Unsafe RFID passports being delivered now

The U.S. State Department has begun issuing passports with embedded RFID chips containing biometric data to U.S. diplomats, and will begin issuing them to all U.S. citizens by the end of 2006.

The RFID chips in the new new “e-passports” contain a digital image of the traveler, as well as the person’s name, date and place of birth, gender, passport number and dates of passport issuance and expiration.

While the RFID chips are encrypted, privacy advocates are concerned that the encryption may be weak, and that criminals could read the passports from several feet away. The passports contain an anti-skimming device which, in theory, protects the RFID chip from being read while the passport is closed, but when the passport is open, it’s open season on your data, say those concerned about the technology.

“The dangers of ‘skimming’ already have been the subject of serious public concern,” the American Civil Liberties Union wrote in April 2005 comments to State over its proposal to use radio frequency identification chips in e-passports.

Low-frequency RFID chips be read from up to 20 feet, but the department has maintained e-passports would include chips that only can be read from “approximately four inches” away from the source.

To eschew concerns over privacy and safety, the department said the front covers of e-passports have a built-in anti-skimming device. It is akin to “wrapping them in tin foil to prevent the radio frequency signal from getting through,” said Jay Stanley, communications director at the ACLU’s Technology and Liberty Program.

The e-passports also are equipped with an encryption feature to prevent the interception of information by a third party, or what the department calls eavesdropping.

“It is certainly an improvement” over State’s initial e-passport proposal, Stanley said. But the use of radio frequency technologies still creates a potential problem of security and identity theft. Questions remain over whether the chips still can be read without other people’s knowledge and if the technology can be used as unique identifier even if it is encrypted, he said. — National Journal’s Technology Daily

The passports will continue to cost $97 for the foreseeable future, but President Bush last month authorized the State Department to raise the price of passports through 2010.

The 27 countries which participate in the U.S. visa waiver program must also update their passports by October 2006 to provide biometric data.

I haven’t seen one of these new biometric passports, as no U.S. diplomats have offered to provide me access to one to read its RFID chip, so I haven’t been able to make any determination about what encryption techniques might be used on them or whether they are susceptible to being broken. However, The Register reported that the encryption technique used in the Dutch passports, which is the same as that used in U.S. passports, was broken in under two hours.

In other words, these new biometric passports aren’t at all safe. The minute you open it up, there goes all your biometric data to anyone who’s listening. It’s enough to create fake passports in your name, conduct identity theft, and even more.

One thought on “Unsafe RFID passports being delivered now

  • February 26, 2006 at 6:59 pm

    Too late ‘ one technology firm in Ohio is already requiring its employees to get tagged with an RFID chip in their biceps in order to gain access to their data centers.

    I’ll be damned if I EVER work for such a company.

Comments are closed.