Kuro5hin.org: technology and culture, from the trenches
RFID Passports: Improved, but still flawed?

By KC7GR in Technology
Mon Nov 07, 2005 at 11:14:05 AM EST
Tags: Security

In February of 2005, the U.S. State Department published a proposed amendment, in the Federal Register, of U.S. passport regulations. The proposal sought public comment on the idea of embedding RFID chips in all newly-issued passports beginning in 2006.

Over 2,300 comments were received in response, and more than 98% of them were negative, focusing on privacy and security concerns. Since the initial proposal had no provisions for encryption or access control of the stored data, people were concerned (rightly so) that their identities could be snooped by anyone with appropriate reader equipment, at any time and without their knowledge.

Now, eight months later, the State Department has made some changes for their final draft. Do you think they went far enough?


For those who may not be familiar with the technology: Radio frequency identification, or RFID, is a generic term for technologies that use radio waves to automatically identify people or objects. A complete RFID system consists of transponders (commonly called tags), usually one per object or person to be tracked, an appropriate reader, and a host computer to process the data.

There are two types of tags: Passive and Active. Passive tags draw their operating power from the induced energy of the reader's field, while Active tags have their own battery.

Active tags have a longer range, and can transmit more complex data, but they tend to be large for a chip and they cost a lot more than passive tags. Conversely, passive tags cost very little, and can be made nearly microscopic, but they have a limited range and cannot store as much data.

If you want more information on RFID itself, Wikipedia has some good references, and Texas Instruments has an entire department dedicated to RFID. There's also a comprehensive paper on RFID privacy issues, at least as they relate to libraries, to be found here.

Now, with that out of the way: What the State Department is proposing is that the RFID-enabled passports carry at least a duplicate copy of all the passport holder's personal information, and a digitized photograph, encoded into the chip. They've left expansion room for, supposedly, biometric data such as a fingerprint or retinal scan.

In response to the massive number of negative comments from the initial proposal, the State Department has made two design changes to the template for the new passports. First: The data encoded on the chip will be encrypted, and under access control. The passport will have to be first scanned with an optical reader, and this initial scan will provide the decryption key for the information on the RFID chip.

Second: A metallic shield will be woven into the passport's covers, thus creating a Faraday Cage effect which will, in theory, prevent the chip from being read when the passport's covers are closed by attenuating any RF energy well below the point where the chip would become active.

For the truly paranoid, it will be easy enough to slip the entire passport into an ESD shielding bag, thus providing an additional layer of Faraday protection.

While it is good that the officials at State paid attention to the feedback they got, I still don't think they fully understand RFID technology and its potential for abuse. As Bruce Schneier has written in this article on Wired, there is yet another potential security hole that DoS overlooked.

This hole takes the form of the collision-avoidance technology that is hardwired into each and every RFID chip. The specific standard that the State Department has apparently chosen is ISO specification 18000-3, Mode 1. RFID chips conforming to this standard have a static and unique 64-bit serial number embedded as a manufacturer's ID. This number is used as part of the collision-avoidance protocol detailed in the standard. More importantly, it can, with the appropriate equipment, be read completely independent of any encryption or access controls present on the chip.

In other words, anyone with a reader can query any passport chip for its unique manufacturer ID number, and the chip will respond if it's in range no matter what kind of encrypted info it may be carrying.

There is a different anticollision protocol, described under ISO 14443A, which requires that a random number be returned from the chips as opposed to the static numbers referenced above. This is the one that Schneier advocates to close this loophole. Whether DoS will listen is anyone's guess.
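The difference between the two anticollision behaviours described above, as an added example that is not from the article or from either ISO standard: a simplified model in which each chip answers every reader activation with either its fixed 64-bit serial or a fresh random value, and readings logged at several places are grouped by identifier. The `Tag` class, the location names, the 32-bit size of the random identifier and the seed are assumptions made for illustration; shielding and read range are not modelled.

```python
import random
from collections import defaultdict


class Tag:
    """Simplified model of a chip's anticollision identifier (assumed, not the ISO wire format)."""

    def __init__(self, rng, static_id):
        self._rng = rng
        self._static_id = static_id
        # Constructed 64-bit serial standing in for the manufacturer's ID.
        self._serial = rng.getrandbits(64)

    def activate(self):
        """Return the identifier the chip gives when a reader's field powers it up."""
        if self._static_id:
            # Static behaviour: the same serial on every activation.
            return self._serial
        # Random behaviour: a new value per activation (32-bit size is an assumption).
        return self._rng.getrandbits(32)


def collect_sightings(tags, locations):
    """Every tag is read once at every location; the log holds (place, identifier) pairs."""
    log = []
    for place in locations:
        for tag in tags:
            log.append((place, tag.activate()))
    return log


def linked_tracks(log):
    """Group readings by identifier and keep those seen at more than one place.

    Each surviving entry is a movement track that needs no decryption key
    and no personal data, only the anticollision identifier.
    """
    seen = defaultdict(list)
    for place, ident in log:
        seen[ident].append(place)
    return {ident: places for ident, places in seen.items() if len(places) > 1}


# Constructed sample data: three holders passing four reader locations.
LOCATIONS = ["airport", "hotel", "station", "border"]


def simulate(static_id, holders=3, seed=2005):
    """Run the model and return the tracks an observer of the log could build."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    tags = [Tag(rng, static_id) for _ in range(holders)]
    return linked_tracks(collect_sightings(tags, LOCATIONS))


if __name__ == "__main__":
    for label, static in (("static serial", True), ("random per activation", False)):
        tracks = simulate(static)
        print(f"{label}: {len(tracks)} linkable track(s)")
        for ident, places in tracks.items():
            print(f"  {ident:016x}: {' -> '.join(places)}")
```

With static serials every holder produces one complete track across all four locations; with per-activation random identifiers the log contains no repeated identifier, so nothing can be linked from the anticollision exchange alone.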

I regret that I am unable to provide further technical details on the actual standards and collision-avoidance protocols. The documents describing said details are not freely available (the lowest cost I found was $220 per copy).

I have two opinions on this whole situation. First, I don't think chipping passports is going to make our borders any more secure. Any criminal (including terrorists) with the determination and resources to forge passports is going to find a way to do so no matter what obstacles DoS throws at them.

Second, I question whether the "vulnerability" represents the privacy threat that Bruce Schneier thinks it does. The only way I could see it being abused would be to track a person's movements, and even that will be sharply limited or curtailed the moment they close their passport and/or slip it into that wonderful little shielding bag.

Even if the chip's manufacturer ID does get read by someone other than Customs authorities, how in the Multiverse would whoever's doing the reading tie personal information about the holder to it? They'd either have to have access to the Customs computer system (unlikely if they don't work for Customs), or they'd have to literally engage their desired target in conversation, and start asking questions which would make nearly anyone suspicious.

One thing I'd like to know is whether anyone is going to cut back or eliminate international trips due to a perceived fear of being tracked. I'm certainly not going to...


Poll
RFID Passports: Good idea?
o Yes... 12%
o No... 45%
o Don't Care Either Way... 16%
o The Pyramid is Opening! 25%

Votes: 24

RFID Passports: Improved, but still flawed? | 33 comments (21 topical, 12 editorial, 0 hidden)
You do realize (2.60 / 5) (#12)
by trhurler on Sun Nov 06, 2005 at 12:00:10 PM EST

that they probably know exactly what they're doing, right? The government regards "privacy" in the same way most corporations regard "security" - as a PR issue. If they can make the PR problem go away (and they can, as evidenced by the fact that nobody is even paying attention anymore except you and me), while still getting what they want (which is passports that will uniquely identify you at a distance even without fancy encryption gear), they're going to do it.

--
'God dammit, your posts make me hard.' --LilDebbie

The facts don't back up your statement (none / 0) (#16)
by duffbeer703 on Mon Nov 07, 2005 at 08:13:39 AM EST

The DoS solicited public comment on the RFID issue, and took action to address those concerns. They've encrypted your personal data that could be used for identity theft and shielded the electronics to make it difficult to remotely read the passport at a distance.

Your conspiracy theories just don't hold any water. US citizens don't carry passports with them within the US for the most part, and international travellers are penned up for easy identification, so the ability to surreptitiously read a US passport at a distance doesn't buy you anything.

If I were working for some secret government agency with aims to track and identify citizens remotely, I'd be looking at ways to remotely read the new, unshielded RFID credit cards at a distance... there are more AMEX and MasterCard cardholders in the US than passport holders, after all.

[ Parent ]

Three things (none / 0) (#20)
by trhurler on Mon Nov 07, 2005 at 09:01:19 PM EST

First of all, most of the people the federal government is interested in DO HAVE passports.

Second, they actively solicited comments after an uproar about their plan after they trial balloon'ed it. That isn't genuine concern - it is PR.

Third, tracking people via credit cards sounds nice, but it isn't very reliable. There are several ways that multiple cards with the same number can be in circulation, and the RFID doesn't include enough information to distinguish them for security reasons (amusingly).

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
Out of curiosity (and totally off topic) (none / 0) (#23)
by hatshepsut on Tue Nov 08, 2005 at 04:30:00 PM EST

What people exactly does your federal government have interest in? Why exactly? And they mostly have passports?

I have heard a lot of conspiracy theories, and general "they are watching us all" sorts of statements (mostly from americans), but have never heard WHY exactly this is perceived to be (or actually, what the hell do I know about it) going on.

I am not american, and my feeling on the matter is that my government couldn't care less about me as an individual, providing I pay my taxes and don't require any social assistance of any kind. Since both are, currently, true, I figure I am probably pretty much off the radar (yes, I have a passport, and travel relatively frequently for both business and pleasure).

[ Parent ]

Well, (none / 0) (#26)
by trhurler on Wed Nov 09, 2005 at 09:02:04 PM EST

I'll put it to you this way. The United States intelligence establishment, counting black budget that isn't publicly visible by best possible estimate, spends somewhere around twenty billion dollars a year spying on people. That's billion with a B.

Most of them are foreigners, but most of them are also people who have and/or do travel(ed) to the United States, and most of the US citizens they care about travel overseas as well. To do that, you need a passport.

The thing you have to realize is, we already know that basically every phone call, radio transmission, and major IAP is monitored by the NSA for certain key words. That's ten or twenty year old technology, and while it hasn't been declassified, people on the inside of that work have spoken up.

If you believe you don't live in a surveillance society, you just aren't paying attention.

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
So what's the big deal, anyway (none / 0) (#29)
by duffbeer703 on Fri Nov 11, 2005 at 08:44:37 AM EST

"They" are already listening to all telephone conversations (highly doubtful) and spend billions watching our every move... what's the big deal with passports?

Most movements out of the country are already under surveillance and have been for decades. Every major port of embarkation takes your name, passport and probably your picture as well when you come and go. RFID passports are designed to make that process smoother and to eliminate forged documents which can be had for less than $500.

The RFID in passports is based on ISO 14443, the same standard used in the new RFID-enabled credit cards from American Express and Visa. It isn't a conspiracy theory, and they're not out to get you.

[ Parent ]

Well, (none / 0) (#30)
by trhurler on Fri Nov 11, 2005 at 07:54:08 PM EST

First of all, no the NSA isn't listening to all telephone conversations. They do have systems that can scan most, if not all of them for certain phrases and so on.

Second, the big deal with passports is that unlike having your picture taken or your name written down and so on by officials, ANYONE can read these passports from substantial distances away WHILE the passport is in your pocket or whatever you carry it in.

Third, this won't eliminate forged documents. Forging these will take place just like any other document, except it will require a slightly different skillset.

And finally, I won't carry RFID credit cards either. Why? Because I don't WANT someone to be able to produce a duplicate card after scanning me from 50 feet away and then run up tons of charges. Sure, I can fight them, but understand: if the person has a card rather than punching your number into a machine by hand, the presumption is that you made the charges, and you have to prove yourself innocent. As things are, it would be most likely that fraud against me would be by someone who got my number and hand punched it - a clerk, for instance - someone bright enough to know this is possible, and stupid enough not to realize that it is obvious to a card issuer's fraud teams. With RFID, the most likely route is a professional snagging my number right out of my wallet while I walk down the street and then making up a fake card and using it at an ATM or similar. And if I couldn't prove I didn't do it, they'd bill me!

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
Can and do are very different things (none / 0) (#32)
by duffbeer703 on Sun Nov 13, 2005 at 07:00:19 PM EST

Those echelon or similar systems aren't as widely deployed as you may think -- it's still too difficult.

As for the passport issue -- it has been resolved. The passport booklets are being lined with foil, which makes it nearly impossible to activate the RFID chip from more than a few inches away. I've worked on RFID projects, and the devices are unreliable enough that a few rolls of toilet paper defeat many of the systems. (Which is why you haven't seen the RFID boom that was foreseen by many)

You'd better get used to not carrying debit or credit cards. Magnetic cards will be a distant memory in a decade -- the technology isn't secure at all. Even unsophisticated street gangs are cloning credit and ATM cards onto things like hotel room keycards these days.

Credit card banks are legally liable for all credit card fraud over $50, so you can be sure that they are paying attention to the security issues surrounding RFID cards. If people are able to remotely clone the RFID cards, the banks would never issue them!


[ Parent ]

Heh (none / 0) (#33)
by trhurler on Sun Nov 13, 2005 at 11:41:56 PM EST

> Those echelon or similar systems aren't as widely deployed as you may think -- it's still too difficult.

Covering all international phonecalls worldwide requires less than half a dozen listening stations; they all go through certain cables and/or satellites, and it is easy to get those few choke points covered. Other traffic is "harder," but keep in mind that for quite a long time now telcos have been required in the US and most of the rest of the west to not only allow but PAY for government access to their networks such that any number of calls can be monitored. The only places that'd be really tough to cover are other countries' internal phone systems. Which, incidentally, are frequently built and deployed by NATO members.

> As for the passport issue -- it has been resolved. The passport booklets are being lined with foil, which makes it nearly impossible to activate the RFID chip from more than a few inches away.

I hadn't heard this, and I looked a bit. Do you have a source handy? They said that WOULD fix it, but I can't find anyone saying they're doing it.

> I've worked on RFID projects, and the devices are unreliable enough that a few rolls of toilet paper defeat many of the systems.

On the other hand, I've seen projects where groups of kids studying for undergrad EE degrees have managed to read RFID devices used on clothing and so on from dozens of meters away using $50 worth of parts (similar to Bluetooth sniping, but obviously not quite the same since you're transmitting the original signal).

> (Which is why you haven't seen the RFID boom that was foreseen by many)

We HAVE seen it - it just isn't all that visible. You almost can't buy clothing that doesn't have RFID tags. Some food items are starting to carry them, and you can expect that to expand rapidly once the cost of the tags drops just a bit. Home electronics typically have tags these days. A lot of the time you have to really look to find them; remember, the systems being deployed for these purposes are adhesive labels, and they're purposely hidden so you won't be able to remove them easily if you're a shoplifter.

> You'd better get used to not carrying debit or credit cards. Magnetic cards will be a distant memory in a decade -- the technology isn't secure at all. Even unsophisticated street gangs are cloning credit and ATM cards onto things like hotel room keycards these days.

RFID is worse. The only reasonably secure cards these days are the smartcard based ones, but those aren't really taking off as far as I can tell.

> Credit card banks are legally liable for all credit card fraud over $50, so you can be sure that they are paying attention to the security issues surrounding RFID cards.

You mean the same way they insist that ATM cards with four digit PINs are secure even though it has been proven they're not? Yeah, I trust those guys. (Remember, they're liable, but as long as the cost of improving the situation is larger than the cost of the fraud, fraud wins.)

> If people are able to remotely clone the RFID cards, the banks would never issue them!

Why not? They do business in all sorts of known to be insecure ways, and they don't seem to care much. You have an overestimation of both their imagination and their fear of fraud. They're more afraid of being SEEN as victims of fraud than of BEING victims of fraud.

--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
Australian "ePassport" (none / 1) (#14)
by ccdotnet on Mon Nov 07, 2005 at 05:55:03 AM EST

Since October 24 all new Australian passports feature:

The chip embedded in the centre pages stores your digitised photograph, name, gender, date of birth, nationality, passport number, and the passport expiry date.

From here.

Fortunately no mention of RFID yet, and the chip's data is "protected" by PKI.

the real privacy concern is (none / 1) (#15)
by dimaq on Mon Nov 07, 2005 at 06:58:17 AM EST

when they develop the classified tech to read RFID tags from satellites, or for truly paranoid flying saucers *g*

Not necessary (none / 0) (#17)
by Viliam Bur on Mon Nov 07, 2005 at 08:18:32 AM EST

You just need to put some RFID readers on streets. A few at first, at most important places. Then more. And more. And finally, you will get the same result (at least in the cities) as you would get from satellite.

[ Parent ]
we have them already and you too (none / 0) (#21)
by dimaq on Tue Nov 08, 2005 at 08:00:18 AM EST

they are called traffic cameras.

[ Parent ]
Flying saucers (none / 0) (#19)
by The Diary Section on Mon Nov 07, 2005 at 11:56:28 AM EST

read the RFID chip embedded in your brain shortly after birth by doctors in the pay of the new world order. Everyone knows that!
Spend 10 minutes in the company of an American and you end up feeling like a Keats or a Shelley: Thin, brilliant, suave, and desperate for industrial-scale quantities of opium.
[ Parent ]
Vulnerability (none / 0) (#18)
by fyngyrz on Mon Nov 07, 2005 at 11:00:37 AM EST

> I question whether the "vulnerability" represents the privacy threat that Bruce Schneier thinks it does. The only way I could see it being abused would be to track a person's movements

Government has your data in a computer. Government encodes your data into a passport, along with unique ID number (RFID serial number.) You walk by (insert your least favorite Government monitoring instance here, such as warrant-free monitoring authorized by the FBI.) They read your passport's serial number. Then (astounding you, who cannot envision a connection to "customs computers") these sterling folks use this incredible, cross-intra-network tool called (wait for it) the Internet to access your data. They are now in possession of everything on your passport, and are now in the process of looking up everything else about you using the information they got off the passport as a starting point.

Now: First of all, if the government has your data, then we know that more generally, people have your data, because everyone has their price and our congresscritters will sell it to them, just as they sold out the social security number. The potential is very high that entities other than government will be able to get your data as you walk by, as well. This could lead to uses as mundane as tailoring ad content or special offers to you in a dynamic way, or to criminals deciding you are worth mugging more than the last twerp who walked by. Considering that criminals have the lowest barrier to entry for this information (meaning, they won't wait for it to be legal to have it, they'll just get it if they can), this is more likely than ad-tailoring. On the other hand, if the ad people get it, you can be sure that the criminals either already have it, or will have it immediately following.


Blog, Photos.

paranoid (none / 0) (#28)
by vqp on Fri Nov 11, 2005 at 03:26:42 AM EST

Every time you walk on a public space, you are carrying a unique ID with you, it's your face and can be scanned from farther than the RFID technology. It's a question of time before the first face-recognition systems will be applicable.
Also, the online central database is a reality and nobody can stop it.
So, the answer to your concerns is: yes, you're going to be unwillingly identified at a distance, but hey! That is the same thing that happened 200 years ago when we humans lived in villages!

Why is living in small villages romantic for people and being identified is not? Irrational fear?

In my country, criminals that are able to use this kind of technology will either dedicate themselves to politics or print a photograph of the victim and send ursos with the picture to look for you.

happiness = d(Reality - Expectations) / dt

[ Parent ]
The thing is... (none / 0) (#31)
by fyngyrz on Fri Nov 11, 2005 at 10:55:23 PM EST

A number can be stored as an index to a database very easily, and doesn't need matching to locate in the database — basically, you have instant, positive lookup. A face takes much, much more storage, and matching it out of a large group is entirely non-trivial. This fact makes databases that use numbers for indexes a real threat, right now, today, and databases that use faces as indexes a non-threat for, oh, probably the next twenty years or longer.

The fact that one face can be recognized by software after a few moments computation (yes, that's the face, or no, it isn't) is one thing; recognizing one face out of 300 million in the time it takes to walk by a scanning device — that's entirely another. It is fantasy, not reality.

My post wasn't the result of paranoia. It was simply the result of a decent understanding of 2005-level technology.

Blog, Photos.
[ Parent ]

Why Wireless? (none / 0) (#22)
by Western Infidels on Tue Nov 08, 2005 at 03:30:09 PM EST

What is the justification for going wireless? Why not use a contact-based smartcard-like system, and make many of these security / privacy concerns disappear?

Because... (none / 0) (#24)
by makohill on Tue Nov 08, 2005 at 09:26:25 PM EST

..because contacts wear out.

There is a relatively small number of times that a contact based chip can be scanned. Passports are supposed to last 10 years and are frequently treated rougher than a credit card. I rarely have a smartcard or magnetic stripe card that gets any sort of active use last a single year.

Creativity can be a social contribution, but only in so far as society is free to use the results. --RMS
[ Parent ]

Well (none / 0) (#25)
by Western Infidels on Wed Nov 09, 2005 at 04:52:45 PM EST

I appreciate your answer, and I'm not denying your reasoning - but is that the government's justification, or is it your own educated guess?

Your magnetic stripe experience surprises me.  I've never had one of those fail.  I had an ATM card that survived 12 years of frequent use before it literally fell apart.  Even then, it still worked fine, if I was careful to align the top and bottom pieces before putting it into the machine.


[ Parent ]

WTF? only the key is needed... (none / 0) (#27)
by vqp on Fri Nov 11, 2005 at 03:18:00 AM EST

I don't understand the efforts to put all the information in the chip, it's useless and it can be forged.

Why don't they use an online (or even offline) centralized system to store all the information, uniquely identified by the RFID key?

I know that privacy-paranoids will complain and say that a database with personal data is dangerous in the hands of government. Wake up: they already have it! So why make the identification process cumbersome? Is it really so difficult to understand?

You already carry a unique ID that can be scanned from a 10 meter distance: it's your face. And the government already has your photo in their database. It is a question of time (20 years to be conservative) in order to develop a consistent face recognition system.

Then all these whinings will be over.

happiness = d(Reality - Expectations) / dt
