US Passports now all have RFID tags

By qwerty at 1:13 pm on January 16, 2009

The security review on the EU passports reminded me of this one: As of October 2006, all US passports will contain RFID chips in them, which, when read, reveal all the information that is printed on the passport itself, as well as a digital photo of the passport holder. This brings up a privacy issue, since basically we will now all be holding passports that can be read without our consent. In an RFID system, data can be read off of the small computer chip inside the passport just by being in proximity to a reader. This means that an adversary can do what is called ‘skimming’, in which they can intercept the transmission between the reader and the passport – obtaining all the passport’s data, undetected. This is very similar to ‘packet sniffing’ on the internet. Just as one can sit in a coffee shop and read your Gmail without you knowing, eavesdroppers can now sit at the airport and read your passport without you knowing.

The US State Department knows of this vulnerability and has attempted to cover it by adding ‘shielding’ to the passport so that the tag can only be read when the passport is open. According to the ISO 14443 specification, the RFID tags can only be read when brought within 10 cm of the reader. This is a narrow window, which helps the security of the system, but does not completely protect it. Also, they have added a so-called PIN to the passport so that the data on the chip can only be read when the PIN (which is printed on the passport) is entered.

Did this just defeat the purpose? They added the ability to quickly scan all the information for viewing on the computer, but then added a PIN so that a number must be entered in order to get this information… In my view, this is quite the same as entering one’s passport id number (maybe a few characters longer than the PIN) and looking it up in an internal database to see the passport holder’s information. This is much more secure in my opinion and keeps all data out of the air. The question is – at what point does convenience trump security? The answer should be ‘never’, but many systems have ignored this, and this is why there are many vulnerable systems out there. As with Kerckhoffs’ principle, the only thing that should be kept secret should be the key. But what is the key in this situation? It seems as if there are many parts in this system, all of which are trying to be kept secret, which is known as ‘security by obscurity’ and is frowned upon by many. As with voting and many other things – some things are best left to being done the old-fashioned way – on paper.
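On the question of what the key is: the sketch below is an added example, not code from the original post, and it assumes the printed "PIN" refers to Basic Access Control as specified in ICAO Doc 9303, where the reader derives the session-setup keys from three fields of the printed machine-readable zone (MRZ). The function names are hypothetical and the sample fields are the specimen values used in the ICAO documentation.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated over the field


def char_value(c):
    """Numeric value of one MRZ character: 0-9, A-Z -> 10-35, filler '<' -> 0."""
    if c in "0123456789":
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {c!r}")


def check_digit(field):
    """Weighted sum modulo 10, as printed after each MRZ field."""
    return str(sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10)


def mrz_information(doc_number, birth, expiry):
    """Document number, date of birth, date of expiry, each with its check digit."""
    parts = (doc_number.ljust(9, "<"), birth, expiry)
    for part, size in zip(parts, (9, 6, 6)):
        if len(part) != size:
            raise ValueError(f"field {part!r} must be {size} characters")
    return "".join(p + check_digit(p) for p in parts)


def set_odd_parity(key):
    """Adjust the low bit of every byte so each byte has odd parity (3DES keys)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        out.append(b | 1 if bin(b).count("1") % 2 == 0 else b)
    return bytes(out)


def bac_keys(doc_number, birth, expiry):
    """Return (K_enc, K_mac), both derived purely from printed data."""
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    seed = hashlib.sha1(info).digest()[:16]
    derive = lambda n: set_odd_parity(
        hashlib.sha1(seed + n.to_bytes(4, "big")).digest()[:16])
    return derive(1), derive(2)


if __name__ == "__main__":
    k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print(mrz_information("L898902C", "690806", "940623"))
    print(k_enc.hex(), k_mac.hex())
```

Under that assumption nothing in the derivation is secret except the printed fields themselves, so the protection against reading a closed passport is only as strong as those fields are hard to guess.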

Filed under: Security Reviews

4 Comments

  • 1

    Comment by Ryan McElroy

    January 16, 2009 @ 2:34 pm

    Requiring a PIN is a step in the right direction — it means that the passport is now two-factor authentication, and merely skimming information isn’t enough to get all the information an attacker needs to copy a passport completely. Unfortunately, I feel that I already have too many passwords and PINs to remember. With the exception of a few frequent international travelers, passports are not used on a regular basis, so it seems likely that many passports will end up with PINs written on them somewhere, which almost entirely defeats the purpose of the PIN in the first place (except that it still prevents skimming attacks).

  • 2

    Comment by jimmy

    January 16, 2009 @ 3:43 pm

    Security in regards to passport RFID tags is definitely a significant national problem, but also at the international level. Wired recently posted this article about a German programmer who managed to corrupt the JPEG image in the passport such that it could crash the RFID reading systems. One could imagine extending this exploit to do more malicious things to the reading system, including creating fake passports that are always verified through the electronic system. Clearly this exemplifies a real threat that developers need to be constantly aware of when creating these systems.

    I would like to refute, however, one small point in your post. In response to the hypothetical question “at what point should convenience trump security,” in practical situations it is not very realistic to answer with the broad term ‘never.’ No system is ever 100% secure, and even if one were, it would not be a useful product unless users found it convenient enough to use regularly. Security is definitely important; however, it should always be considered in the context of the application it is designed for, and developed with the overall goals and outcomes that application attempts to achieve.

  • 3

    Comment by jap24

    January 16, 2009 @ 9:52 pm

    About the limited range of the RFID chip, when I was researching them for TC231 a few quarters ago I found articles suggesting that the government and manufacturers tended to underestimate the range. For example, an article at The Guardian (www.guardian.co.uk/technology/2006/nov/17/news.homeaffairs) notes that the UK government said their 2006 biometric passports couldn’t be read from farther than 2cm, but the security expert the author was working with could read them from 7.5cm.

  • 4

    Comment by erikturn

    January 23, 2009 @ 6:08 pm

    Another issue is that once you obtain a passport you cannot disable the RFID chip without your passport being considered void. Many security-minded individuals found that putting their passports into a microwave or smashing them with a hammer were effective ways to disable the chip. However, the U.S. government considers these actions destruction of their property. The following is what an individual agrees to by obtaining a passport from the U.S. government: “Any passport which has been materially changed in physical appearance or composition, or contains a damaged, defective or otherwise nonfunctioning electronic chip, or which includes unauthorized changes, obliterations, entries or photographs, … may be invalidated.” The phrase “unauthorized changes” in my mind makes me wonder if they have a system to detect changes to the data on a passport, such as a checksum or CRC. In the case of a passport, it is especially important to verify the integrity of the data. On my passport (I couldn’t verify for the new RFID passports), there is also a clause stating that if alteration is detected the owner may be subject to prosecution.
