RFID passports (finally) coming soon to the US

(via Engadget)
The US State Department appears to finally think it is ready to issue e-Passports to Americans. Privacy advocates, security specialists, techie-weenies, and sensible people everywhere object, but in typical government manner, the State Department doesn’t care. “Nyah, Nyah!” appears to be the message.

Here’s the gist of it:

They’ll have radio frequency identification (RFID) tags and are meant to cut down on human error of immigration officials, speed the processing of visitors and safeguard against counterfeit passports.

Yet critics are concerned that the security benefit of RFID technology, which combines silicon chips with antennas to make data accessible via radio waves, could be vastly outweighed by security threats to the passport holder.

Making RFID tags usable but not abusable is a tough problem (right up there with solving Fermat’s last theorem, honestly). The technology will likely speed border checks and such, but by the very nature of the technology, the tags will be abusable and likely very insecure.

“Basically, you’ve given everybody a little radio-frequency doodad that silently declares ‘Hey, I’m a foreigner,’” says author and futurist Bruce Sterling, who lectures on the future of RFID technology. “If nobody bothers to listen, great. If people figure out they can listen to passport IDs, there will be a lot of strange and inventive ways to exploit that for criminal purposes.”

. . .

“The basic problem with RFID is surreptitious access to ID,” said Bruce Schneier, security technologist, author and chief technology officer of Counterpane Internet Security, a technology security consultancy. “The odds are zero that RFID passport technology won’t be hackable.”

. . .

In May, researchers at the University of Tel Aviv created a skimmer from electronics hobbyist kits costing less than $110. The equipment was small enough to fit into a briefcase or be disguised in any manner of luggage or clothes that could hide the 15-inch copper tube antenna.

The antenna boosts the read-range from a few inches to a few feet. To extend the range of surreptitious access much further, a second piece of equipment is needed to fake the RFID reader into sending a “read” signal, which is then relayed via radio waves to the skimmer’s reader near the targeted RFID chip.

. . .

U.S. passports are issued for ten years, which means the RFID chip technology of those passports, along with their vulnerabilities, will be floating around for a decade. Technology would have to “stop cold,” Schneier of Counterpane says, for improvements in skimming and hacking equipment not to occur.

Schneier has talked about this before in his Crypto-Gram newsletter.

In 2004, when the U.S. State Department first started talking about embedding RFID chips in passports, the outcry from privacy advocates was huge. When the State Department issued its draft regulation in February, it got 2,335 comments, 98.5% negative. In response, the final State Department regulations, issued last month, contain two features that attempt to address security and privacy concerns. But one serious problem remains.

It’s still a hard problem to solve, and none of the security experts I trust have bought into the project yet. Until I see someone like Schneier say, “This is well done, with measures which should prevent unauthorized access,” I’m not liking it. Oh, and a little hint – it’s not likely any such expert will say any such thing any time soon.
