Tuesday, February 14, 2006

RFID Chips in Passports Proven to be Insecure

February 14, 2006 – ACCESS has been concerned for months that the State Department’s plan to include RFID chips in passports has not been well thought out. The original plan would have placed an RFID chip in every passport, containing unencrypted data about the passport holder. After a storm of protest, the State Department revised the standard to include some encryption. Now, a Dutch television news program has come along and broken that encryption in less than two hours. The ramifications of this for passport holders are anything but positive.

 

The news program hired the research firm Riscure to see if they could break the RFID encryption in a prototype of a new Dutch passport. The encryption standard that the Dutch are using is identical to the one that the United States plans to use.

 

According to the Practical Nomad, Riscure was able to intercept data contained in the passport using an RFID reader. Although the data was encrypted, Riscure was able to read the entire data stream and store it on the hard disk of a laptop computer. Once the data was stored, it took them less than two hours to hack into it and read it in an unencrypted form.

 

The ramifications of this are disturbing. The data that will be stored in passports includes the passport number itself and a stream of personally identifiable information, including the nation issuing the passport and the name and picture of the passport holder. Once the data stream has been intercepted, a resourceful crook would be able to make slight manipulations to it, imprint it on a new RFID chip, and then make a counterfeit passport.

 

Beyond counterfeiting, there are even more disturbing elements to this story. The Dutch passport used exactly the same chip set and encryption standards as the US Government is using. The data contained on the passport RFID chip can be read from distances of greater than 30 feet. At that distance, US citizens could easily be singled out and targeted by terrorists or kidnappers in their travels. Someone interested in this type of crime could simply walk down the hall of a hotel and read passport data without ever having a need to enter the room. It would only take them a matter of hours to determine which hotel guests were Americans and what rooms they were staying in. In this day and age, that information can present a real danger if it winds up in the wrong hands.

 

Intercepted data could be used to steal the identity of the passport holder. Just as importantly, an American Passport identifies the holder as a US Citizen. With a forged passport that contains accurate data, anyone can gain entry to the country, open a bank account, get a driver’s license, or even register to vote.

 

Use of RFID in passports is unnecessary. Designers could just as easily have encrypted data on a magnetic strip. This type of data storage would have required physical contact with a passport in order to read it, a significantly more secure setup.

 

But not only did the United States make an internal push to use RFID, it also pushed a variety of other nations to adopt a particular standard and then use it. Unfortunately, this new standard appears to be fatally flawed (which is something that we warned about more than six months ago), and if implemented could actually weaken both national and personal security.

 

The State Department has been forced repeatedly to delay the wide-scale distribution of RFID in passports. Originally, they had hoped to deploy the system last year. Now, they are pushing for a late 2006 implementation. ACCESS is hoping that better encryption will be added to the data stored in passports, and would very much like to see RFID chips eliminated entirely.

 
