Slashdot Mirror

← Back to Stories (view on slashdot.org)

No Encryption For RFID passports

Posted by Hemos on from the continued-stupidity dept.

Spy der Mann writes "Despite widespread criticism from security experts, the government is declining to encrypt data on RFID passports. Lee Tien, an attorney at the Electronic Frontier Foundation, said: 'It is my understanding it's possible to read this information from 10 to 30 feet away with the right equipment.' Considering gadgets like the BlueSniper as 'right equipment,' I think he's got a point. Tinfoil covers, anyone?"

5 of 73 comments (clear)

  1. Re:Why put ANY data on passports? by JRIsidore · · Score: 2, Interesting

    From the technical point of view you are right, storing just a unique ID would be the simplest way. But this does not fit well into the scheme of privacy. With your solution you will have no control about who uses the data belonging to your ID. If you store the data directly in the passport chip you have the full control to either allow or deny someone to read it.

    --
    :w!q
  2. Yagi equiped sniper rifle by Terri416 · · Score: 4, Interesting

    Put a nice long Yagi on a sniper rifle and a PDA to control it. Go to a convenient rooftop and survey your choice of targets. Choose a likely one and squeeze lightly .. the Yagi sends an activation pulse to the target's passport and listens for the nationality .. "USA". A second later, one less Merkin.

    Your tax dollars at work!

    Actually, a hidden roadside bomb is more likely. You can even target on the basis of other data, such as name or religion. Great fun.

    I already have my aluminium card holder.

  3. Re:no security better than thinking you've got som by Sylver+Dragon · · Score: 2, Interesting

    Better yet, if they really want to store data, without broadcasting, and no need for a battery, use a contact smart-card. Those little guys can store all the data you would need for a photo, plus a few lines of text, and a signature of some sort. And, the only way you can read it, is by placing the chip physically in a reader. the only drawback I see with it, is that the contacts may wear out over time. Honestly, I'm not sure how many reads one can get before they wear down, but I do know that its a rather large number.
    If anything, this is just irresponsibility from the governemnt at its finest. Putting unencrypted data on a device that can be queried from a distance is unbelievably stupid. And I don't see how this is going to help security in the long run. Anybody can buy RFID smart cards. All a "terrorist" would have to do is pose as a security company, and buy the cards, in bulk, from a supplier. Figure out the algorithim to make a correct digital signature, and then start printing their own cards. Embed them is a halfway convincing passport (no longer even needs to hold up to close visual inspection), and viola! instant "Get into the US free" card.
    It never ceases to amaze me, the government is spending all of its effort running around trying to convince people to "fear the terrorist", but in the end, they are just making it easier for them to get in. I guess this "War on Terror" is little more than a thinly vield effort to erode civil rights. Its the perfect scam really, pretend to be doing everything to make people safer, while, in reality you relax security. More terrorist style attacks get through, and people get more scared. They then will be willing to give up even more liberty for security. Wash, rinse, repeat. In a few short years, you have the people willing to put up with anything, so long as it makes thing think that they will be safer. Machiavelli would be proud.

    --
    Necessity is the mother of invention.
    Laziness is the father.
  4. Re:Full Control by JRIsidore · · Score: 2, Interesting

    Duh... there are some security concepts that require the reading machine to have visible access to your passport. Before any personal data is exchanged the reader has to authenticate itself by sending the RFID chip a secret key that is imprinted inside the passport. So without making an image of the passport or reading a barcode etc. the reader is unable to retrieve any data.

    --
    :w!q
  5. Re:Why put ANY data on passports? by WaterSlapjes · · Score: 2, Interesting

    The reason is quicker transfer of more data (high resolution pictures of your face, biometric information like fingerprints) than can be achieved with the paper version.

    It should be noted that it is only the US that does not deploy "basic access control", which effectively locks out RFID readers unless they can optically read the passport (e.g. it is on the scanner).

    Europe and Japan are implementing this privacy protection. The irony is that especially for US citizens the threat of identity theft is (still?) much higher then for European and Japanese citizens...

    Technically: the access to the data requires successful authentication against a hash of the four lines of data on your passport ("MRZ") and setup of an encrypted tunnel ("secure messaging" in smartcard terminology) before allowing access to the data. Effective strength is about 30-40 bits.

    See http://www.icao.int/mrtd/ for more technical information (assumes working knowledge of smartcard protocols and tolerance of government talk).