Fatal Flaw Weakens RFID Passports
By Bruce Schneier
November 3, 2005
In 2004, when the U.S. State Department first started talking about embedding RFID chips in passports, the outcry from privacy advocates was huge. When the State Department issued its draft regulation in February, it got 2,335 comments, 98.5 percent negative. In response, the final State Department regulations, issued last week, contain two features that attempt to address security and privacy concerns. But one serious problem remains.
Before I describe the problem, some context on the surrounding controversy may be helpful. RFID chips are passive, and broadcast information to any reader that queries the chip. So critics, myself included, were worried that the new passports would reveal your identity without your consent or even your knowledge. Thieves could collect the personal data of people as they walk down a street, criminals could scan passports looking for Westerners to kidnap or rob and terrorists could rig bombs to explode only when four Americans are nearby. The police could use the chips to conduct surveillance on an individual; stores could use the technology to identify customers without their knowledge.
RFID privacy problems are larger than passports and identity cards. The RFID industry envisions these chips embedded everywhere: in the items we buy, for example. But even a chip that only contains a unique serial number could be used for surveillance. And it's easy to link the serial number with an identity -- when you buy the item using a credit card, for example -- and from then on it can identify you. Data brokers like ChoicePoint will certainly maintain databases of RFID numbers and associated people; they'd do a disservice to their stockholders if they didn't.
The State Department downplayed these risks by insisting that the RFID chips only work at short distances. In fact, last week's publication claims: "The proximity chip technology utilized in the electronic passport is designed to be read with chip readers at ports of entry only when the document is placed within inches of such readers." The issue is that they're confusing three things: the designed range at which the chip is specified to be read, the maximum range at which the chip could be read and the eavesdropping range or the maximum range the chip could be read with specialized equipment. The first is indeed inches, but the second was demonstrated earlier this year to be 69 feet. The third is significantly longer.
And remember, technology always gets better -- it never gets worse. It's simply folly to believe that these ranges won't get longer over time.
To its credit, the State Department listened to the criticism. As a result, RFID passports will now include a thin radio shield in their covers, protecting the chips when the passports are closed. Although some have derided this as a tinfoil hat for passports, the fact is the measure will prevent the documents from being snooped when closed.
However, anyone who travels knows that passports are used for more than border crossings. You often have to show your passport at hotels and airports, and while changing money. More and more it's an identity card; new Italian regulations require foreigners to show their passports when using an internet cafe.
Because of this, the State Department added a second, and more important, feature: access control. The data on the chip will be encrypted, and the key is printed on the passport. A customs officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip.
This means that the passport holder can control who gets access to the information on the chip, and someone cannot skim information from the passport without first opening it up and reading the information inside. This also means that a third party can't eavesdrop on the communication between the card and the reader, because it's encrypted.
By any measure, these features are exemplary, and should serve as a role model for any RFID identity-document applications. Unfortunately, there's still a problem.
RFID chips, including the ones specified for U.S. passports, can still be uniquely identified by their radio behavior. Specifically, these chips have a unique identification number used for collision avoidance. It's how the chips avoid communications problems if you put a bagful of them next to a reader. This is something buried deep within the chip, and has nothing to do with the data or application on the chip.
Chip manufacturers don't like to talk about collision IDs or how they work, but researchers have shown how to uniquely identify RFID chips by querying them and watching how they behave. And since these queries access a lower level of the chip than the passport application, an access-control mechanism doesn't help.
To fix this, the State Department needs to require that the chips used in passports implement a collision-avoidance system not based on unique serial numbers. The RFID spec -- ISO 14443A is its name -- allows for a random system, but I don't believe any manufacturer implements it this way.
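An acceptance check an issuer could run on sample chips, added here as an example and not part of the original essay: it takes the anticollision frames (4-byte ID plus XOR check byte) captured over repeated power cycles and reports whether the ID is static. The function names and sample frames are constructed; the 0x08 first-byte marker for random IDs is the ISO/IEC 14443-3 convention for 4-byte IDs.

```python
from collections import Counter

RANDOM_UID_PREFIX = 0x08  # ISO/IEC 14443-3: a 4-byte ID starting 0x08 is a random ID


def bcc(uid: bytes) -> int:
    """Check byte sent with the ID during anticollision: XOR of the ID bytes."""
    x = 0
    for b in uid:
        x ^= b
    return x


def frame(uid_hex: str) -> bytes:
    """Build a constructed ID+check-byte frame for the sample data below."""
    uid = bytes.fromhex(uid_hex)
    return uid + bytes([bcc(uid)])


def audit_uid_policy(frames: list[bytes]) -> dict:
    """Classify one chip from the frames it returned over repeated power cycles."""
    uids = []
    for f in frames:
        if len(f) != 5 or bcc(f[:4]) != f[4]:
            raise ValueError(f"malformed anticollision frame: {f.hex()}")
        uids.append(f[:4])
    counts = Counter(uids)
    repeated = {u.hex(): n for u, n in counts.items() if n > 1}
    flagged_random = all(u[0] == RANDOM_UID_PREFIX for u in uids)
    if len(counts) == 1 and len(uids) > 1:
        verdict = "static"    # same ID every time: usable as a tracking handle
    elif repeated or not flagged_random:
        verdict = "suspect"   # some reuse, or IDs not marked as random
    else:
        verdict = "random"    # fresh, random-marked ID on every power-up
    return {"verdict": verdict, "distinct": len(counts), "repeated": repeated}


# Constructed sample captures: five power cycles per chip.
STATIC_CHIP = [frame("04a1b2c3")] * 5
RANDOM_CHIP = [frame(h) for h in
               ("083f91c2", "08a4107e", "0815d3b9", "08e27c40", "08096bf5")]

if __name__ == "__main__":
    print(audit_uid_policy(STATIC_CHIP))
    print(audit_uid_policy(RANDOM_CHIP))
```

The check never touches the passport application or its access-control key, which is the point of the paragraph above: the ID is exposed below that layer.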
Adding chips to passports can inarguably be good for security. Initial chips will only contain the information printed on the passport, but this system has always envisioned adding digital biometrics like photographs or even fingerprints, which will make passports harder to forge, and stolen passports harder to use.
But the State Department's contention that they need an RFID chip, that smartcard-like contact chips won't work, is much less convincing. Even with all this security, RFID should be the design choice of last resort.
The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID is just one example of where, apparently, the State Department didn't have enough of the expertise it needed to do this right.
Of course it can fix the problem, but the real issue is how many other problems like this are lurking in the details of its design? We don't know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny.
The State Department's plan to issue RFID passports by October 2006 is both precipitous and risky. It made a mistake designing this behind closed doors. There needs to be some pretty serious quality assurance and testing before deploying this system, and this includes careful security evaluations by independent security experts. Right now the State Department has no intention of doing that; it's already committed to a scheme before knowing if it even works or if it protects privacy.