Shostack + Friends Blog Archive

 

US-Electronic-Passports

The CBC reports on documents that the US tried to bury by releasing the day after Thanksgiving, admitting that “…Canada, Germany, the Netherlands and Britain share the suspicion that the international standard set for the electronic passports inadequately protects privacy and security.”

These chips can be read from 30 feet away, today. That’s the opinion of experts inside the US Government. (Phil Libin quotes from a NIST report.) The only reasons to support these things are if you want to be reading out who’s in a crowd at a distance.

The documents go on to say that “We are still hard at work at ensuring the security and integrity of the data on the chip,” [Frank] Moss [deputy assistant secretary of state for passport services] said. However, we plan to start issuing these passports before that’s done, and then back-compatability issues will prevent any security at all.

The right security measure is contact. If passports need chips, and I’ve yet to see anyone explain why they do, require that the chip be in contact with the reader. Simple, cheap, easy.

5 comments on "US-Electronic-Passports"

  • 9to1 says:

    It shouldn’t be too hard to create metal passport holders that act as a faraday cage for your documents, if you are worried about being scanned in a crowd. However, this technology certainly makes it harder for people to hide extra passports on their persons, or in their luggage, as they will still show up as a lump of metal of certain minimum dimensions.

  • adam says:

    Sure, I can do that, but is passport smuggling a serious enough issue that millions of people have to get new passport holders to protect themselves from identity theft and muggings?
    If I want to smuggle a passport, I can still carry it inside, say, a metal attache case, or if you want to be James Bondish, laptop battery, or a re-sealed pop tart with some anti-theft RFID glued on the outside.

  • 9to1 says:

    I wasn’t saying I was in favor of it; I was merely commenting on what concerns me. I am not nearly as worried about having my ID read in a crowd as I am being caught with multiple sets of paperwork with different names on them. Travelling by airplane is just about the only time I am ever carrying more than one set.
    In the past, when I had to, I have just carried a couple extras in my front pants pockets. Passports are thin, and you can slip your other matching cards inside them. Even when I have been patted down, they have always gone undiscovered.
    My current US Passports are all issued from the US embassy in Barbados, which as late as 1999 was still using old style passports that did not even have a magnetic strip or barcode of any kind. Perhaps getting passports renewed in the right places overseas will be a way to avoid this RFID technology for a few more years.
    The pop tart idea is interesting. Do you recommend the use of extra RFID tags for interference?

  • adam says:

    RFID tags are designed not to interfere with each other, so extra tags won’t change things. I do expect that someone will start making “buggy” chips that you can attach to things, which will work sometimes only.
    These chips may have the side-effect of breaking anti-theft uses of RFID, and may not be offered at the fancier shops.

  • Nudecybot says:

    Egad what a dumb idea.
    This will open up a whole new field of wireless passport hackery.
    We all have been following bluetooth’s woes, the latest of which is “bluesniping” or hacking peoples bluetooth phones at unheard of distances.
    Can’t say I like the though of being passportsniped, even if RFID is read-only and possibly more limited in range.

Comments are closed.