Slashdot Mirror

← Back to Stories (view on slashdot.org)

No Encryption For RFID passports

Posted by Hemos on from the continued-stupidity dept.

Spy der Mann writes "Despite widespread criticism from security experts, the government is declining to encrypt data on RFID passports. Lee Tien, an attorney at the Electronic Frontier Foundation, said: 'It is my understanding it's possible to read this information from 10 to 30 feet away with the right equipment.' Considering gadgets like the BlueSniper as 'right equipment,' I think he's got a point. Tinfoil covers, anyone?"

9 of 73 comments (clear)

  1. Why put ANY data on passports? by Andy_R · · Score: 4, Insightful

    Even if you accept that RFID should be incorporated in passports (and the concept of terrorists and criminals owning a hand-held US-passport detector should be more than enough reason to realise it's a completely dumb idea), then why on earth should there be any locally stored data?

    If the passport held a unique ID number and nothing else, then sensitive data could be stored somewhere safe off-site, rather than in the back pocket of a potential terrorist.

    --
    A pizza of radius z and thickness a has a volume of pi z z a
    1. Re:Why put ANY data on passports? by Wwolmack · · Score: 4, Informative

      It's an anti-counterfeiting measure.

      From TFA:
      [the RFID contains] all the information on the data page of the passport, including name, date and place of birth, and a digitized version of the photo passport [passport number, and date/place of issuance]

      So thanks to the digital signature (however strong that may be), passport forgers will need to crack the signature to create a passport with matching name, photo, etc. that would pass muster. Its basically adding another layer of difficulty for forgers.

      Of course, this still ignores the potential of:
      -Skimming via a bluesniper
      -Forgers creating fake rfid chips (how hard/far off can it be, now that this will be the primary goal of passport forgers?)

      The decision to rely on a digital signature (which is basically crypto!) and not encrypt the data is positively loopy. They haven't even decided what kind of signature it will be, and weakenesses in cryptographic methods are discovered all the time.

  2. Better yet by Creepy+Crawler · · Score: 4, Insightful

    Either remove the RFID bug or fry it with microwaves.

    Either way, just guarantee there's nothing to harvest information from.

    Still, I fail to understand why anybody would want encryption on it.. Encryption schemes are broken, as are signing algorythims and other complex mathematical constructs. COnsidering how long passports have been around, would you trust your data to DES?

    --
  3. Tinfoil automobile... by advocate_one · · Score: 3, Funny

    just what you need when driving around town with your new RFID enabled passport... amazing how things just pop up when the topics are appropriate...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  4. Tinfoil cover built in! by IO+ERROR · · Score: 4, Informative
    From the article:

    The State Department concedes that skimming is a legitimate threat, but says the chips will have a read range of inches, that eavesdropping at border stations would be very conspicuous and that the passports will have a shielding mechanism -- perhaps a foil case or a weave in the cover that will cloak the chip when the passport is closed.
    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
  5. no security better than thinking you've got some by martin · · Score: 3, Insightful

    Of course should they have encrypted/passwd prototected the security, and then some person cracks that method they'd be in trouble too.

    Knowingly having zero security *can* be better than having poor security and thinking it's strong security. eg the early 802.11 standards where security was thought to be good and turned out to be abismal, the css on DVD's etc.

  6. RFID allows facial ID by SimianOverlord · · Score: 4, Informative

    According to the wired article: Agents will also be able to use facial identification software to compare the person to the digitized photo, which is not feasible with current passports.

    Which is interesting because, according to this the error rate for real time facial recognition: the current error rate is 20% [...] this implies that out of 50,000 match scores there are 1,000 errors.

    Enjoy the wait. Remind me how many of the 9/11 hijackers had invalid passports?

    --
    Meine Schwester ist sehr, sehr reizvoll - Nietzsche
  7. Encryption would have accomplished nothing... by anthony_dipierro · · Score: 3, Insightful

    We're talking about RFID here, these things aren't powerful enough to do any processing themselves, you can just read data from them. So if you use encryption, then you've gotta give anyone who needs to read the thing a decryption key - customs agents in every country of the world. It would be a matter of minutes before the decryption key got into the hands of criminals.

  8. Yagi equiped sniper rifle by Terri416 · · Score: 4, Interesting

    Put a nice long Yagi on a sniper rifle and a PDA to control it. Go to a convenient rooftop and survey your choice of targets. Choose a likely one and squeeze lightly .. the Yagi sends an activation pulse to the target's passport and listens for the nationality .. "USA". A second later, one less Merkin.

    Your tax dollars at work!

    Actually, a hidden roadside bomb is more likely. You can even target on the basis of other data, such as name or religion. Great fun.

    I already have my aluminium card holder.