RFID-Reading Passport Scanners Installed

Kozar_The_Malignant writes, "Electronic passport scanners have been installed at SFO. Ten of the scanners were received last week and have now been put in service. Various creative responses have been discussed here before."

Faraday Cage Suit

[corroncho]

I knew that farady cage suit would come in handy some day!!!
___________________________
Free iPods? Its legit. 5 of my friends got theirs. Get yours here!

can they be opened with a Diebold key or bar key?

[speculatrix]

anyone tried to open them their hotel mini-bar key?

Various Creative Responses

[Tackhead]

> New U.S. e-Passports contain a 64 kbit RFID chip with personal information about the passport holder.

After reading last night's thread, I suppose encoding ~250 copies of the string "Kip Hawley is an idiot. Michael Chertoff is also an idiot" into an off-the-shelf 64kbit chip, putting the chip in a small wad of gum, and then swallowing the gum, is no longer an option.

Well, so much for my weekend.

Re:Do passports already have RFID's in them?

[in2mind]

from the prev Slashdot article :

State Department spokeswoman Janelle Hironimus said existing passports will remain valid until they expire but, eventually, all U.S. passports -- about 13 million will be issued in 2006 -- will contain such chips

Wrapping your passport in Tinfoil?

[Yahma]

There is the ever present theory that wrapping something in tinfoil will prevent RFID communications from working. Does anyone know if this is true or has been tested? If it works, just wrap your passports in tinfoil.

Yahma -- BLASTProxy.com - A public anonymous proxy server that allows you to bypass firewall restrictions at home and work and surf safely.

Re:Wrapping your passport in Tinfoil?

[Bruce+Perens]

Look up "Faraday Shield". It works, but I can think of some approaches to get through it, although I doubt that any current RFID device uses them. Testing is always a good idea. And aluminum foil is not the most attenuating material, just the cheapest and by far the most easily available one.

Bruce

Passport Cases Now Become Important

[Bruce+Perens]

I have a passport case and will be sure to line it with mu-metal (not just aluminum foil) when I get a new passport in a few years. I'm sure that similar things will be up for sale. Indeed, if there's a manufacturer out there who wants to work on this, and knows sewing better than technology, write to bruce at perens dot com.

Bruce

Re:Passport Cases Now Become Important

[Bruce+Perens]

I guess this is something that not everybody understands yet. Of course you'd take the passport out of the case when there's a legitimate occassion to read it, like going through immigration security at some country (which I do a few times a month). The problem is that people can read it while it's in your pocket, with the right equipment, wherever you go, all the time, hundreds of times per day. And having it in a mu-metal case when you do not expect it to be read would be a good security practice. Is that more clear?

Thanks

Bruce

Re:Passport Cases Now Become Important

[kevin_conaway]

It already has a cover

Metallic anti-skimming material incorporated into the front cover and spine of the e-passport book prevents the chip from being skimmed, or read, when the book is fully closed;

Re:Passport Cases Now Become Important

[hcob$]

The problem is that people can read it while it's in your pocket, with the right equipment, wherever you go, all the time, hundreds of times per day. And having it in a mu-metal case when you do not expect it to be read would be a good security practice. Is that more clear?

I guess I'm going to be saying this often today. All you have to do is close the passport, there is a faraday cage in the cover that is completed when the cover is closed.

To the conspiracy wonks - entertain me

[Quiet_Desperation]

Oh, please do try and foil (pun intended) the RFID readers. Please. And bring a friend with a video camera so we can watch the resulting hilarity on YouTube.

Range can be increased

[Bruce+Perens]

There is a time-honored tradition of making RF signals go as far as possible. It's the first thing any kid tries with a walkie-talkie: how far can it go? It's possible to make RFID devices read from farther than designed by using higher power to energize the RFID and a higher-gain antenna to read its response. Certainly it will be practical to read these things as people walk through a door frame, with the proper equipment.

Bruce

Re:Range can be increased

[hcob$]

Is there any way to energize an unshielded card from more than, say, 5 feet away, or is the danger primarily from people with readers brushing up against you for a reading?

Sure, all that possible. If you leave your passport open(closing it completes the faraday cage in the cover). Of course, people can also read all the data on your passport whenever they open it using this ancient technology called "eyes". And if you want to extend their range, you just have to get a few "lenses" and you can see it a good ways away!

Re:Range can be increased

[Em+Adespoton]

Is there any way to energize an unshielded card from more than, say, 5 feet away, or is the danger primarily from people with readers brushing up against you for a reading?

The issues seem to be the following:
1) RFID chips are activated by the EM energy delivered from the reader.
2) When closed, the passports in question are contained in a complete farraday cage, blocking any EM radiation from passing between the inside and outside of the passport.
3) When open, the regular rules of electromagnetic radiation hold true (inverse square law?). You need exponentially more radiation to power the passport each time you double the distance away you are.
4) Devices with a 3V, 1A power supply are designed to read the cards at a distance of 3" (numbers pulled from my head; might not be 100% accurate). Using napkin mathematics, assuming a similar sized antenna, at 6", you would need 9V, and at 1' you would need 81V. At 2' you would need roughly 6.5kV. At 4' you would need roughly 43mV. This is to activate the chip, not to read it.
5) Reading an already activated chip with a passively receiving device would be much simpler; it could easily be done from 10' away with a 3V power supply and a larger antenna.

So, according to my flawed calculations: nobody is going to be reading a closed passport, only people with a pretty large generator are going to be activating and reading a passport from anywhere further away than a few inches, and anyone in line of sight (and some not in line of sight) could be reading your passport as it is simultaneously being read by official readers.

TravelTags

[EssTiDee]

This really isn't all that horribly different from the TollTags, EasyPasses, and basically every other scannable devices that identifies the device-holder. Your passport is the property of the government -- has been, and will continue to be. If they want to make it easier to check / scan / whatever, so be it. While I worry about the security of their online database, it's not really any less secure than it has been in the past. I say there's no real change taking place here, except maybe if not too many of the people in front of me in line have lined their passport holder with tin foil, rig their chips with some hate-message, and/or any other potentially disturbing thing, perhaps the line might move a little faster and I'll make my connecting flight once in awhile...

Re:Do passports already have RFID's in them?

[malsdavis]

My mate got a new British passport a couple of weeks ago. The 2nd last page or so has a chip and a large rectangular loop of wire shaped in it. From what I remember, the rectangular loop of wire measured about 8cm long by 2cm high or so.

Here's a smallish picture of what the RFID bit looks like: http://www.telegraph.co.uk/news/graphics/2005/11/1 8/npassport18.jpg

Fine by me

[lawpoop]

I have no problem with RFID in the passport, as long as it is implemented in an intelligent manner. I don't see it as any more of an invasion of privacy than the personal photo and address information, and also the log of my recent travels.

I plan on having an aluminum foil carrying case for my RFID passport, when I get one, so it can't be read without being opened. Recently I saw a link to a company that makes wallets with a metal foil already embedded in the leather, so RFID chips can't be scanned remotely. The also sell a foil insert that goes in the bill area. I acn't remember the name though -- I thought it was a wordplay with 'wallet' and 'magnet', perhaps the word 'envelope'?

The only thing I don't want is an RFID implant. You might wear a farraday armband, but the whole idea reminds me too much of Jews getting serial numbers tatooed shortly before they were shipped into the death camps.

aluminum cases through security anyhow?

[192939495969798999]

Has anyone actually tried to take an aluminum foil wrapped anything through airport security? I assume that would look suspicious to anyone, i.e. why the hell is it in foil, is it a bomb, etc. Did you get harassed at all? I actually just got a passport and am travelling far, far away, so I *could* try it...

Schneier says "rewew NOW"

[MrAtoz]

For what it's worth, Bruce Schneier is recommending that everyone renew their passports now so that you can avoid having a chipped one for another 10 years:

The security mechanisms on your passport chip have to last the lifetime of your passport. It is as ridiculous to think that passport security will remain secure for that long as it would be to think that you won't see another security update for Microsoft Windows in that time. Improvements in antenna technology will certainly increase the distance at which they can be read and might even allow unauthorized readers to penetrate the shielding.

As he says, "You don't want to be a guinea pig on this one."

He also says you can disable the chip by running the passport through the microwave, but "although the United States has said that a nonworking chip will not invalidate a passport, it is unclear if one with a deliberately damaged chip will be honored." My guess is that it would result in a long and painful trip to the customs interrogation area.

shielded cases for 18 dollars

[fantomas]

http://www.difrwear.com/products.shtml

looks like somebody's already selling them Bruce!

Re:Do passports already have RFID's in them?

[lcsjk]

I did some initial design for an RFID system last year. The credit card size unit has a microchip with memory and a coil of wire around the edge of the card (about 7cm x 5cm). THe coil is the secondary side of an air-core transformer and the reader (receiver) has the primary side. Note that it is not RF as in radio or telephone. It is a magnetic field. The reader has to send enough AC power through the air to the RFID coil so that a capacitor can be charged to give an operating voltage. When the voltage is high enough (milliseconds) the microchip will turn on and send its data to the receiver. My operating distance was small (less than 3 inches) because of limited reader power. However, if the reader had been transmitting more power from a longer distance (a few feet) I think it would have been able to read the data. The theory is easy, but the signal strength would have been smaller. We have equipment to read extremely small signals from space. Reading from a few feet away is most likely easy.

Typical Response without knowing the facts

[unPlugged-2.0]

Come on slashdot-folks I expected better than all these comments about tin-foil hats.

It's bad enought that I have to put up with this any time I talk to any non-techie about the fact that I work for an RFID company and no I am not evil and do not wish to track their every move and alert someone that they are using the bathroom too much.

--Now for the Facts--

There are two main categories for RFID systems on the market today. These are near field systems that
employ **inductive coupling** of the transponder tag or Smart Label to the reactive energy circulating around the reader antenna, and far field systems that couple to the real power contained in free space propagating electromagnetic plane waves.

The passports are (repeat after me) *inductive* which means that they are activated by a magnetic field which is amplified by that metal loop you see to provide power to read the memory on the chip. The claims that someone could build a reader to read your tag from even 10 or 20 feet away is ridiculous. It would require the creation of such a big magnetic field that it would probably zap all magnetic material (such as hard drives, floppy discs, usb keys) that I am sure someone would notice. Also in order to read the reflection of the magnetic field which is what determines the response (RFID works like an echo you yell at something and wait for the echo to figure out what the id is) you would need such a big receiver (note this is still for 10 - 20 feet only) that you would literally look like someone out of the verizon commercial.

I know us techies are generally oblivious to the outside world but I think if you saw someone like this within 10 feet you should generally notice. Also you should run because that magnetic energy will probably fry your nads among with other crucial body parts you may never use (sorry couldn't resist).

The only real danger is that some hot woman with an rfid reader decides to bump into you and just happen to place her hand where your passport is. If you foresee that happening a lot then I suggest you get a tin-foil cover. However if that happens to you a lot then you are probably not on slashdot and reading this anyways.

Sorry but I am a little sick and tired of hearing about all these security concerns by people who don't know how these systems actually work. Can you tell?

Re:Typical Response without knowing the facts

[Ludedude]

"Sorry but I am a little sick and tired of hearing about all these security concerns by people who don't know how these systems actually work. Can you tell?"

Sorry, but I am a little sick and tired about hearing about how there are no security concerns from the people who don't care about anything but selling their products to a government that wants more control over its people. Do you care?

Re:Typical Response without knowing the facts

[MisterBlue]

Most of the the comments in this forum are uninformed...

The passport case already has protection so the RFID cannot be read when the passport is closed. No need for tin-foil cases. (http://www.state.gov/r/pa/prs/ps/2006/70433.htm)

The contents of the RFID is your identifying information signed by a government key. The encryption has already been broken, but until the signing keys are compromised, new contents cannot be put into the RFID (refer to the many docuements on hashing and signing technologies).

There has been a lot of complaining about the RFID and after all the hearings, things were done to make the implementation better. My complaint is why they chose RFID -- if you have to open the passport, wouldn't an optical reader do just as well?

Re:Typical Response without knowing the facts

[NeutronCowboy]

Good points. However, there are two issues with electronic passports:
1) Someone can still read it remotely, and get access to all kinds of personally identifying information. Yes, you have to get close, but it still is quite possible. Ever seen pickpockets at work? They manage to *remove* your wallet without you noticing it. Considering the potential damage that can result from someone getting their hands on your passport, I'd rather not make it easier for people to access them.

2) You don't know what's on your passport. Yes, there are commercial RFID readers out there. Yes, you can probably buy one. Yes, you might even get it to work properly. But at what cost? Besides, is there any encrypted information on there? I'm sure the friendly US government won't give you access to the data on it. As for the dangers of what's on there... it will basically work like a permanent tag that people will trust completely. Just as an example of how easy it is to screw with these things, my current passport is a replacement for a lost one. However, some nitwit in database entry decided to mark my current passport as lost. Which means that everytime I enter the country, I get to sit for 45 minutes in the special triage section of customs and immigration. And it can't be fixed either - I asked several times.

In short, there is little benefit for me, but a whole lot of risk. I most likely will just fry my RFID chip when I get my new passport.

Re:Still ....

[Muad'Dave]

I mean it doesn't have personal information, even if decoded, so what use is it to anyone, except that it identifies you with a big random number like a cookie does.

Huh? You mean all of this personal info (PDF, see page 16) ??? You'll note that encryption is optional, but data integrity via a 1-way hash is mandatory.

Re:Range is a function of the reader

[mrchaotica]

The reader at the airport is limited. The reader being surreptitiously carried by the American-tourist-targeting mugger/kidnapper/whatever in whatever foreign country you're going to won't be.

Re:Do passports already have RFID's in them?

[sarabiz]

Yes, they began putting them in as of at least Summer 2005. I know this because I got married and needed to change my name on my passport. This used to require a simple addendum to the back and was free. However, since I had the old non-RFID passport, I was required to pay ~$70 for a new one. Suck.