The U.S. State Department announced Monday that the first passports containing radio frequency identification (RFID) chips, which store the holder's personal information and biometric data, are now arriving in the hands of Americans, while privacy advocates have raised red flags about the security of the information on the chips.
Production has started at the Colorado Passport Agency and will be expanded to other production facilities over the next few months, the State Department said, and it expects to expand the program to all passport offices by the end of 2007.
A contactless RFID chip in the rear cover of the passport contains the same data as that found on the biographic data page of the passport: name, date of birth, gender, place of birth, dates of passport issuance and expiration, passport number, as well as a digital image of the passport holder.
The State Department said that the passport and the RFID chip contain several security features to prevent forgeries as well as to protect the privacy of the information on the chip.
Metallic anti-skimming material incorporated into the front cover and spine of the e-passport book prevents the chip from being skimmed, or read, when the book is fully closed; Basic Access Control (BAC) technology, which requires that the data page be read electronically to generate a key that unlocks the chip, will prevent skimming and eavesdropping; and a randomized unique identification (RUID) feature will mitigate the risk that an e-passport holder could be tracked. To prevent alteration or modification of the data on the chip, and to allow authorities to validate and authenticate the data, the information on the chip will include an electronic signature (PKI).
The Department of State is confident that the new e-passport, including biometrics and other improvements, will take security and travel facilitation to a new level. — U.S. Department of State
The passports conform to International Civil Aviation Organization standards for e-passports containing RFID chips. Hackers in Germany and the Netherlands have already created copies of the RFID chips used in those countries’ passports, which use the same standards.
Others worry that counterfeiters and terrorists will be able to copy information from one passport to another, or alter the information on an existing passport. The State Department refutes that possibility as well, saying that the digital signature technology employed in the new passports would indicate if information has been added, tampered with, or copied from one chip to another — setting off a red flag for a customs officer at a port of entry. — ABC News
Yet the hack, demonstrated at the Black Hat Briefings on August 3, works. It is possible, the hackers demonstrated, to make an identical copy of the RFID chip in a passport, one that will fool the computer into thinking the original passport had been presented.
The Electronic Privacy Information Center in December urged officials to drop use of the chips (PDF). Citing assessments made by the U.S. Department of Homeland Security in its own internal documents, the advocacy group argued that the process of monitoring e-passport scanners requires too much attention from border inspectors and could actually distract them from screening the travelers themselves for suspicious activity. — CNET News.com
State Department officials and industry executives said that the information on the e-passport RFID chip could not be altered due to the use of encryption technology.
But it’s only a matter of time before that too is broken.