RFID Passports Raise Safety Concerns

CurtMonash writes "CNNMoney.com features a skeptical article about the US State Department's plans to soon issue RFID passports (currently being tested on State Department employees). One fear is that they can be hacked for information about you. And even if they can't, carrying around a little transmitter saying 'I'm an American! I'm an American!' isn't a fun and safe thing to do in all parts of the world." From the article: "Basically, you've given everybody a little radio-frequency doodad that silently declares 'Hey, I'm a foreigner,' says author and futurist Bruce Sterling, who lectures on the future of RFID technology. 'If nobody bothers to listen, great. If people figure out they can listen to passport IDs, there will be a lot of strange and inventive ways to exploit that for criminal purposes.'"

RFID security

[joe 155]

I know that having your personal data stolen isn't any fun, it'll be worse if they put biometric data in there as well (I don't know what data the US passports currently have, in the UK we'll be having that put in soon). but for me a bigger concern is that they can be infected with a virus, which could quite easily be used to cause havok with the computers at airports and possibly bring the whole system down... the register reported on the proof of concept here: http://www.theregister.co.uk/2006/03/15/rfid_tags_ infected_by_virus/ [theregister.co.uk]

Re:yeah

[kickedfortrolling]

I suppose the worrying side of that is that weapons such as mines or explosives or even rockets could be RFID seeking, not just americans in general, but specific people/groups

What happens if the RFID doesnt work

[ConsumerOfMany]

Lets say you burn out the RFID using something like This [typepad.com]

Will you still be allowed to travel with just the written portion of the passport. Hell, just go around burning up other peoples passports and the riots will soon begin in the security line....

Easy Way To Stop Skimming

[Valthan]

Why not just have the case lined with tin-foil or a thin metal sheet of some kind. Then when it is needed to be checked you have to open the case and/or take it out. These cases can be distributed with the Passports. In my experience with RFID wrapping it in tin-foil alone stops it from working (My work makes me use one to get into the office, yes I have tested this)

Re:Hows about..

[Rob T Firefly]

legit people can use it to check against records, and illigit people are buggered

For someone sitting around with the gear to query RFIDs for illicit puurposes, getting any response at all is a good thing. Even if it's a useless string, the fact that it's there paints you as an American national with your passport on you. There are very many ways to exploit that information.

Yeah well. Not good.

[botzi]

And even if they can't, carrying around a little transmitter saying 'I'm an American! I'm an American!' isn't a fun and safe thing to do in all parts of the world."

So, the issue, you consider is that the transmitter is giving away your nationality and NOT that it's a....I dunno. a BLOODY TRANSMITTER?( worst case scenaria, and I'm really going off the top of my head here, how about professional passport thieves:"Hey, there is a city building with 24 passports in there, let's see which suits are empty at the moment, and do some damage."(I'd think anybody smart enough to detect the signal would be smart enough to block it afterwards)). I'd be appalled if other countries follow suit, I fear that they will. Let's just hope that there is enough damage done the moment they try to use RFID's so the launch fails.

Re:yeah

[Shaper_pmp]

And while I hate to be a bring-down, how long until we start seeing discrete RFID readers attached to personnel-sized IEDs in Iraq/Afghanistan/wherever the US invades/liberates next?

You can have a thousand native citizens walk down a busy street, and the bomb doesn't go off until an American (or possibly, even a native with US embassy employee-ID) walks right past it.

I know it's an essential part of the whole "keep 'em fat, stupid, scared and easily-trackable" agenda the US/UK governments have going, but I find it hard to believe the USA (especially!) is actually making it easier to identify its tourists and overseas personnel.

Why RFID and not smart cards?

[BeBoxer]

I just do not understand the insistance/fascination with RFID in this case. Think about the situation when these RFID's are supposed to be used. You are entering a country via immigration, and you hand your passport to the immigration agent. There is no need and no benefit to involving a radio. The agent could just as easily slip your passport into a reader which uses actual metal contacts as wave it over the RFID scanner. It would probably cost less, and would have none of the security concerns (valid or not) that the RFID chips have.

I can only think of two possibilities. One is just good old fashioned corruption. It's no secret that the GOP has pretty much put a 'For Sale' sign out front of the Capital, so it may just be a way to send a bunch of money to a valuable 'doner'. Or they have some requirement which needs RFID, but is being kept secret.

I suppose they could almost completely automate letting US citizens back into the country. Will I be able to use my RFID passport to scan in to the country just like I do with my work badge to get into the machine room or co-lo? I can see benefits for having an express lane at immigration for citizens with RFID passports so we don't have to wait behind all the riff-raff :-) Just walk up to the gate, wave your passport at it, and 'beep', you're back in the country.

Re:yeah

[xtracto]

Yah, I would welcome this, I remember a lot of times when I was in Mexico that, it was just after me and some friends knew that the people were from Canada or Europe that we wanted to be real friends.

Of course, this was not difficult were I lived as, usually people from USA get stuck in Cancun or Los Cabos were they find all their beloved touristic heaven. It is only European (and sometimes Canadian) tourism the one we (in Mexico) call "tourism with culture" that gets a bit away from Cancun to see the Mayan ruins [bill-in-tulsa.com] or Campeche [en-yucatan.com.mx] fortresses/history and all the incredible historical and natural wonders that are the real marvels of Mexico.

Of course the Estadounidenses dont know that because they are happy drinking Tequila and dancing until they fall in their expensive (not a lot for them of course) hotels and "Planet Hollywod" and "Hard Rock Cafe" (I have always wondered *why* do they bother to travel to Cancun if they are going to get into the same places they have in the USA).

And, as I lived in Campeche, the blonds that arrived there were usually Europeans or Canadians (although CAnadians were more often found in La Paz which is close to Los Cabos, but without all the "touristic" commercialization)

Re:yeah

[smittyoneeach]

But how hard is it to put the passport in an absorbent sleeve?

And, for added juice, an additional transmitter in the absorbent sleeve announcing that you're CowboyNeal! Who says the era of Cowboy Diplomacy is over?

Re:yeah

[Anonymous Coward]

It's easy to fight the war on terrorism if you just assume all people are terrorists and then force them to prove otherwise bhy pressing things like this on them.

It's the same principle McCarthyists used to find "communists". All communists are atheists, after all, so if you put "under God" in the pledge, the only people who won't say the pledge must, naturally, be communists.

Believe it or not, this is exactly how the current Administration here and its supporters think. They can't possibly fathom that there is anything in the world except absolute shades of white (you're with us) and black (you're against us). You're either all in gung-ho 100% American (e.g. - you do whatever Bush says) or you're not (e.g. - you have any negative opinion about Bush in any way, shape or form).

As insane as it sounds, this is the reasoning behind things like this. They don't do "nuance", so things like "uh, gee, if people hate Americans shouldn't we NOT be doing things to make them easier to find" never even crosses their hardwired little minds. You're either a terrorist who refuses to use them, regardless of your reason, or you're an American who gets one.

Anti-intellectualism in the states is so extreme right now that having anything but a purely black and white view of things, where you either unquestionably follow George Bush or you're absolutely the enemy, is to the point where the biggest threat on the planet to freedom may well be the American public.

Re:yeah

[Lurker187]

Damn, you beat me to it, but I do have a refinement: put foil inside the covers of the passport, so you can only read it when it's open. Then it really only does what it's supposed to, verify the printed contents. If someone's already got your passport open, your chances of hiding anything from them aren't very good anyway.

Re:New uses for microwave ovens ...

[Anonymous Coward]

Tux2000 wrote "toasted RFID chip with no visible sign of manipulation"

I've tried this on an RFID embedded object (not a passport, but a similar document). It did leave a small scorch mark right above where the RFID tag had been before it popped.

My verdict: this is an effective way to destroy the RFID tag, but it isn't undetectable.

Re:yeah

[jacksonj04]

Which leads to the question, why not just make them a smart chip with contacts? Slot the passport into a reader and it does the same as the RFID does.

RFID only has the edge if the data has to be read at high speed or where putting something in actual contact with a reader is awkward (Packages etc). There are a couple of exceptions (Such as 'hidden' door locks like at my school, to stop idiots filling card readers with chewing gum) but for the vast majority of cases it's just "Ooh new technology, lets use!"

I'm all in favour of digital passports, but RFID?

Re:What's the range?

[Phillup]

What a convenient tool for implementing an application named "proximity fuse."

Better yet "minimum target count".

Place a bomb at desired location... have it count the number of 'mericans in the vicinity... when the number exceeds a certain threshold... detonate.

Cool new way to make sure you don't waste explosive!

Other variations abound.

Place bomb inside but trigger at doorway. Count number of individuals that pass through door. Detonate when target amount reached. Of course this method can't account for persons leaving vs. entering... but you get the idea.

Hey... you could even have it wait for a specific passport! Great for those times when you need to knock off someone and collect insurance while making it look like random violence.

Gotta remember to thank the state department for such a convenient tool...

Re:yeah

[Conare]

This is actually a very good question. The answer is twofold:

1) Most contact chips don't last past 5 years, and they wanted a longer validity (10 years in the US case)
2) The chip specification was for the 28 (?) Visa-waiver countries and each of them can have a different passport form factor, so it would be very difficult/expensive to implement a single contact based reader or set of readers for them all. Contactless solves this issue and allows each country to keep whatever form factor they want.

The specifications for this were acutally developed by the International Civil Aviation Organization. Anti-Skimming is not a part of any of those specifications, however data encryption schemes are.

OK OK here you go, but you will have to buy them:

http://www.icao.int/ [icao.int]

Re:Why RFID and not smart cards?

[Phillup]

I just do not understand the insistance/fascination with RFID in this case.

Because smart cards were invented in the 70s [wikipedia.org] and the patent has expired. Thus not putting money into the pocket of your "constituents*" as fast as a patented technology would.

So... they aren't the ones that did the lobbying.

When it comes to politics... "why" is always easy.

Just follow the money.

*constituent: the people that bribed you