Slashdot Mirror


Fatal Flaw Weakens RFID Passports

fmwap writes "Wired news is reporting on new measures being taken to ensure RFID in US passports are not traceable. Encryption will be implemented via a key printed on the passport, which will be read by an optical scanner. The problem is the RFID serial number used for collisions will not be encrypted as is required for communication, thus still allowing tracking." We've previously reported on the decision to chip U.S. passports. From the article: "To its credit, the State Department listened to the criticism. As a result, RFID passports will now include a thin radio shield in their covers, protecting the chips when the passports are closed. Although some have derided this as a tinfoil hat for passports, the fact is the measure will prevent the documents from being snooped when closed." Update: 11/04 16:08 GMT by Z : Edited for accuracy.


  1. TFA is inconsistent by Agelmar · · Score: 4, Informative
    TFA is flawed and inconsistent with its own citations. RFID chips in passports can not be read from a distance of 69 feet. If one reads TFA, it links to a Washington Post blog about RFID tags being read from 69 feet at Defcon. If you actually follow the link and read the story, however, you see:
    Los Angeles-based Flexilis set the world record for transmitting data to and from a "passive" radio frequency identification (RFID) card -- covering a distance of more than 69 feet. (Active RFID -- the kind being integrated into foreign passports, for example -- differs from passive RFID in that it emits its own magnetic signal and can only be detected from a much shorter distance.)
    The author is misrepresenting articles that he cites! wtf?
    1. Re:TFA is inconsistent by starrift · · Score: 5, Informative

      The RFIDs in the passports are passive. They were to be active but that was canceled. I think you may be "misrepresenting articles."

    2. Re:TFA is inconsistent by Anonymous Coward · · Score: 1, Informative

      The foreign passports cited in the Post blog use magnetic, active RFID. The State Department-mandated passports are to use passive RFID, like the sort that was tested at DefCon.

    3. Re:TFA is inconsistent by drinkypoo · · Score: 2, Informative

      Besides, as the blurb says, they can't be read unless the passport is open. So long as you keep it shut they can't read it at all.

      Do you really believe that?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:TFA is inconsistent by SiliconEntity · · Score: 4, Informative

      Los Angeles-based Flexilis set the world record for transmitting data to and from a "passive" radio frequency identification (RFID) card -- covering a distance of more than 69 feet. (Active RFID -- the kind being integrated into foreign passports, for example -- differs from passive RFID in that it emits its own magnetic signal and can only be detected from a much shorter distance.)

      This article (from the WaPost blog) is confused. Active RFID has a battery attached to the chip. It has MUCH higher power and MUCH higher range. It can be used for tracking animals in the field and similar purposes. You can receive a signal from hundreds of yards away or even more. It's really unlimited depending on how much power you use.

      Passive RFID has no internal power supply. It gets power from the radio signal that is used to query it. These chips have a much lower range. Generally, the power required to query a passive RFID goes as the fourth power of the distance. I can't imagine successfully querying one of these things from 70 feet. That is some pretty impressive antenna technology, either that or they were using a microwave beam so intense that it would be dangerous to get in front of it.

      AFAIK all passports would be passive RFID. Nobody has proposed to put batteries in them, because of battery lifetime issues among other problems.

  2. Re:Microwave your Passport? by MntlChaos · · Score: 2, Informative

    How else do you think they'll react when they'll expect a RFID signal and will get none?

    They'll assume the RFID chip broke. It happens occasionally. My college has had RFID-based ID cards, and there have been instances when the cards just suddenly stop working. The office in charge of them seemed to know that this occurred and was ready to make new cards if needed.

  3. Specialized Hardware... by NelsonM · · Score: 3, Informative

    "A demonstration has been made that using specialized hardware, the signal can be intercepted from up to 69 feet."

    Is this anything like the BlueSniper?

  4. Beat the RFID - renew now by davidwr · · Score: 3, Informative

    Get or renew your passport now and it should be RFID-free for the next 10 years.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  5. Re:German passport by slavemowgli · · Score: 3, Informative

    If you want to visit the USA, you just may have to get a new one soon, anyway (considering that they implemented this in order to still be eligible for the visa waiver program) - either that, or apply for a visa, which isn't exactly a walk in the park, either.

    Case in point: I have a friend who lives in Sweden who once needed a visa. Outside of having her photo taken by a photographer certified by the US embassy (a regular photo used for passports etc. wouldn't work), she also had to come to the embassy in Stockholm in person to be interviewed - a six-hour train drive, FWIW, and the fact that they gave her an appointment at 8:30 Monday morning meant that she had to arrive on Sunday already, too (so in addition to the train ride, she also had to pay for a hotel room for one night). The interview itself was pretty much straightforward, from what she told me, but relatively long - more than half an hour. And the security measures were rather tight, too; for example, she had brought a bottle of water, and she actually had to drink that before being allowed to enter. And not just some of it, in order to prove it wasn't poison or whatever they suspected it might be - all of it.

    The whole thing, IMO, was/is extremely idiotic, but considering that she needed the visa, she had to put up with it.

    I'm not sure, but if that's the price you have to pay in order to get a visa, even in a highly developed country like Sweden (or Germany, for that matter), then having an RFID passport almost sounds like the lesser evil - at least you can put that into a leaded box and leave it at home whenever you're not travelling. (When you are, to the USA at least, all bets are off, anyway; you'll be fingerprinted and photographed upon trying to enter, and I wouldn't be surprised if in a few years, they'd conduct random body cavity searches as well. The problem is that pretty much no one here actually cares - after all, it all just happens to foreigners, anyway.)

    --
    quidquid latine dictum sit altum videtur.
  6. Re:Why contactless? by Conare · · Score: 5, Informative

    Excellent Question!

    US Passports have a validity of 10 years. Modern contact chips in smart cards have an estimated life of 4-5 years. So you would theoretically have to get at least twice as many passports. Also, you can't really just replace passports with smart cards because not every country in the world will be able to read those smartcards at the get go. (Think Chad or other 3rd world countries) so you have to continue to use a typical human readable passport. This program is designed for the 27 or so VISA-waiver countries. There was no way that anyone was going to successfully mandate a single physical form factor for the passports of 28 different sovereign nations, but they were able to (finally) reach an agreement on an embedded chip, interface and some minimal and optional contents. These were the driving reason for contactless, and it is unfortunate that the US State Dept. did not consider privacy from the get go. But thanks to a public outcry, now they have.

    Someone else asked what was wrong with the current passports. In a word, the answer is forgery. The new passports include a digital signature across the entire contents of the passport including the photo. So if I as a bad guy, take your passport and try to replace your photo with mine, either the photo on the chip won't match, or if you somehow figure out how to replace the photo on a chip that has had its write mode disabled permanently, the digital signature will not verify. So with the new passports, the only way to get an undetectable forgery is to get the real thing through the passport office, probably not impossible (think bribes and extortion of issuance officers), but now we have an honest shot at detecting it, and if one does turn up, you might be able to go back and figure out who issued it. This has an additional side benefit in that it makes stealing chip equipped passports worthless. This should help increase the security of travellers who are sometimes attacked or robbed solely for their passport.

    In my opinion, now that steps have been taken to reduce the possibilities of skimming, the benefits of the new passports outweigh the negatives. Schneier's alarmism about the serial numbers is just that. If someone really wants to track people so badly that they will start building databases of those serial numbers and correlating them with information that they have obtained through some justified mechanism, just so that they can track you when you happen to have your passport open anyway, then they are going to track you, and there is not much you can do about it anyway. This is roughly the same risk as having a hidden camera near a point where you open your passport (or someone opens it for you). It's just too far to go for the limited benefit. The new protections have tipped the balance in favor of the new ePassport, and while Schneier does point out a flaw that is unfortunate, it is certainly repairable in the future, and not "fatal". If the US starts issuing passports without the flaw in the next few years (before all the passports with no chip at all expire) no one will bother trying to attack passport security in this fashion. It just isn't worth it.

    --
    Stop Continental Drift! Reunite Gondwanaland!
  7. So wrong by Conare · · Score: 2, Informative

    wrong. There are still 2 important benefits:

    1. Contact chips only last 4-5 years. US passports are valid for 10. The contactless chip is more durable.
    2. There is no need to attempt to mandate the exact size and shape of 28 countries' different passports. Very difficult, especially in the current political climate. Remember that this initiative started when the US said you have to do this to be a visa waiver country. The International Civil Aviation Organization then set the standards. So don't blame just the US for the fact that it's an RFID chip. 28 countries agreed to this because it was the path of least resistance.

    Also, I don't think optical codes can store as much data as this RFID chip, but I may be wrong about that

    I see your B.S. and raise you!

    --
    Stop Continental Drift! Reunite Gondwanaland!
  8. The new European Passports will not have this prob by Cili · · Score: 2, Informative
    from TFA:
    RFID chips, including the ones specified for U.S. passports, can still be uniquely identified by their radio behavior. Specifically, these chips have a unique identification number used for collision avoidance. It's how the chips avoid communications problems if you put a bagful of them next to a reader. This is something buried deep within the chip, and has nothing to do with the data or application on the chip.

    Chip manufacturers don't like to talk about collision IDs or how they work, but researchers have shown how to uniquely identify RFID chips by querying them and watching how they behave. And since these queries access a lower level of the chip than the passport application, an access-control mechanism doesn't help.

    To fix this, the State Department needs to require that the chips used in passports implement a collision-avoidance system not based on unique serial numbers. The RFID spec -- ISO 14443A is its name -- allows for a random system, but I don't believe any manufacturer implements it this way.
    The new European Passports have this problem, too. I worked three months with the Radboud University in Nijmegen, Netherlands on this issue. We tested a pair of sample passports and each had a unique serial number (called UID in the ISO standard).

    The only way to solve this is to randomly-generate the UID on the RFID during the anti-collision process, which dramatically increases the cost of the card. Encrypting the UID is out of the question because the anti-collision process is very low-level.

    To the people who are scared of identity theft: this flaw does NOT expose the information on the card, so an attacker using this will NOT get your photo, name, age, fingerprint minutiae, etc. The only malicious way this could be used is to recognize a person identified before.

    But the area where the anti-collision process can be eavesdropped on is at least 10m (some 30 feet), because a part of the process requires that the RFID reader broadcast the UID of the card it selects for communication. Wrapping the passport in tin-foil will protect you from hidden readers, so your passport will not be detectable in your pocket.
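
The difference between a fixed and a randomly generated anti-collision UID, discussed in the comment above, can be shown with a small model. This is an added example, not part of the thread or of any passport implementation; it assumes a single-size (4-byte) Type A UID, the ISO/IEC 14443-3 convention that a first byte of 0x08 marks a random UID, and a constructed sample UID.

```python
import secrets
from functools import reduce

RANDOM_UID_PREFIX = 0x08  # ISO/IEC 14443-3 Type A: uid0 == 0x08 marks a random UID


def bcc(uid):
    """Block check character: XOR of the four UID bytes in the anti-collision frame."""
    return reduce(lambda a, b: a ^ b, uid, 0)


class Card:
    """Constructed model of a card answering the anti-collision loop."""

    def __init__(self, fixed_uid=None):
        if fixed_uid is not None and len(fixed_uid) != 4:
            raise ValueError("model covers single-size (4-byte) UIDs only")
        self.fixed_uid = fixed_uid

    def enter_field(self):
        """Return UID + BCC as sent in the clear each time the card is powered up."""
        uid = self.fixed_uid or bytes([RANDOM_UID_PREFIX]) + secrets.token_bytes(3)
        return uid + bytes([bcc(uid)])


def classify(frame):
    """Audit check: does an observed anti-collision frame carry a fixed or random UID?"""
    if len(frame) != 5 or bcc(frame[:4]) != frame[4]:
        return "invalid"
    return "random" if frame[0] == RANDOM_UID_PREFIX else "fixed"


def linkable_sessions(frames):
    """Count sessions whose UID was already seen: what a passive observer can correlate."""
    seen, repeats = set(), 0
    for frame in frames:
        uid = frame[:4]
        repeats += uid in seen
        seen.add(uid)
    return repeats


if __name__ == "__main__":
    fixed = Card(bytes.fromhex("1a2b3c4d"))  # constructed sample UID
    rand = Card()
    for name, card in (("fixed", fixed), ("random", rand)):
        frames = [card.enter_field() for _ in range(10)]
        print(name, classify(frames[0]), "linkable sessions:", linkable_sessions(frames))
```

Running `classify` over frames captured from your own test documents is a quick way to confirm whether an issued chip actually uses the random-UID option.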