I told you RFID didn't belong in passports!


A recent RISKS issue contains this item contributed by the editor, Peter G. Neumann:

Using inexpensive off-the-shelf components (a Motorola RFID reader and antenna, and a PC) ... Chris Paget ... built a mobile platform in his spare time that can clone large numbers of the unique RFID tag electronic identifiers used in U.S. passport cards and next generation drivers licenses. While driving around San Francisco for 20 minutes, he was able to harvest two passport tags without knowledge of their owners from up to 30 feet away.

Read the rest of the RISKS item over at the archive, or a complete article over at SecurityFocus.

Given the huge security risks that ought to be self-evident here, what justifies the use of a technology like RFID that can be read at a distance without the awareness of the document holder?

The only sensible approach in the first place was to use an optical technology such as a 2-D barcode symbology, if it really was necessary to put more information into the electronic record than just the passport number itself. Printed inside the cover (or on the back of a card), it would be immensely more difficult to read at a distance, and since the cover would normally not be left open, it would rarely be possible to get the content without the holder knowing. Even better, because the symbol is visible, the owner would be more likely to know that the threat exists, and to avoid leaving the document lying open with the symbol in plain view.

In contrast, the RFID tag is invisible to the owner and can be read without opening the document (or without even removing it from a pocket or wallet).

Until the world comes to its senses, wrapping your passport in copper foil may well be the only sensible action. Of course, you will then have to explain yourself to the nice TSA agent at the security checkpoint...

