Slashdot Mirror


Fatal Flaw Weakens RFID Passports

fmwap writes "Wired news is reporting on new measures being taken to ensure RFID in US passports are not traceable. Encryption will be implemented via a key printed on the passport, which will be read by an optical scanner. The problem is the RFID serial number used for collisions will not be encrypted as is required for communication, thus still allowing tracking." We've previously reported on the decision to chip U.S. passports. From the article: "To its credit, the State Department listened to the criticism. As a result, RFID passports will now include a thin radio shield in their covers, protecting the chips when the passports are closed. Although some have derided this as a tinfoil hat for passports, the fact is the measure will prevent the documents from being snooped when closed." Update: 11/04 16:08 GMT by Z : Edited for accuracy.

4 of 281 comments (clear)

  1. Microwave your Passport? by n76lima · · Score: 4, Interesting

    So its time to Microwave your new Passport for a few seconds to cook the RFID device, right?

    --We don't NEED no stinkin' sig!

    1. Re:Microwave your Passport? by Marillion · · Score: 4, Interesting
      If the destruction can appear as innocent "wear and tear" one can always feign innocence. It wouldn't put a foil lined document in a microwave, however.

      I'm not too worried about the data that's on there. The level of sophistication required to acquire and decrypt my details is pretty high. I'd be more worried about a lightning strike.

      This is the scenario that give me the willies: The "ping" scenario. Most of us know about the internet tool called ping. A terrorist (or anyone else with strong motivations against the US) is walking down the streets of Paris or Frankfort or Cairo or wherever looking for Americans. He doesn't care who the American is, he just cares that someone is an American. He walks down the street getting within a foot or two of people until he gets an RFID ping.

      RFID Ping == American.
      American == Target.

      I've yet to hear anyone adequately appease this concern.

      --
      This is a boring sig
  2. Re:kidnapping travelling americans made easy by Catbeller · · Score: 4, Interesting

    My mom used to work at the welfare office for the Cabrini Green projects in Chicago. She used to listen to some of her fellow workers sitting at screens, data mining the client's records for people who weren't at home during working hours. They were using the information to rob the empty homes during lunch hours. True story.

    Technology gives bad people with power ever more ways of fucking you over. If they DON'T need the tool, don't give it to them. We didn't need RFID passports before, and we don't need them now. Misdirection is afoot. What ELSE are they adding to the passports besides RFID? Get that question answered, and you'll know how they are fucking us in brand new ways.

    When a corporation or a government (in the U.S., indistiguishable now) wants a new way to track people, it's never for the citizens' good, but for their own. Acquiesence to tyranny happens a tiny bit at a time. In twenty years, a whole generation of the world's people will have grown up in a virtual prison, and won't even notice.

  3. my understanding... by YesIAmAScript · · Score: 4, Interesting

    I expressed similar questions when reading the previous articles. Why not a barcode? An RFID system only has an identifier, a key ot a database. A barcode could have actual data on it.

    From one of the responses to the previous articles of this sort, I understand that the system here is a bit different than regular RFID. One is that this system actually does have information in it, not just an ID. That doesn't relate to your question, but I found it very enlightening.

    Another thing this system does is it is a challenge-response system. That is, it has information in it that is not emitted until you give the right information to it. Perhaps this is the information in that barcode on the password, I dunno. Anyway, a barcode is there for everyone to read, it cannot hide itself until the right key is given to it. The content could be encrypted, but once you take a picture of the barcode, you have its data, you could work on cracking it later, and the "owner" of the barcode wouldn't even know you were doing it. With this system, you can only work on extracting its secrets when you are in proximity to the chip. In addition, it is possible for the chip to monitor and know that you successfully passed its test and got its info. So you will at least know if you've been had when the "successful reads" counter (if it has one) is higher than you expected.

    All in all, it seemed like a reasonable system to me. The actual presence of data (as opposed to just a key), the tinfoil cover and the requirement to read the barcode optically before you can get the data (other than ID) out all just adds up to a pretty good system to me. Definitely far better than the representations of it I had seen earlier.

    --
    http://lkml.org/lkml/2005/8/20/95