America forcing your passport to be insecure October 2005

In the near future (October 2005), American passports will use RFID chips to store some basic information about the passport's owner. RFID chips work as follows: an RFID receiver sends out a short-range radio message, "Are there any RFID chips out there?" The RFID chip on your passport uses these radio signals as its source of electricity to broadcast a predefined response. The RFID receiver is continually listening for these broadcasts, so the RFID chip works as a digital label that gets read whenever you walk within around 30 feet of an RFID receiver.

The American government plans to have the RFID chip in your passport store your full name and nationality, as well as a digital picture of your face. Your picture will then be taken at the airport, and face-recognition software will determine whether your face matches the one encoded on the passport. Furthermore, the United States is requiring all 27 countries whose citizens do not need visas to visit America to begin issuing e-passports by October (I believe Canada is one of these countries).

Now here's the insecure part: The data on the RFID chip will not be encrypted. What that basically means is that I can bring my laptop with an RFID receiver to the airport, and capture the name, nationality and picture of anyone who walks within 30 feet of me, and that's without downloading a clever hack program or anything like that. Your data is broadcast in plaintext for everyone to see. Even an executive at one of the companies developing a prototype for the State Department calls the international standards woefully inadequate.

The advice given, if you're stuck in the near future with one of these unencrypted RFID passports, is to wrap your passport in tin foil while it's not in use. However, as soon as you take it out of the foil, for example at the customs agency or the hotel, you're exposed again. Bruce Schneier, a security expert, points out that "A contact chip would be so much safer. The only reason I can think of is the government wants surreptitious access. I'm running out of other explanations. I'd love to hear one." Obviously, if the only way to read the data on the passport chip was to press the passport up against some sort of reading surface, then you would always know when the data is being read, and people 30 feet away wouldn't be able to anonymously snoop the data.

The State Department is accepting written responses to the proposal until April 4 via e-mail sent to PassportRules@state.gov.

1. Leafy Person said:
I happen to be an «expert» in this field (machine readable travel documents) at work, so I might be able to answer Schneier's question about the choice of contactless chips. The reasons are multiple: need for speed in travel documents processing at the borders; need for global interoperability (a passport delivered by Country A can be read by machines in other countries regardless of dimensions and format), etc. The security risk described by Neb is well known by the experts at my place of work, but the aspect that is the most worrisome for them is the possibility for terrorists to «remote read» a traveller's passport at an airport and pick out a target nationality, say Israelis for example, or Americans.
Posted on Thu February 24th, 2005, 2:41 PM EST acknowledged
2. Nebu Pookins said:

A few questions:

Are there any steps taken to prevent the printed information and the digital information from going out of sync (e.g. the photo on the chip and the photo printed in ink are different)? If the digital chip is broken, will the person be denied passage at the border? If so, will a traveller have a way to easily notice that his chip is broken so he can do something about it before actually going on a trip (short of buying an RFID reader himself)? How strong is the digital signature on the data on the chip? Can the signature be verified by anyone, or only airports or what?

Posted on Fri February 25th, 2005, 1:43 AM EST acknowledged
3. Leafy Person said:
A few answers: The digital and non-digital portraits are never supposed to go out of sync and if they do, it's a sign of tampering and the holder of the document will be prevented from using it to travel. Similarly, contactless chips are supposed to be longer lasting (at least 10 years) and less vulnerable to deterioration by external factors like dirt, humidity, etc. than contact chips. Therefore if a chip is broken, then the damage would have to be so extended as to be visible to the naked eye and the passport would also show signs of deterioration such as tears in the substrate, distortion or loss of optical security attributes (irisation, fluorescence, etc). There is no ready way for a regular person to detect a broken chip in his/her passport, just like a non-working credit/cash card can only be detected when being used at the ATM or the store. The rest of your questions require answers that are too sensitive to be posted on a public blog. Link: http://www.cnn.com/2005/TECH/01/06/passports/ (Sorry, I still cannot create a link, you'll have to copy and paste) (Or a paragraph)
Posted on Fri February 25th, 2005, 11:36 AM EST acknowledged
4. Nebu Pookins said:

I know the digital and non-digital pictures are not supposed to go out of sync, but I'm asking what measures are taken to check whether or not they are in sync?

Let's say I travel to Japan, and my chip just randomly breaks down by natural causes (maybe it's been 10 years since I've had the chip first installed). Since there's no way for me to check if my chip is working, all I can do is show up at customs, and be told there that I can't go back home 'cause my chip is broken. I might be delayed a few days or even a month while I try to get a new passport issued to me. Without the chip, the worst that could happen is my passport (the paper version) gets destroyed, and I would immediately notice this, and I could get a new passport issued to me in advance a few days before I try to return home, and suffer no delays.

I heard that the chip is going to use a digital signature to prevent forging the data (or else anyone could have their chip say anything). The excuse "they" are giving for not using encryption is that it might prevent less developed countries from adopting this chip system. But isn't the technology and computing power required for decrypting messages pretty much the same as for verifying a digital signature? Does America expect some countries to simply not verify the signature at all?

Posted on Fri February 25th, 2005, 8:32 PM EST acknowledged
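
Added example, not part of the original post or its comments: the distinction this thread turns on, that a digital signature stops forgery of the chip data but does nothing to stop it being read. The toy RSA key, the toy stream cipher, the record layout, field names and keys are all constructed for illustration and are not the passport standard's.

```python
import hashlib

# Toy RSA key (constructed, far too small for real use): two Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the issuer

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Issuer side: requires the private exponent D."""
    return pow(digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    """Reader side: requires only the public key (N, E)."""
    return pow(sig, E, N) == digest(data)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for real encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def parse(record: bytes) -> dict:
    return dict(f.split("=", 1) for f in record.decode().split(";"))

# Constructed sample record; the field names are hypothetical.
RECORD = b"name=Jane Example;nationality=CAN"
SIG = sign(RECORD)

def eavesdrop_signed_only() -> dict:
    """A signed but unencrypted record is readable with no key at all."""
    return parse(RECORD)

def tamper_detected() -> bool:
    """Changing one field invalidates the issuer's signature."""
    forged = RECORD.replace(b"CAN", b"USA")
    return not verify(forged, SIG)

def recovers_record(reader_key: bytes, guess: bytes) -> bool:
    """With encryption added, only the matching key recovers the record."""
    blob = keystream_xor(reader_key, RECORD)
    return keystream_xor(guess, blob) == RECORD
```
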
