FIDIS on RFID Passports

The "Budapest Declaration on Machine Readable Travel Documents":

Abstract:

By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increase risk of identity theft. Simply put, the current implementation of the European passport utilises technologies and standards that are poorly conceived for its purpose. In this declaration, researchers on Identity and Identity Management (supported by a unanimous move in the September 2006 Budapest meeting of the FIDIS "Future of Identity in the Information Society" Network of Excellence[1]) summarise findings from an analysis of MRTDs and recommend corrective measures which need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues.

EDITED TO ADD (11/9): Slashdot thread.

Posted on November 9, 2006 at 12:26 PM • 31 Comments

Comments

gnome • November 9, 2006 3:46 PM

Just hang around a customs area with a powerful microwave gun and kill all RFID passports. Once enough people are fried and no RFID passports actually work, using the paper itself might come back into style.

Alan • November 9, 2006 4:26 PM

Has anyone tried putting their RFID passport in a microwave to kill it? Mine is up for renewal soon and I'm seriously considering this.

Since the RFID is not required for the passport to be legitimate, this shouldn't cause any legal problems.

I'll let you know how it goes. =)

Woo • November 9, 2006 5:23 PM

How long should one microwave an RFID-contaminated passport to securely deactivate it? The chip vendors boast of a rather high overvoltage durability of their chips... somehow I fear that microwaving the passport (which at least in many European models still consists of a laminated paper/cardboard thingie) it might blister or melt... no paper is absolutely humidity-free.

the other Greg • November 9, 2006 5:33 PM

"recommendations for European stakeholders (politicians, industry and research)"

Citizens are mentioned separately, apparently as 'victims'.

Alan • November 9, 2006 8:54 PM

I'll try microwaving my current passport first (once I get it back with the new one) and see how that works. Shouldn't be a problem. ha!

I don't think that any kind of silicon overvoltage durability can handle 1 kW of microwave, even for 2 or 3 seconds... Have you ever microwaved a CD-ROM? It only takes a few seconds and it's toast.

The RFID chip has an antenna, which is where it gets the power to transmit the data... overwhelm that and the rest is toast.

Eric • November 9, 2006 11:01 PM

Your other readers should be aware that, at least in the US, a new RFID-enabled passport, with the RFID destroyed (such as by microwave), is considered invalid.

cassandra • November 9, 2006 11:11 PM

A cheap and easy to make version of the wavegun is called 'RFID-zapper' -
Furthermore, one sheet of kitchen aluminium put around the transponder (the card, passport, or good, etc.) is good-enough as Faraday-cage for 'proximity' mid-frequency RFs of 13,2MHz which are majority now

Later, for ISOs in the GHz range (not widely used now) use a layer of water: remember the movie Total Recall when Arnie wraps his head in a wet scarf? not yet tested it, as I couldn't find such 'vicinity' tags

the wallets you sell are necessary, until they be outlawed... Do you also sell some fine metal-gloves for the Verichip? or arm-forcebands for the vip members of the Bahia club?

We must politically fight against this invasion - first by telling our grams about the principle


look there:
http://www.spychips.com/
brace yourself for Jump Ground -
http://www.eyesightfilms.com/

greg • November 10, 2006 3:03 AM

@cassandra

These wallets will not be outlawed. Mainly because it won't change anything. Most ppl won't buy one, so it won't seem necessary. OTOH anyone who knows about this stuff and gets one, will know about make your own types too.

But then again, the EU has just banned liquids on planes.... So the stupidity of the human race really is infinite.

Schanulleke • November 10, 2006 3:11 AM

Here (http://www.rpi-polymath.com/ducttape/RFIDWallet.php) is a DIY guide to building a wallet.

Please be aware that the wallet is not actually big enough for most European passports.

eva • November 10, 2006 4:10 AM

Alan, the folks at CASPIAN have indeed tried to fry RFIDs with a microwave oven, so if you want to know how it went, you can read it all in their book Spychips, it may also be described in their web site http://www.spychips.com/

The bottom line is: "don't do this at home!!" :)

Princess Panda Pants • November 10, 2006 4:52 AM

@Mike Aiello

Apologies for the less than glowing endorsement of your product in a public place, but, as we all seem to be airing our linen in public - I am highly disappointed by the extremely poor quality of both the passport case and wallet.

I'm sticking with homemade duct tape & tinfoil (to match the hat), until I find a much higher quality product.

supersnail • November 10, 2006 7:37 AM

Has anyone considered the alternative approach of drowning out the passport's chip with noise from other chips?
After all RFID chips are small enough that you could comfortably carry 50 to 100 in your wallet, and, easily available as you get one free with every Walmart purchase.

Mark • November 10, 2006 9:00 AM

"Later, for ISOs in the GHz range (not widely used now) use a layer of water"

Now the ban on liquids on aircraft is starting to make sense!

Matthias • November 10, 2006 10:25 AM

I would strongly recommend against using a microwave oven, simply because it might cause harm to the non-RFID parts of the passport.

Apparently 13.2 MHz is the frequency some welding transformers work at, so you could probably even make it look like an accident.

Alan • November 10, 2006 11:51 AM

@Eric -- where do you get the info that an e-passport with the RFID destroyed is invalid? This quote from the US Dept of State says otherwise:

"The chip in the passport is just one of the many security features of the new passport. If the chip fails, the passport remains a valid travel document until its expiration date. The bearer will continue to be processed by the port-of-entry officer as if he/she had a passport without a chip."

http://travel.state.gov/passport/eppt/...

Alan • November 10, 2006 12:03 PM

Based on the experience in "Spychips" (p146), three seconds was enough to char the surrounding material. That being the case, one second should be enough.

Mike Aiello • November 11, 2006 8:04 PM

Mr. Schneier. Thank you for allowing my previous post.

To address some of the criticisms mentioned (Princess Panda, Schanulleke); we have not received a complaint regarding product quality or EU passports not fitting.

Robin Wilton • November 15, 2006 2:29 PM

I can confirm that a (UK-issued) EU-format passport will fit perfectly well into the DIFRwear passport wallet.

See my blog (linked) for a brief description of the rudimentary tests I've been able to do so far...

yrfid • November 17, 2006 12:36 PM

"The chip in the passport is just one of the many security features of the new passport. If the chip fails, the passport remains a valid travel document until its expiration date. The bearer will continue to be processed by the port-of-entry officer as if he/she had a passport without a chip."

http://www.yrfid.com

Anonymous • March 21, 2008 2:08 AM

Don't try this at home! I got a passport last year, just nuked it, and after about 3 seconds, the chip caught fire, burned out, and burned several pages.

However, viewing the backpage of the passport, I can tell you where the chip is.

Top right corner, just below where the topmost right corner is.

So I have to report a lost passport, and start all over.

Acrid Atty • April 14, 2008 3:23 AM

To my Fascist US Govt:

I asked my govt for a US Passport not a fng "tracking device". I'll do whatever it takes to kill your damn planned bugs. My government does not have two brain cells to rub together when it comes to remembering the Constitution and Right to PRIVACY. Funny, my damn government wants to know how many squares of toilet paper I use and yet it does not want to tell me or any other citizen any of the millions of atrocities it commits!! I think a lot of them are going to spend a long time in hell.

jis • January 27, 2010 3:21 AM

I've fried my UK passport, in under 3 seconds it sparked and flared, no visible damage to other pages however there is a minute hole melted into the plastic on the reverse of the chip. It looks as if someone put a hot needle through it. Apparently you can stop this discolouration by putting it in water while you do it. What I want to know is has anyone tried using a "deactivated" passport to travel and what were the consequences, if any?

Clive Robinson • January 27, 2010 9:22 AM

@ jis,

"what I want to know is has anyone tried using a "deactivated" passport to travel and what were the consequences, if any?"

Well, the front of the passport has this little embossed logo at the bottom that shows it's an RFID passport.

And all the rules I've seen say if the RFID does not work in such a passport it is considered to be invalid, and thus you should not travel on it...

It might be fun for somebody to go out of the country via a way where the old look and check method is still in use and then try coming back by air...

Orange jump suits all round...


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.