Page 3 of 4
From EPIC:
A document obtained by EPIC from the State Department reveals that 2004 government tests found passports with radio frequency identification (RFID) chips that are read 27% to 43% less successfully than the previous Machine Readable Zone technology (two lines of text printed at the bottom of the first page of a passport).
I’ve written about RFID passports before.
EDITED TO ADD (11/17): Commentary by Bruce Sterling.
Welcome to a surveillance society:
If you want to hire a car at Stansted Airport, you now need to give a fingerprint.
The scheme being tested by Essex police and car hire firms, is not voluntary. Every car rental customer must take part.
No fingerprint, no car hire at Stansted airport.
These are stored by the hire firms—and will be handed over to the police if the car is stolen or used for another crime.
This is the most amusing bit:
“It’s not intrusive really. It’s different—and people need to adjust to it. It’s not Big Brother, it’s about protecting people’s identities. The police will never see these thumbprints unless a crime is committed.”
What are the odds that no crime will ever be committed?
Fingerprints are becoming more common in the UK:
But regardless of any ideological arguments, the use of biometric technology—where someone is identified by a physical characteristic—is already entering the mainstream.
Biometric UK passports were introduced this year, using facial mapping information stored on a microchip, and more than a million have already been issued.
A shop in the Bluewater centre in Kent has used a fingerprint checking scheme to tackle credit card fraud. And in Yeovil, Somerset, fingerprinting has been used to cut town-centre violence, with scanners helping pick out troublemakers.
It’s not just about crime. Biometric recognition is also being pitched as more convenient for shoppers.
Pay By Touch allows customers to settle their supermarket bill with a fingerprint rather than a credit card. With three million customers in the United States, this payment system is now being tested in the UK, in three Co-op supermarkets in Oxfordshire.
The “Budapest Declaration on Machine Readable Travel Documents“:
Abstract:
By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilises technologies and standards that are poorly conceived for its purpose. In this declaration, researchers on Identity and Identity Management (supported by a unanimous move in the September 2006 Budapest meeting of the FIDIS “Future of Identity in the Information Society” Network of Excellence[1]) summarise findings from an analysis of MRTDs and recommend corrective measures which need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues.
EDITED TO ADD (11/9): Slashdot thread.
If you have a passport, now is the time to renew it—even if it’s not set to expire anytime soon. If you don’t have a passport and think you might need one, now is the time to get it. In many countries, including the United States, passports will soon be equipped with RFID chips. And you don’t want one of these chips in your passport.
RFID stands for “radio-frequency identification.” Passports with RFID chips store an electronic copy of the passport information: your name, a digitized picture, etc. And in the future, the chip might store fingerprints or digital visas from various countries.
By itself, this is no problem. But RFID chips don’t have to be plugged in to a reader to operate. Like the chips used for automatic toll collection on roads or automatic fare collection on subways, these chips operate via proximity. The risk to you is the possibility of surreptitious access: Your passport information might be read without your knowledge or consent by a government trying to track your movements, a criminal trying to steal your identity or someone just curious about your citizenship.
At first the State Department belittled those risks, but in response to criticism from experts it has implemented some security features. Passports will come with a shielded cover, making it much harder to read the chip when the passport is closed. And there are now access-control and encryption mechanisms, making it much harder for an unauthorized reader to collect, understand and alter the data.
Although those measures help, they don’t go far enough. The shielding does no good when the passport is open. Travel abroad and you’ll notice how often you have to show your passport: at hotels, banks, Internet cafes. Anyone intent on harvesting passport data could set up a reader at one of those places. And although the State Department insists that the chip can be read only by a reader that is inches away, the chips have been read from many feet away.
The other security mechanisms are also vulnerable, and several security researchers have already discovered flaws. One found that he could identify individual chips via unique characteristics of the radio transmissions. Another successfully cloned a chip. The State Department called this a “meaningless stunt,” pointing out that the researcher could not read or change the data. But the researcher spent only two weeks trying; the security of your passport has to be strong enough to last 10 years.
This is perhaps the greatest risk. The security mechanisms on your passport chip have to last the lifetime of your passport. It is as ridiculous to think that passport security will remain secure for that long as it would be to think that you won’t see another security update for Microsoft Windows in that time. Improvements in antenna technology will certainly increase the distance at which they can be read and might even allow unauthorized readers to penetrate the shielding.
Whatever happens, if you have a passport with an RFID chip, you’re stuck. Although popping your passport in the microwave will disable the chip, the shielding will cause all kinds of sparking. And although the United States has said that a nonworking chip will not invalidate a passport, it is unclear if one with a deliberately damaged chip will be honored.
The Colorado passport office is already issuing RFID passports, and the State Department expects all U.S. passport offices to be doing so by the end of the year. Many other countries are in the process of changing over. So get a passport before it’s too late. With your new passport you can wait another 10 years for an RFID passport, when the technology will be more mature, when we will have a better understanding of the security risks and when there will be other technologies we can use to cut the risks. You don’t want to be a guinea pig on this one.
This op ed appeared on Saturday in the Washington Post.
I’ve written about RFID passports many times before (that last link is an op-ed from The International Herald-Tribune), although last year I—mistakenly—withdrew my objections based on the security measures the State Department was taking. I’ve since realized that they won’t be enough.
EDITED TO ADD (9/29): This op ed has appeared in about a dozen newspapers. The San Jose Mercury News published a rebuttal. Kind of lame, I think.
EDITED TO ADD (12/30): Here’s how to disable a RFID passport.
It was demonstrated today at the BlackHat conference.
Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country’s e-passport, since all of them will be adhering to the same ICAO standard.
In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He obtained the reader by ordering it from the maker—Walluf, Germany-based ACG Identification Technologies—but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.
He then launched a program that border patrol stations use to read the passports—called Golden Reader Tool and made by secunet Security Networks—and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template.
Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader—which can also act as a writer—and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.
As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information.
The result was a blank document that looks, to electronic passport readers, like the original passport.
I’ve long been opposed (that last link is an op-ed from The International Herald-Tribune) to RFID chips in passports, although last year I—mistakenly—withdrew my objections based on the security measures the State Department was taking.
That’s silly. I’m not opposed to chips on ID cards, I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.
Sure, the State Department is implementing security measures to prevent that. But as we all know, these measures won’t be perfect. And a passport has a ten-year lifetime. It’s sheer folly to believe the passport security won’t be hacked in that time. This hack took only two weeks!
The best way to solve a security problem is not to have it at all. If there’s an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there’s no RFID chip, then the security problem is solved.
Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can’t do, I am opposed to the idea.
Crossposted to the ACLU blog.
In Beyond Fear, I wrote about profiling (reprinted here). I talked a lot about how smart behavioral-based profiling is much more effective than dumb characteristic-based profiling, and how well-trained people are much better than computers.
The story I used was about how U.S. customs agent Diana Dean caught Ahmed Ressam in 1999. Here’s another story:
An England football shirt gave away a Senegalese man attempting to enter Cyprus on a forged French passport, police on the Mediterranean island said on Monday.
Suspicions were aroused when the man appeared at a checkpoint supervising crossings from the Turkish Cypriot north to the Greek Cypriot south of the divided island, wearing the England shirt and presenting a French passport.
“Being a football fan, the officer found it highly unlikely that a Frenchman would want to wear an England football jersey,” a police source said.
“That was his first suspicion prior to the proper check on the passport, which turned out to be a fake,” said the source.
That’s just not the kind of thing you’re going to get a computer to pick up on, at least not until artificial intelligence actually produces a working brain.
Recent articles about a proposed US-Canada and US-Mexico travel document (kind of like a passport, but less useful), with an embedded RFID chip that can be read up to 25 feet away, have once again made RFID security newsworthy.
My views have not changed. The most secure solution is a smart card that only works in contact with a reader; RFID is much more risky. But if we’re stuck with RFID, the combination of shielding for the chip, basic access control security measures, and some positive action by the user to get the chip to operate is a good one. The devil is in the details, of course, but those are good starting points.
And when you start proposing chips with a 25-foot read range, you need to worry about man-in-the-middle attacks. An attacker could potentially impersonate the card of a nearby person to an official reader, just by relaying messages to and from that nearby person’s card.
Here’s how the attack would work. In this scenario, customs Agent Alice has the official card reader. Bob is the innocent traveler, in line at some border crossing. Mallory is the malicious attacker, ahead of Bob in line at the same border crossing, who is going to impersonate Bob to Alice. Mallory’s equipment includes an RFID reader and transmitter.
Assume that the card has to be activated in some way. Maybe the cover has to be opened, or the card taken out of a sleeve. Maybe the card has a button to push in order to activate it. Also assume the card has come challenge-reply security protocol and an encrypted key exchange protocol of some sort.
Defending against this attack is hard. (I talk more about the attack in Applied Cryptography, Second Edition, page 109.) Time stamps don’t help. Encryption doesn’t help. It works because Mallory is simply acting as an amplifier. Mallory might not be able to read the messages. He might not even know who Bob is. But he doesn’t care. All he knows is that Alice thinks he’s Bob.
Precise timing can catch this attack, because of the extra delay that Mallory’s relay introduces. But I don’t think this is part of the spec.
The attack can be easily countered if Alice looks at Mallory’s card and compares the information printed on it with what she’s receiving over the RFID link. But near as I can tell, the point of the 25-foot read distance is so cards can be authenticated in bulk, from a distance.
From the News.com article:
Homeland Security has said, in a government procurement notice posted in September, that “read ranges shall extend to a minimum of 25 feet” in RFID-equipped identification cards used for border crossings. For people crossing on a bus, the proposal says, “the solution must sense up to 55 tokens.”
If Mallory is on that bus, he can impersonate any nearby Bob who activates his RFID card early. And at a crowded border crossing, the odds of some Bob doing that are pretty good.
More detail here:
If that were done, the PASS system would automatically screen the cardbearers against criminal watch lists and put the information on the border guard’s screen by the time the vehicle got to the station, Williams said.
And would predispose the guard to think that everything’s okay, even if it isn’t.
I don’t think people are thinking this one through.
There’s a good write-up from The Register.
Two points stand out. One, the RFID chip in the passport can be read from ten meters. Two, lots of predictability in the encryption key—sloppy, sloppy—makes the brute-force attack much easier.
But the references are from last summer. Why is this being reported now?
This article talks about a not-a-passport ID card that U.S. citizens could use to go back and forth between the U.S. and Canada or Mexico. Pretty basic stuff, but this paragraph jumped out:
Officials said the card would be about the size of a credit card, carry a picture of the holder and cost about $50, about half the price of a passport. It will be equipped with radio frequency identification, allowing it to be read from several yards away at border crossings.
“Several yards away”? What about inches?
Note: My previous entries on RFID passports are here, here, here, and here.
Sidebar photo of Bruce Schneier by Joe MacInnis.