Hackers Clone RFID Passports

It was demonstrated today at the BlackHat conference.

Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country's e-passport, since all of them will be adhering to the same ICAO standard.

In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He obtained the reader by ordering it from the maker -- Walluf, Germany-based ACG Identification Technologies -- but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.

He then launched a program that border patrol stations use to read the passports -- called Golden Reader Tool and made by secunet Security Networks -- and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template.

Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader -- which can also act as a writer -- and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.

As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information.

The result was a blank document that looks, to electronic passport readers, like the original passport.

I've long been opposed (that last link is an op-ed from The International Herald-Tribune) to RFID chips in passports, although last year I -- mistakenly -- withdrew my objections based on the security measures the State Department was taking.

That's silly. I'm not opposed to chips on ID cards, I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.

Sure, the State Department is implementing security measures to prevent that. But as we all know, these measures won't be perfect. And a passport has a ten-year lifetime. It's sheer folly to believe the passport security won't be hacked in that time. This hack took only two weeks!

The best way to solve a security problem is not to have it at all. If there's an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there's no RFID chip, then the security problem is solved.

Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can't do, I am opposed to the idea.

Crossposted to the ACLU blog.

Posted on August 3, 2006 at 3:45 PM • 65 Comments

Comments

swiss connectionAugust 3, 2006 4:10 PM

I'm sure it's been posted on this blog before: What is the cheapest most effective way to shield and RFID chip from unwanted scanners?

timAugust 3, 2006 4:11 PM

Also worth noting is this:
http://www.youtube.com/watch?v=-XXaqraF7pI&eurl=

The video shows that the "shielded" US RFID passports can be read from distance if they are opened even 1/2" - which might happen if you for example wrapped your passport around your plane ticket folder. They then go on to show a demonstration of a possible "smart" terrorist bomb that waited until it detected a particular country's RFID passport before detonating. Although fairly low-tech, the video was chilling, to say the least.

nashAugust 3, 2006 4:14 PM

When I explain RFID to people who have never heard of it I try and compare it to magnetic stripes and barcodes. Barcodes can be read by anyone (or camera) within line of sight. Magnetic stripes are better because you have to have control of the stripe and have a reader to read it...
But RFID is worse than both of them. You not only dont need access, you dont even need line of sight. And even if you cant read the RFID it'd be easy to detect that a specific person has one on them, and then mug/steal it from them.

egeltjeAugust 3, 2006 4:19 PM

So now we are back to the security guard at the passport control checking if the photo on the plastic (passport) matches that on the screen (rfid chip) and matches that in real-life. (me)
Can anyone explain to me what exactly did we gain in this multi-milion dollar project?

MilaAugust 3, 2006 4:27 PM

According to a CNN article (http://money.cnn.com/2006/07/13/pf/rfid_passports/index.htm?cnn=yes), the State Department boasted of how secure these ePassports are, while security experts were sure that these RFID chips can be easily hacked into... I guess security experts were right.. who would've thought!

richAugust 3, 2006 4:45 PM

This article talks about cloning while Bruce's earlier article noted that the RFID info will be digitally signed. With a digital signature I can see a scenario where an exact signed copy (clone) could be made, but that a _modified_ copy cannot. Of course, if there is one private key for all passports and SHA-1 was used to sign, all bets are off. They wouldn't do that, would they?

quincunxAugust 3, 2006 6:18 PM

"The best way to solve a security problem is not to have it at all. "

Exactly!

The best way to solve a security problem is to not delegate security to a corrupt organization that exposes you to security problems by dicking around in foreign areas, and then foisting upon you poor security devices.

Eventually Bruce you will have to come around to the anarchist position.

Tyler LarsonAugust 3, 2006 7:18 PM

I'm not opposed to using RF instead of copper contacts on passports as long as the privacy is equivalent. RF chips can be shielded to prevent surreptitious access while the passport is in its "storage" configuration. At that point, your privacy is that same as it's always been: a passport can be photographed from afar, but the fact that its storage configuration is "closed" prevents the attacker from gaining any useful data.

The advantage of RF chips, and what makes them particularly well-suited for this application, is that they're highly flexible and can be completely sealed from the external environment to prevent accidental destruction. If you used metal contacts, how many copper-on-paper contact pads would still be intact after 8 years of abuse? What you use has to be (a) cheap and (b) durable. RFID fits that bill better than many technologies. If it can be coerced into "contact equivalent privacy", then I'm fine with it.

As a side note, the "hack" in the attached article is only relevant if verbatim copies of a passport are a risk. If the content is signed, then modification is impossible. OTOH, if you need protection against this sort of copying, use a challenge-response chip configuration instead.

grumpy_sysadminAugust 3, 2006 7:53 PM

@swiss connection: destroy the RFID chip (microwave ovens work well for this), and feign ignorance when some official can't get it to scan. Suggest they simply verify it (that is, the physical object, with your picture and identifying information printed right there on it) the old way. There is no secure way to protect an RFID-embedded identification.

DMAugust 3, 2006 8:33 PM

I cant for the life of me understand why a simple read-only optical encoding wont suffice.

Is the intention to make the passport electronically writeable? Thats the only advantage of RFID as far as I can see.

Does the passport then become a container for cookies as well as an identification mechanism.

RoxanneAugust 3, 2006 9:59 PM

I suspect the reason they want RFID tags on passports is so that They can have readers all over the place, and figure out who is where, and talking to whom, while they're at the airport. There is likely to be a rule that you carry your own passport - and only your own - at all times. Then rogue people (ones without RFID tags) become like unto rogue aircraft: targets until proven otherwise.

So what happens when Susie TourGuide collects everyone's passport for verification? Hijinks ensue!

There are other fun possibilities ... use your imagination!

ordajAugust 3, 2006 10:46 PM

"Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can't do, I am opposed to the idea."

To force technology in a certain direction?

To identify the sophistication level "out there?"

Because money was involved?

commentAugust 3, 2006 10:47 PM

Anything which encourages the person 'verifying' the person's identity to personally interact with the person being 'identified' is good. Anything which tells the guard they don't need to bother is bad.

Reading through the evidence against Zacaraia Massouai (sp) which has just been published (world first?) the obvious thing was that he was an obvious nutter anyone could have spotted if they just talked to him.

And when someone did, he was detected as a nutter and put out of harms way.

What's important is that people interact in constructive ways, more so than that each person's DNA and personal history can be picked out of a database reliably given just the person's name.

Spotting malintent is infinitely more useful than spotting faked identity documents, and computers are simply unable to do this.

Why not spend our efforts on constructive interactions, instead of this useless twaddling?

RogerAugust 3, 2006 11:36 PM

@Everyone:
Of course, merely copying a chip doesn't invalidate the security design, which derives from the fact that the digital photograph is digitally signed. What it does do is put paid to the idea of using writeable RFID chips to store visa information. Now if I want an embarassing visa to disappear I can just reload an old copy from backup.

More worrying to me is the observation that even small flaws in closing the cover completely foils the RF shielding in the cover of the passport. We're back to the "kill/mug me, I'm an American!" passport-of-death. Thanks, State Department morons.

@Tyler Larson:
"If you used metal contacts, how many copper-on-paper contact pads would still be intact after 8 years of abuse?"

The question isn't reliability of the pads on the passport, but on the reader. Even the most jet setting corporate executive is unlikely to use the passport more than a couple of thousand times in its ten year life, and contact chips can easily be made that robust. The readers, on the other hand, must each process the order of ten thousand readings per day.

" What you use has to be (a) cheap and (b) durable. RFID fits that bill better than many technologies."

Better than many, yes, but not all. 2D barcodes are:
a) already a well tried industry standard, unlike this novel RFID application;
b) robust enough to use on exteriors of shipping cartons, never mind inside valuable documents;
c) robust against RF fields, unlike RFID tags;
d) readers are also extremely robust, and adequately fast, as demonstrated by extensive experience in inventory management, point-of-sale, etc;
e) much more secure, since it can only be read by someone who would have been able to read the printed information anyway; and
f) a standard density 2D barcode covering a double page spread of a standard sized passport does hold enough data for the application.

@grumpy_sysadmin:
The international rules on this, already adopted by many member countries, is that a passport with a defective RFID chip will be treated as a mutilated document. They will NOT read it the old fashioned way, they will seize it and turn you away, and tell you to come back when you've obtained a repalcement from your consulate. The "old fashioned way" data is still on them solely for use by remote area border crossings not yet equipped with RFID readers, they are not for use in case of break down.

@DM:
"I cant for the life of me understand why a simple read-only optical encoding wont suffice."

My personal conspiracy theory is that it involved bribery by someone in the RFID industry consortium. They've been pumping like crazy to make RFID look like the brightest new thing since sliced bread, some of the investors are starting to wonder when they're going to get their money back. Economists within the industry have made estimates of the size of sales they will need to bring down the cost per item to 5c (at which point, theoretically, it all becomes self sustaining) and the industry is obsessed about getting this magic "big order" to get that rolling. And then along comes a US government official who forces every traveller in the world to install one, despite regular old barcodes being mainfestly superior for the application, and costing 1/10th as much. Hmmm...

"Is the intention to make the passport electronically writeable? Thats the only advantage of RFID as far as I can see."

It is, of course, also possible to make barcodes writeable. The device is known as a "printer". The process is more expensive than writes to an RFID chip (although we're still talking pennies here), but since writes should occur quite rarely that hardly matters.

quincunxAugust 4, 2006 12:39 AM

"My personal conspiracy theory is that it involved bribery by someone in the RFID industry consortium."

The RFID industry wants a client that will give them a cost-plus profit guarantee, and the government spends other peoples' money.

One need not formulate conspiracy theories, especially since the practice is CENTURIES old, and is open to any inquiring mind to observe. The practice of the state is that of the magician: sleight of hand. It can easily be observed, but you are distracted.

What is called 'conspiracy theory' is actually nothing more than the regular function of government. It is usually obscured by popular rhetoric like 'for the common good', 'general welfare', 'matters of national security', 'protecting the consumers', etc...

If you look at any bill passed by congress there is a long list of pork barrel projects that are wholly unrelated to the bill. I would expect universal national IDs to be logrolled very soon - without much public debate.

kevin lyda, co. galwayAugust 4, 2006 1:25 AM

So the lesson you get from that article is: "RFID are an unecessary security risk."

Why do I worry that the lesson for some will be: "Published standards are a security risk."

Clive RobinsonAugust 4, 2006 3:17 AM

@Bruce

"I'm not opposed to chips on ID cards, I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.
"

My problem is RFID chips full stop.

The security of the information is quite secondary (and can with thought be protected to a reasonable degree).

My concerne is that all RFID chips irrespective of their security features can be detected at ranges of a few cms to several meters.

The way the RFID chips react to an RF pulse on various frequencies can be used to fingerprint them without being able to obtain any information stored on the chip.

Once the chip is fingerprinted it will be likley to identify the document the RFID chip is in.

People talk about "sheilding" their passports / ID cards / etc, the reality is that 99% of people will not do it and of the other 1% 80% of those will either do it badly or unreliably.

I predict that when RFID Passports becom more common there will be a cheep detector available on the black market for a hundred or so USD which criminals will be able to use to target victimes worth mugging / kidnapping etc etc.

RFID's are not the solution to any security problem, they are only usefull for keeping track of things (which is why UPS etc like them).

Anyone who talks up RIFDs for security of people have an agenda which is to turn every individual into a source of income over and above the cost of the device...

Think fines for not carrying your ID card, actuall searching everybody or asking them to produce it will involve lots of manpower, however a door way with a detector in it is a good way of catching the carless for a 1000USD fine.

Bruce SchneierAugust 4, 2006 3:37 AM

@quincunx: "Eventually Bruce you will have to come around to the anarchist position."

Actually, would I would really prefer is if you tone down the politics. This is a security blog; not a political blog. I would like you to be able to contribute to the comments, but not if you turn everyting into a political debate.

Please.

Bruce SchneierAugust 4, 2006 3:38 AM

@ DM:

My guess is that the the read/write nature of the chip is important. Eventually, we should expect digital visas to be written to the chip.

I'm not opposed to a chip on a passport; I'm opposed to a contactless chip.

Bruce SchneierAugust 4, 2006 3:41 AM

I received this in emal from Randy Vanderhoof, the Executive Director of the Smart Card Alliance. It speaks to why a contactless chip was chosen for passports and ID cards:

"A reason for choosing contactless technology over contact technology was not a security decision but rather a business and process decision. One can make a case that a contact chip would have made the passport more secure by the elimination the radio frequency element of the contactless interface. But, the standards committee is an international body and had to find global consensus on the recommended changes to passports, so time and cost factors had to be considered as well. Specifically, they needed to consider the passport form factor and the existing international passport manufacturing and personalization process as well as the security elements. ICAO had to consider the time and investment it would take to redefine the manufacturing process, such as printing and personalizing a passport that could support a contact chip that would last 10 years. They would also have to evaluate new operational requirements to insert a cover or the entire passport into a contact reader and create a new reader standard for such a device. No such reader standard or reader technology exists today.

"So, two good reasons for ICAO choosing contactless was (1) that they could maintain the current look and process for producing passports and only changing the passport cover material to include the contactless element to support a smooth transition for countries who issue millions of passports per year; and (2) that the swipe nature of reading the electronic passport could be used with existing ISO standard readers and have a reasonable expectation of the passport having a 10 year life."

I'm not convinced, but there you have it.

ACAugust 4, 2006 4:06 AM

Is there any official statement, written sentence or anything that explain *why* exactly the chips have to be in the passport at all, compared to barcode?

The whole world is supposed to use these chips and at so high price, and I still don't understand why chips at all. There are all the computer networks and stuff so once they read some unique ID, they can have all other data anyway. Why storing something more than some unique ID in the chip?

FreiheitAugust 4, 2006 5:39 AM

There were some security issues looked at, is it possible to name names and see which people they consulted with on this decision?

After all the spent OUR money on the design process and we have a right to know how it was spent.

@Clive

The mugging idea you brought up scares me more than the terrorist angle. Having a passport and looking western = tourist. Tourist = easy money and credit cards. Even at home having a passport means that you can afford international travel and makes one a target.

Matti KinnunenAugust 4, 2006 6:20 AM

@Freiheit

If RFID-passports fail, i.e. are a security risk, maybe government will issue us two passports: one with RFID for crossing borders and another without-RFID for usage as an international ID in foreign countries.

If so, you can then lead the RFID-passport in the safe of your hotel.

Of course, this makes you still a target while moving from hotel to hotel.

NylarthotepAugust 4, 2006 6:26 AM

Guess I'll have to make a Faraday (cage) Wallet. I think that should work to prevent access from those that shouldn't have it.

Though I wonder about the legality of such a wallet in the airport. They want to be able to access the info remotely, so could blocking their reader be illegal?

bobAugust 4, 2006 7:23 AM

SO what happens if my "new" US Passport stops working? Like if I accidentally put it in the microwave for 10 seconds?

Do they have a fallback to actually read it by eye or am I trapped in whatever country I happen to be trying to leave?

Could they not put a small switch on the document to ground out the antenna until the holder actually wanted it to be read?

quidamAugust 4, 2006 8:55 AM

What has been cloned is a passport implementing BAC (Basic Access Control). In such a passport, data can be read remotely. Such data is opaque, until you derive a key from the MRZ. And of course, this data is signed, by a 4096 bits RSA key, so it's not modifiable at all.

Pilots are being built (in Europe) to integrate EAC (Extended Access Control) into ICAO passports. In EAC mode, the reader and RFID-tag mutually authenticate to the other. RSA or ECDSA is used for the authentication part, ECDH is used for the encryption between the participants. Each passport will have its own private key (of course not readable), and each participant will be certified right up to the emitting CA. In EAC mode, a passport can't be cloned (at least, not that way).

Grab a document named "Advanced Security Mechanisms for Machine Readable Travel Documents", written by the german BSI for details.

LisaAugust 4, 2006 9:09 AM

One of the more interesting (mind-boggling) aspects about RFID technology is the inability to sufficiently secure it paired with the rush to integrate it into EVERY possible application.

The passport cloning of RFID is not the first of its kind. Exxon-Mobil SpeedPass, vehicle immobilizers, and VeriChip's human-implantable RFIDs have all been successfully cloned (among others, I'm sure).

The applications of this RFID technology include such things integral to our lives such as passports, human identity, and banknotes. Are we really securing our identity and our cash with a vulnerable technology?

I have yet to find a robust security model for RFIDs. If you know of one, please let me know. So, Bruce, I agree. RFIDs should not be used on passports. However, giving me a reason why they should would not suffice. I need a secure protocol. And once I have that, prove to me that it is secure. Then, maybe.

No1August 4, 2006 9:58 AM

@Lisa

What's an example of an invulnerable technology or a completely secure protocol?

quincunxAugust 4, 2006 10:29 AM

"Actually, would I would really prefer is if you tone down the politics. This is a security blog; not a political blog. I would like you to be able to contribute to the comments, but not if you turn everyting into a political debate."

I understand your disapproval, but the two are not unrelated. What good is security in a totalitarian state?

For that matter what is SECURITY?

I can understand you if you explicitly state that the point of security is to protect the blood sucking parasites (etymology of 'politics'), and insure their predation for a long time.

If you were called upon to figure out a way to securely control the slave population, would you really be bickering about the minutae of how to do it, or would you balk at this hot hand of fascism?

By glossing over the inherent insecurity to citizenzry, and then discussing the practical aspect of it in some sense legitimizes the whole thing, even if it is passive acceptance.

It becomes akin to arguing how to insure security for the slaves, should we use these types of shackles or the other? If they run away what technology should I use to capture them? How can I track them effectively?

When you say things like "The best way to solve a security problem is not to have it at all." one has to look at who created the security problem in the first place. When we do so it becomes painfully clear that it is the same institution that is charged with the task of providing security.

I merely suggest you embrace the anarchist position, or become more familiar with it, so that you can be a consistent security expert, otherwise you are essentially saying that we should keep patching an inherently insecure system.

You yourself preach the virtues of doing security right the first time, and all I'm saying is that you realize the full radical position your logic entails.

It is precisely why most prominent rational anarchists understand economics so well: they understand the full implications of applying their own methodology to the logic of human action.

DMAugust 4, 2006 11:03 AM

Would anyone object to a chip with optical IO on it? Power it up in a magnetic field, and communicate to it using IR transcievers. Is such a thing possible?

derfAugust 4, 2006 11:13 AM

The obvious question is - can you create a device that will remotely scramble RFID passports so they can't be read? If enough people get turned away because their passports are bad, the RFID system will be dismantled.

kennethAugust 4, 2006 8:53 PM

Are they actually talking about turning people away if the RFID chip is busted? I was always planning on popping my new passport in the microwave oven for a couple seconds...

Clive RobinsonAugust 5, 2006 6:00 AM

@DM

"Would anyone object to a chip with optical IO on it? Power it up in a magnetic field, and communicate to it using IR transcievers. Is such a thing possible?"

The problem with a magnetic field is to make it efficient it needs to be of a high frequency of several MHz or you would need to introduce something like ferrite into the passport which is heavy and very fragile (see EMC ferrites on data cables and in SM PSU transformers).

The minute you start using high frequency you get back to the problems of being detectable at a range of a meter or so.

The optical idea would certainly protect the data, but the tuned circuit used to energise the chip would still be detectable (probably even with the chip broken...) with the equivilant of a Grid Dip Oscillator. GDO's where used back in the days of valve technology to test/align tuned circuits without DC power being applied to the circuit. That way you did not get a shock from a couple of KV on the anode of a transmitter tube/valve etc. The modern equivalent is a FET Dip Oscillator.

As I said in my post above, the security of RFIDs starts with detectability which is long before you talking about data formats or crypto.

Talking about External Faraday sheilds is all very well but people in a hurry will just stuff the passport in their mouth or back in their pocket, and will not take the time to put it back in the shield. Likewise as shown by the artical a shield built into the passport will be unreliable (as will switches etc) at best.

Basically for a mugger there will always be enough detectable RFIDs around and therefore they will be able to "make a living" etc.

Also it is likley that in some countries where they are going to introduce new ID cards with RFIDs they will make it illegal for you to shield the chip... Otherwise the cost of detecting people out without their ID card goes up.

My point is still that no RFID system can be secure because the detectability is a fundimental flaw that cannot (reliably) be prevented.

salach shabatiAugust 5, 2006 8:25 AM

Just adding some facts :
In most countries e-passports are going to happen a lot sooner than border-control systems to process them , so keeping the booklet form-factor of traditional passports is the right thing to do . this mandates a contactless solution .

The most common problem with passports is modification of something , usually the picture . This is addressed by the digital signature on the data in the chip .

Cloning is a small threat because a skilled border-control officer (which will still be in place!) will catch most of the people using cloned passports .

Skimming of passport data is also a very small threat because if someone wants to construct this sci-fi device that waits for a certain person to shoot him or mug him , he needs to know a lot about that person and he has much easier ways to track him . Skimming is answered by Basic Access Control , *if it is done right* .

The real argument is completely different - does stricter border control answer the real threats ? I personally believe it answers more problems of illegal immigration than actual terror problems . If you need better border control - then biometrics & contactless chips are helpful .

BTW - another thing that contactless chips have & contact chips lack - high comm speed to move large amounts of data . you can find the details in the latest edition of the ISO14443 standard .

regards t u all

DMAugust 5, 2006 2:45 PM

@Clive Robinson

What you seem to be saying is that _any_ electronic device in a passport can be detected using the same techniques used in bug detectors.

Im not sure that thats the threat you seem to be saying it is - being able to detect a passport at a distance is very different from being able to detect a particular passport at a distance, or being able to read out passport data at a distance.

trine2cAugust 5, 2006 9:57 PM

@quincunx
>It is precisely why most prominent rational anarchists understand economics so well: they understand the full implications of applying their own methodology to the logic of human action.

You still don't offer any transition plan to reach this wonderful anarchist nirvana. This represents at least half of your "full implications".

Perhaps people are rejecting your proposal based on rational economic grounds.

As an end, you propose a radical change in government, economics, etc. That's the promised benefit. I won't even argue whether it's workable, sustainable, or universally beneficial. I'll simply grant all those points: it will work, it's sustainable, and it's beneficial to all.

So the next question is how to achieve it. Since no government will idly stand by and efficiently oversee its own removal, there is clearly going to be a long and difficult transition, with much bloodshed and destruction. That's the cost. Or more accurately, just the most obvious cost.

So based on a prudent assessment of the promised benefit and the obvious cost, a rational person might be expected to conclude that it's not worth it. Oddly enough, that's exactly the response you're getting, though you seem to see it as "superstition" and irrational behavior, rather than any kind of informed or rational behavior.

If you don't address the horrific transition costs, then it really doesn't matter how good the end result is, because no one would rationally choose to pay those costs. For a business, the end may be unquestionably beneficial, but the costs would destroy the company. As I'm sure you know, a real economic analysis involves both benefits AND costs. Failing to recognize costs is a serious blunder.

dimitrisAugust 6, 2006 3:05 AM

quidam: You're saying that this RFID chip will perform 4096-bit RSA and - presumably - SHA-1 and whatever other logic (certificate parsing etc), all just on power induced from several cm away?

That will not also pose a danger to, say, people with pacemakers?

Wow. Is there a prototype?

Scott CarneyAugust 6, 2006 8:42 PM

Dear Bruce,

A couple weeks ago I ran across another method to hack RFID chips--not in passports, but credit cards. I live in Chennai, India and a gang of sri lankan criminals forged a bunch of cards that had chips in them and then just hopped a plane to India where the ATMs can't read RFID. I wrote about it in my blog, check out this link

sc

no hat requiredAugust 7, 2006 2:14 AM

Quote: Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can't do, I am opposed to the idea.(end)

Try stamping a smartcard with an immigration official's rubber stamp and you will see why.

Bruce SchneierAugust 7, 2006 3:14 AM

"Quote: Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can't do, I am opposed to the idea.(end)

"Try stamping a smartcard with an immigration official's rubber stamp and you will see why."

Why what? Why the smart card chip has to be embedded in a passport, just like an RFID chip? I think if we tried stamping both a smart card chip and and RFID chip with a rubber stamp we would reach the conclusion that both technologies still requires the passport form factor, and that we can't expect people to carry around the raw chip.

I'm not really sure what your point is.

no hat requiredAugust 7, 2006 9:33 PM

"Why what? Why the smart card chip has to be embedded in a passport, just like an RFID chip? I think if we tried stamping both a smart card chip and and RFID chip with a rubber stamp we would reach the conclusion that both technologies still requires the passport form factor, and that we can't expect people to carry around the raw chip."

I am sorry, I've read this several times but I cannot exactiy understand what you are saying, but I think you may in fact be agreeing with me.

My point was this:

The passport form factor is essential to maintain worldwide compatibility. There are many states that are still using handwritten passports and they simply will not accept using smartcards instead of the traditional books. It's obviously not feasible to simultaneously upgrade the entire world at the same time - so we need to have the books.

Now, a contact chip cannot be reliably embedded into a passport book it's never been done before (to my knowledge)- the contacts will too easily become damaged with the mistreatment that passports encounter. Plus, the passport form factor is not a standard size for contact chips, so new - (ie not tried and tested)- readers will have to be created. These are unlikely to be reliable or long lasting, given the variance in book specifications eg thickness. (a smartcard is manufctured to very tight tolerances, a book can never be made to such exacting specifications). So we cannot embed a contact chip into the passport.

This leads to the conclusion that the only way to introduce a contact chip is to have two documents - a book plus a smartcard.

Just take a moment to imagine the problems that this will cause for the average traveller. They now have to carry two sets of documents for worldwide travel. Given that for many people, it's a major achievement to arrive at the airport with their passport and ticket, adding a third document is going to complicate matters more.

Increasing the number of documents that are required for travel is a step backwards, not forwards. The whole concept of the passport was that a single document would work around the world. Introducing an additional document is contrary to the whole basic idea.

TechieAugust 8, 2006 12:26 AM

@no hat required

Smartcard form factors are defined by international standards. Their electrical contacts are embossed on the card's surface. They are not as physically fragile as you seem to think. The readers are also standardized. Both card and reader standards have existed for years, if not decades, and are well-known and well-tested in real-world conditions.

People around the world already carry smartcards in their wallets, which they sit on, or in their purses, which contain keys and other metallic objects. None of these significantly damage smartcards. I doubt that a rubber stamp from a customs official will hurt a smartcard. This doesn't mean smartcards are indestructible. They can be damaged, but so can a paper passport, an RFID chip, or anything else short of laser-engraved titanium.

It should not be difficult to manufacture smartcards that fit a passport form factor. The electronics can be made to smartcard tolerances, and then affixed to a paper book and laminated together. With worldwide consumption, there would be many markets open to manufacturers, so it should be lucrative and competitive, since the physical and electronic standards already exist.

http://en.wikipedia.org/wiki/SmartCard

no hat requiredAugust 8, 2006 1:36 AM

"Smartcard form factors are defined by international standards. Their electrical contacts are embossed on the card's surface. They are not as physically fragile as you seem to think.

People around the world already carry smartcards in their wallets, which they sit on, or in their purses, which contain keys and other metallic objects. None of these significantly damage smartcards.
It should not be difficult to manufacture smartcards that fit a passport form factor. The electronics can be made to smartcard tolerances, and then affixed to a paper book and laminated together."

The contacts for contact chips are not embossed onto the surface of the card.

A hole is milled into the card. The chip module is inserted and held in place with glue. While strong, there is a chance of them 'popping out' if a strong bending force is applied to the card. The bigger the card (ie passport-sized), the stronger this force will be. A passport carried in a hip pocket will be subject to a lot of bending forces throughout its lifespan. Furthermore, the chip is connected to the contacts via one of two methods (connected wires or glueing into place so that the chip contacts press against the external contacts). Both of these suffer reliabilty problems when a significant bending force is applied.

Most smartcards are carried in a wallet or purse, so they have protection from physical damage. Most passports on the other hand are carried loose in jacket pockets, handbags or trouser pockets. The contacts are gold. Gold is not a particularly strong material and wear would be a real risk.

Passports are frequently mistreated. They are dropped in dust, kept in damp places, kept in hot places, exposed to corrosive elements. All of these factors would soon have a negative effect on the contacts. Passports failing to read because of dirty or damaged contacts would be a real problem.

Then imagine what happens with dirty passport when it is inserted into a reader. Fresh off the plane, a passport with peanut salt on the cover would soon jam up a reader. You would have long queues in immigration while the officials run around with cleaning supplies and vacuum cleaners, trying to get the readers to work correctly.

A contactless chip solves all these problems because it is sealed unit. Dust and dirt don't affect it. You can dunk an epassport into a bucket of water then dip it in sand and it will still read - and the reader will still function for the next passport. Try that with your Chip and PIN credit card at the ATM and see what happens.

Like it or not, a contactless chip is the most practical solution.

quidamAugust 8, 2006 5:51 AM

dimitris: no, I didn't write that the current RFID chips are doing 4096bits RSA signatures. There's an RSA4096 signature to protect the data contained in the RFID chip (name, birthdate, address, photo, digital prints, etc). and prevent this data from modification.

What will be done soon (really soon, in fact, it already exists) is a passport which will be able to authenticate itself (instead or: authenticate the data contained in it), authenticate the Inspection System (and the whole chain above it), and encrypt the communication; it will be of the same form factor (classical passport, + an RFID chip in the last page), RSA or ECDSA for the signature part, ECDH for key exchange.

WarrenAugust 8, 2006 1:45 PM

I got a new UK passport in May 2006, and it was my belief (from numerous articles on this site) that RFID passports would be;
1) Shielded and
2) Encrypted.
However, this article says that “Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control��? … (and got an image 4 seconds later)
This suggests to me that there was no need to scan the key-code using an OCR, or even open the passport for that matter, which negates BOTH of the above suppositions.
The UK passport office failed to respond to emails expressing my concerns.
I keep my passport in a leather cover, which is held closed by an elastic band. Between the outside of the cover and the passport itself, I have inserted a thick sheet of tin foil cut from a Chinese take-away container, although I have no idea if this is effective, (other than the fact that it does set off alarms when I walk through airport security gates).
I don’t know about other readers of this site, but frankly I am NOT happy about carrying this thing around with me, not only because it has been introduced on the quiet, not only because it seems to be wrapped in yet another tissue of government lies, not only because of what it is, but because of what it represents.

no hat requiredAugust 8, 2006 8:22 PM

"I got a new UK passport in May 2006, and it was my belief (from numerous articles on this site) that RFID passports would be;
1) Shielded and
2) Encrypted."
However, this article says that “Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control��? … (and got an image 4 seconds later)"

I believe that only the US passport will come with a shielded cover.

A lot of the readers used at immigration include a full-page optical scanner that scans the datapage and so generates the key to unlock the chip.

Your chinese takeaway container will prevent the chip from being read.


no shirt or shoes requiredAugust 9, 2006 2:10 PM

for security measures, maybe they should start by removing "united states of america" from the outside front cover.

KistelAugust 10, 2006 5:08 AM

It might be silly, but thinking about the true separation of the passport and the chip, why not have a regular passport _and_ a standard smartcard combination? The passport could have a sticked-in protective plastic sleeve (kind of what you get with many credit cards) on the inner side of the back, for holding the smart card - therefore you can have the two together without the chance of losing the SC. The SC as such is standardized, and if it's contact-only, you have every benefit of its kind.

This could have tremendous advantages. It is electronically readable, only with your consent (!). The SC inside is standard, so no newly invented devices needed at all. And they could be simultaneously (or even, separately...) issued if needed. The SC holder plastic sleeve could be so cheaply produced you barely could measure it.

And, you could sit on your passport even with the chip in it - since this is durable.

Would this be this feasible?

Brian KAugust 11, 2006 12:41 PM

California is currently considering SB 768, enacting restrictions on RFID identification cards.

It includes requirements, among others, for active permission from the person, strong encryption with keys at least 128 bits long, mutual authentication between reader and card, changing encryption mechanism if the currently used one proves ineffective, and provides for individuals to sue both the government and third party contractors if the personal information is improperly disclosed regardless of any economic loss.

I'm curious, Bruce, what are your opinions on the restrictions this bill enacts?

SiniAugust 15, 2006 9:12 AM

Roger mentioned Aug 3rd that a broken RFID chip on a passport would be interpreted as a mutilated document, which would mean the carrier would have to get a new passport before getting through.

Were you worrying about someone cloning your passport? How about getting on a "no-fly list" of this sort whenever a prankster aims an RFID zapper at your unprotected passport? It is my understanding that RFID chips can be fried by hitting them with strong enough "readers", and that they can come small enough to not attract attention. Forget about putting your passport in the microwave, someone's going to do it for you when you're not looking, and the chip's not going to reveal when exactly it broke down.

Doesn't this also give a rather convenient and hard-to-track method of causing a DoS attack on a large airport - carrying a device that wipes RFID chips all around at the press of a button, then goes passive again? Maybe it would pay to hang around places where people have to take their passports out of whatever Faraday cages they keep them in usually, too. Although if the electromagnetic bombardment manages to bother the check-in desk's devices too, zapping hangarounds might start drawing unwanted attention to themselves.

CryptoManAugust 15, 2006 4:24 PM

This fraud can be succesful if only STATIC DATA AUTHENTICATION is made, i.e. you can copy a document's data and a hash value signed by issuer's private key.

However, it will not work if the RFID chip contains an RSA CO-PROCESSOR and DYNAMIC DATA AUTHENTICATION is implemented.

i.e. if each travel document contains a unique and secret private key, and a public key retrievable from document after recovering issuer's public key from a record signed by issuer's private key, then a mutual authentication protocol can be built to which a random challenge can be sent to the document which should be signed by the private key of the document and if the reader can decrypt this random challenge by decrypting with public key of the document then it can be sure that the document is authentic and not a forgery.

Cloning, SDA signed data is a well known fact and not a big challenge but retrieving secret keys from them is not so easy as it is described here of logging ISO14443 contactless transmission and make clones of these documents.

If ICAO have made such a naive design than it is not so safe but as I described, if they implement DDA scheme, it should be quite strong and reliable.

LemmingAugust 17, 2006 10:41 PM

On blocking RFID readers, I found that aluminium foil (which some people still call tinfoil) is effective for blocking contact RFID readers. i.e. very short range readers.

My apt has an entry/exit RFID card at the gate, and I had made a card pouch out of aluminium foil and duct tape. This was originally meant to be a heat shield (I leave the card inside the car often) but I found it also blocks the RFID reader.

When the card is inside the pouch, the reader cannot read it at all, even when I contact the card/pouch directly on the reader.

BTW the pouch only uses two layers of foil.

As for a more robust blocking solution, I'd suggest looking at the "film protector" bags that were once fairly common. These have lead-lined material which could block X-rays, so I think they'd work great to block RFID readers too.

Not sure if you can still find them tho, due to everyone switching to digicams.

Subversive2October 4, 2006 2:30 AM

I will wait until my visit to a foreign country is over and I am returning home to zap my passport in a microwave. Does this mean that the country that I am in will not allow me to leave? If allowed to leave will the USA refuse me entry? Will there be a penalty exacted for a defective passport? Can a consulate produce another passport quickly? I saw a demonstration of a rfid passport partially open trigger an explosive. Why are we stupid enough to accept these new passpors? Politics is not relevant to this discussion, but our stupid index is relevant.

Robert ShrewsburyJanuary 27, 2008 1:00 PM

What material are IFRD chips/strips made out of in money?

Robert
email omaroliblish@gmail.com

bubbahJuly 11, 2009 5:06 PM

why not build the passport cover with a Faraday cage feature so the thing would be secure until the requisite distance is reached... there could also be a read sentinel that alerts the holder to a scan. And, further, there could be a velcro closure to keep unseen eyes off it.

bubbahJuly 11, 2009 5:08 PM

...one more thought ...if there are RFID chips in other things, can one "queer" remote reads by, for instance, interposing several in the same wallet (get a "blink" card, call it in "lost" getting a new number, use the old card as a "shield" right over the passport chip area)?

CymnefferveNovember 11, 2010 7:05 AM

I'm going to set up my own project since you don't see any good jobs to be found.

Could any person provide any tips or web sites as to how to apply for government grant money to begin with my personal business? I've been looking over the internet but just about every site demands for money and I have been previously told by the unemployment office to stay away from the sites that want cash for grant information because they're scam. I would be really thankful for any support.

MikeOctober 9, 2011 1:24 PM

This is an old thread, but the information posted by @Roger with regards to what happens when/if the rfid chip in a passport stops working is false. From the passport FAQ on travel.state.gov:
"
What will happen if my Electronic Passport fails at a port-of-entry?

The chip in the passport is just one of the many security features of the new passport. If the chip fails, the passport remains a valid travel document until its expiration date. You will continue to be processed by the port-of-entry officer as if you had a passport without a chip.
"

So, if all of this rfid stuff bothers you, just grab a hammer and go to town on your passport and quit whining.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..