RFID passports: a tragedy waiting to happen
You're strolling in the south if France when a van stops, men burst out and in seconds hustle you into the van. "American scum!" they hiss as they hood you. But wearing a Sorbonne t-shirt and no fanny pack, how did they know? Thank your government - and a bad storage choice.
In a recent article Todd Lewan accompanied ethical hacker Chris Paget as he found chipped tourists around San Francisco's Fishermans Wharf - from a van. Your Canadian flag patch won't save you now.
Panic + stupid = RFID passports In 9/11's aftermath panic ruled the nation's domestic security bureaucracies, Congress and the White House. Paranoid mid-level bureaucrats were given free rein to "innovate" and guess what popped up? RFID tags in your passport.
And now they are adding them to driver's licenses too.
Just How Stupid Is It? Threat Level: Red and rising. Passports have a 10 year life, so the bad guys who want your info – or your scalp – will have 10 years of technology advances to refine their technique.
RFID scanners will get smaller and cheaper. You’ll get older and slower.
But the data is encrypted! Well, no, it isn't.
Even if it were encryption works best on unstructured data. What’s in a passport? Name, birthdate, birthplace, date of issue, height, weight, eye color, photo.
Gosh, who could break the code for that? It took security pros using a PC two hours to crack the Dutch version in 2005. Skimming your data for identity theft isn't too hard.
Then: Z-Hunting. Now: RFID Crack & Track Of course you are much more likely to die in a car accident than a terrorist attack. Crime is much more likely.
In the 90's Florida criminals went "Z-hunting" - rental cars had "Z" tags - looking for easily confused or intimidated tourists to rip off. Now foreign criminals - like kidnapping gangs in Mexico - will have the same opportunity.
Put that hammer DOWN, Sarah Connor! Some people - who'd rather not be secretly ID'd as Americans when traveling - have suggested that the chip could be broken with a hammer. True, but the State Department is way ahead of you:
Any passport which has been materially changed in physical appearance or composition, or contains a damaged, defective or otherwise nonfunctioning electronic chip, . . . may be invalidated.
Slaves of the ICAO The irony is that this dangerous scheme was hatched by an administration - America's most popular EX-President - famous for go-it-alone, protect-America-first bluster. And the justification for NOT using a smart card or optical ID system?
This choice is compatible with standards and recommendations of ICAO.
Oh, the United Nations recommended it? Sign us up!
And remember all those ranting "UN-world-government-foreign-laws-destroy-American-freedom" congressman protesting this ill-conceived program? Fox news? Bill O'Reilly? Anderson Cooper? Oprah? Anybody outside the tech and security communities?
Me neither. Probably took the day off.
The Storage Bits take This is a bad tech decision made by people who really don't understand the technology or the pace of change. 10 years - the life of a US passport - is several lifetimes in tech.
It will take almost 5 years before half of all passports are e-chipped. We will have e-chipped tourists wandering around the world for the next 15 to 20 years. And more vulnerable each year.
There are so many better options - smart cards, 2D optical codes, dataglyphs and more - that would not compromise citizen security the way RFID does. I hope some unlucky Americans aren't injured or killed before this misguided program gets revoked.
Comments welcome, of course. Also check out Edward Hasbrouck's blog for some more background.