metal so no electromagnet waves get in or out.

      I'd bet a metal case would be 100% effective and I'd suspect wrapping it in aluminum foil might be 100% effective.

      If you have the tools, please test it.

      Only unwrap it when needed and try to do so only in a secure environment.
      EdinPeoria
    • Solution to problem

      Wrap the item in question in aluminum foil. End of problem.
      deowll
      • Newest travel accessory

        I expect metal-lined (or metal mesh) passport cases will be on sale (at
        ridiculous prices) at every airport shop. The only problem with them (and
        the cheapies foil wrappers) is that people will forget to put their passport
        through the x-ray machine and set off the metal detectors.

        Why do we need physical passports anyway (which can easily be stolen or
        lost)? Why not just "chip" all the humans like they do with cats and dogs
        which travel. It will be great when tin-foil hats actually serve some use!
        a.barry@...
        • Yeah...

          And then get tumors like cats and dogs at the chipped site!
          Calknight
          • Carved out

            And if some criminal want to get the chip they have to carve it out. No theft anymore. Just murder.
            Gizbar
      • Would it work?

        I know Faraday cages generally stop radio waves, however I believe RFID tends to work on induction. Alfoil doesn't stop magnetic fields.
        An iron foil or other magnetic material might work better - research required. A quick but not foolproof test would be to try sneaking an rfid anti-theft tag through a shop security scanner - but with the permission of the shop staff to avoid arrest for shoplifting!
        Seems there should be a market for shielded passport folders.
        ausvirgo
        • Yes

          The tag is excited by an RF field (RF ID= Radio Frequency IDentification) It then uses the rf field to generate/transmit a signal containing the tags information. Pure magnetic induction would require the card/chip be within fractions of an inch from the signal and reader under most circumstances.
          rdhalsteatzd
  • RE: RFID passports: a tragedy waiting to happen

    You can purchase a carrying case that is a faraday cage, stopping the RFID from transmitting anything while you're just carrying it around.

    If you pull it out though, you obviously lose the protection.
    ksj99
    • A Fritos bag?

      There is little experimental evidence on the topic. Some have reported
      success with a Frito-Lay corn-chip bag with shiny silver lining, but
      only if not rumpled.

      Of course, if we let the free market work no one would ever ship an
      RFID-proof case that didn't work. They'd be out of business in days
      after consumers tested them at their local consumer EMI test bed.

      I've carried a passport for years and never in a case - too much
      hassle. When they announced they were starting to ship the RFID
      passports I got a rush renewal and no chip. 8 more years to go.

      Robin
      Robin Harris
      • BX sales

        As retired Air Force Guard, my friends still in military service inform me that -- unsurprisingly -- service personnel can buy RFID-blocking Faraday-cage slipcases at their Base Exchange.

        JJB
        JJ Brannon