Slashdot Mirror


Fatal Flaw Weakens RFID Passports

fmwap writes "Wired News is reporting on new measures being taken to ensure RFID in US passports are not traceable. Encryption will be implemented via a key printed on the passport, which will be read by an optical scanner. The problem is the RFID serial number used for collisions will not be encrypted as is required for communication, thus still allowing tracking." We've previously reported on the decision to chip U.S. passports. From the article: "To its credit, the State Department listened to the criticism. As a result, RFID passports will now include a thin radio shield in their covers, protecting the chips when the passports are closed. Although some have derided this as a tinfoil hat for passports, the fact is the measure will prevent the documents from being snooped when closed." Update: 11/04 16:08 GMT by Z : Edited for accuracy.
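
The tracking problem in the summary above, as an added example (not from the article or the submitter): a constructed Python model in which the anticollision UID is sent in the clear before the printed key is ever used, comparing a fixed UID with one re-randomized each time the chip is powered. The Tag class, the location names and the holder count are assumptions made up for illustration.

```python
import secrets
from collections import defaultdict

class Tag:
    """Constructed model of a contactless chip answering anticollision."""
    def __init__(self, randomize_uid):
        self.randomize_uid = randomize_uid
        self._fixed_uid = secrets.token_bytes(4)
        self._session_uid = self._fixed_uid

    def power_up(self):
        # Called each time the chip enters a reader field.
        if self.randomize_uid:
            # ISO/IEC 14443-3 marks a random 4-byte UID with first byte 0x08.
            self._session_uid = b"\x08" + secrets.token_bytes(3)
        else:
            self._session_uid = self._fixed_uid

    def anticollision_uid(self):
        # Sent unencrypted, before any key from the printed page is involved.
        return self._session_uid

def observe(tags, locations):
    """Log (location, uid) for every tag powered up at every location."""
    log = []
    for loc in locations:
        for tag in tags:
            tag.power_up()
            log.append((loc, tag.anticollision_uid().hex()))
    return log

def linkable_tracks(log):
    """Group sightings by UID; a UID seen at 2+ locations links them."""
    seen = defaultdict(list)
    for loc, uid in log:
        seen[uid].append(loc)
    return {uid: locs for uid, locs in seen.items() if len(locs) > 1}

def demo(randomize_uid, holders=5):
    # Constructed scenario: the same holders pass three reader locations.
    tags = [Tag(randomize_uid) for _ in range(holders)]
    return linkable_tracks(observe(tags, ["airport", "hotel", "bank"]))

if __name__ == "__main__":
    print("fixed UID, linkable holders: ", len(demo(False)))
    print("random UID, linkable holders:", len(demo(True)))
```

With a fixed UID every holder's sightings link across locations without the data on the chip ever being decrypted; with a per-session random UID the logs no longer correlate.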

16 of 281 comments

  1. What a surprise. by iainl · · Score: 4, Insightful

    As with the UK's attempts to push through ID cards, the politicians in charge have at best a vague fuzzy idea of what the technology can do, but it sounds funky so let's do it anyway.

    Tiny details like monumental security problems and the things plain not working don't exist in the simplified pitch they get from their lobbyists, so they continue to push it through anyway, on the grounds that it's "Anti-Terror".

    You don't support Terror, do you?

    --
    "I Know You Are But What Am I?"
  2. Re:Microwave your Passport? by UTPinky · · Score: 4, Insightful

    Yep... because tampering with federal documents is always the smartest thing to do...

    --
    I'm only paranoid because everyone is against me...
  3. So... by LiquidCoooled · · Score: 5, Insightful

    this magical RFID device needs to be opened manually, looked at, checked, optically scanned and then finally used as RFID to get the digital picture and print from the device?

    This is going to take 3x longer and be prone to more failures surely?
    This is a benefit how?

    Surely a 2d barcode would be better, or just use old tech mag swipe?

    Stupid mofo imbeciles.

    --
    liqbase :: faster than paper
  4. Re:TFA is inconsistent by Goaway · · Score: 2, Insightful

    What, are you expecting sensible, informed or balanced reporting on RFID to appear on Slashdot?

  5. RFID bandwagon? by phorm · · Score: 3, Insightful

    The passports will also include a 'Tin Hat' that limits the RFID signal to only a few inches

    I've got to wonder why, in this case, they don't use Magcards instead of RFID. Older technology, yes, but not any more limited for the use given, and a bit more secure as they require contact with the card to read. If they're supposedly going to limit the RFID to magcard limits, why not just use a magcard?

  6. Re:Microwave your Passport? by krakelohm · · Score: 4, Insightful

    So what would the point be if they just have to give you another passport? Just sounds like a waste of many peoples time to me.

    --
    You are all a bunch of idots.
  7. Open the passport, the whole thing falls apart by digitaldc · · Score: 3, Insightful

    "To its credit, the State Department listened to the criticism. As a result, RFID passports will now include a thin radio shield in their covers, protecting the chips when the passports are closed. Although some have derided this as a tinfoil hat for passports, the fact is the measure will prevent the documents from being snooped when closed."

    Well there has to be better protection for identity theft than having the passport closed all the time. You may not know whether it is open or closed, but it should have some way of notifying you if it is unsecured. How about having the passport just become a single card with some kind of flash memory built in?

    There are many other scenarios where the RFID tags could be exploited, but you will first have to put on your tinfoil hat in order to even conceive of any of these conspiracies.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  8. Re:Why Change? by heson · · Score: 2, Insightful

    Buzzword compliance.

  9. Re:Microwave your Passport? by johnpaul191 · · Score: 4, Insightful

    but if you cook it a second or two longer than needed it will burn the area where the chip is. a chip embedded in a plastic ID card is easier to destroy than one embedded in a basically paper document. did you ever see the pictures of the money people microwave? they have obvious burn marks where the chips supposedly are.

    and as also stated, having a non-functional passport may be flagged as possible forgery and lead to bigger issues.

    i am just as against the chips as anyone else, but think it through before you react. personally my passport needs to be renewed now so i will do that and not be an early adopter of the RFID model. hopefully any issues will show up and a fix will be worked out before i get a chipped one. by fix i even mean some 3rd party idea of a shielded passport wallet or something if that is what it comes down to.

  10. Please Explain The Fear and Uncertainty by mpapet · · Score: 4, Insightful

    The Benefits:
    For the average bad guy, a contactless module will make it much harder to fabricate an identity.

    Ideally, gov'ts have a better idea who is coming and going from a country and in a much more efficient manner.

    For the average person, this doesn't affect them at all.

    For the average dissident, the gov't still going to give them a hard time, so this might be one more way to make life difficult.

    The Bad:
    Bad guys can "collect" information. It's unclear to me what they would do with a unique identifier. They need much more than just the unique identifier. They would need to associate the identifier with (one assumes) the right identity. You don't need to be a bad guy to do that. You can buy most of it from totally legal companies right now. Please explain if I'm missing something here.

    Expensive! Understand that it's not just about a passport that will be at least 10x more expensive to make, but the infrastructure to make it work at least half-way decent is a huge project. I submitted my passport information at my local post office. Now, every agency that can accept passport applications has to be somehow connected to the place where the passport is made. Then how do the airports "know" the passport is authentic? More new infrastructure.

    The gov't collects information.
    Well, they do that already except they buy it from private enterprises. They watch the bad guys. They watch people that they view as threatening. I don't see what changes here. Furthermore, anyone that's been on /. for a little knows how easy collecting personal data can be.

    Am I missing something?

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  11. Passport still needs to be scanned??? by xlv · · Score: 4, Insightful

    Encryption will be implemented via a key printed on the passport, which will be read by an optical scanner.

    If an optical scanner needs to be used to read the encryption key, doesn't that defeat the no-contact advantage of RFID as the passport then needs to be close to the scanner? Why not just use some smart card technology and avoid the radio part altogether?

  12. Re:Time for see-through faraday cage by geoffspear · · Score: 2, Insightful

    When merchants start asking me to see my passport before they'll sell me anything, I'm moving to a unabomber-style shack in the woods and never talking to another human being again.

    --
    Don't blame me; I'm never given mod points.
  13. No more Radio Waves!!! by mmeister · · Score: 2, Insightful

    If the KEY is printed and thus has to be scanned, why don't they just print the information on there too? I mean, they are already planning to require you to put it across an optical scanner, so there must be another, unspoken, reason for using RFID.

    The reasoning behind using RFID Passports seems *VERY* flawed. I am suspect of any agency that is a proponent of such reasoning. I'm sure terrorists and boogeymen will be mentioned several times in the explanation as to why we should have this technology.

    Someone is hiding something!!

  14. Re:Put away your tinfoil hats... by moro_666 · · Score: 2, Insightful

    Instead of wearing the tinfoil armour, i suggest you look into the mirror, understand that most of the world really doesn't give a llama's ass about where who and why you are. If people are capable of scanning/tracking your rfid chip, they probably are talented enough to do much more profitable stuff.

    Don't let that ego cover you up in tinfoil, try to get in touch with reality for a second ... (and they tell me that i with my 128 bit encryption am being paranoid ... ha!)

    --

    I'd tell you the chances of this story being a dupe, but you wouldn't like it.
  15. Optical Scan + RFID? Why? by Irvu · · Score: 2, Insightful
    If they need to scan it optically in order to obtain the info, then why use RFID at all? Seriously, at best the only viable argument for RFID chips is that they might make those lines move a little faster. But now, for the sake of security we have to a) have the passport open, and b) have it scanned by an optical scanner. At which point absolutely nothing is gained by using RFID.

    To review:
    • RFID:
      1. Can be scanned by anyone in a remote fashion (without holder's knowledge).
      2. Supposedly this means the end of lines at passport offices.
      3. But it necessitates countermeasures to protect it (tinfoil shield).
      4. Said shield is unlikely to be perfect. If you hold it open in your hand (while waiting in line), open it to check it elsewhere, let it fall open in your bag, etc, it no longer helps.
      5. To protect data said chip is encrypted requiring an optical scan to verify. Optical data is itself imperfect in that it too can be scanned, but now much closer.
    • Old Method:
      1. Data is stored in human or machine readable form on the passport requiring optical scan.
      2. Data cannot be efficiently scanned remotely (i.e. without the holder's knowledge).
      3. But we end up waiting in long lines.


    Am I the only one who is beginning to think that RFID is a problem in search of a different problem? This news today proves conclusively that nothing is gained by using the chips. They open up pointless security holes and provide not one bit of protection.

    What a damned waste.
  16. Re:Put away your tinfoil hats... by Anonymous Coward · · Score: 1, Insightful

    I think you're overestimating the difficulty of snooping RFIDs. It's only going to get easier, too. You won't need to be an expert to snoop these passports; I'd bet you anything that soon after their introduction you'll just need a laptop, some cheap add-on, and some easily downloaded software.

    Now, about people not caring who you are. That may be true for the most part, but did you even read the article? What about the example of bombs that are triggered by Americans in their proximity? What about criminals looking for victims (travelling Americans) out of their element in a foreign nation?

    It's a bad idea to design systems with known security flaws, when the solutions are well known and actually cheaper than the broken design itself. In this situation, the solution is a smart-card with physical contacts for the reader.