The Canadian Flag On Your Backpack Will Fool No One
That’s right, the US State Department loves wireless storage so much they are putting it in your passport, according to CNN Money, in the form of a 64 KB RFID chip. That’s four times the memory of my first computer. The chip can be easily read with non-standard equipment from as far away as 160 feet.
Just How Stupid Is It?
I give it a Threat Level: Red. Passports have a 10 year life, so the bad guys who want your info – or your scalp – will have 10 years of technology advances to refine their technique. Expect RFID scanners built into briefcases to be on sale next year at spy shops. They’ll get smaller and cheaper. You’ll get older and slower.
But The Data Is Encrypted
Heh. Encryption works best on unstructured data. Back during WWII, the Bletchley Park wizards broke the German Naval Enigma code – which they’d suddenly changed when someone suspected it had been broken – when they realized that each submarine’s transmission contained an unchanged weather code. What’s in a passport: name, birthdate, birthplace, date of issue, height, weight, eye color, photo. Gosh, who could figure that out? It took security pros using a PC two hours to crack the Dutch version last year.
Then: Z-Hunting. Now: RFID Crack & Track
Criminals in Florida used the Z plates on rental cars to target tourists for mugging, theft, abduction and occasionally murder. Organized criminals, like the ones who commit cyber-crimes such as identity theft and website extortion DoS attacks, clearly have the Mojo to crack and track RFID passports.
Solution 1
The easiest solution would be for State to drop the whole stupid idea. That won’t happen, since most elected officials, when not flat-out auctioning themselves for campaign contributions, are painfully ignorant about science and technology.
Solution 2: Use A Hammer
Use a hammer to crush the chip. We’ve all heard that sticking an RFID chip in a microwave will kill it – but not without risk. According to the Spychips FAQ:
Q: Can I microwave products to kill any hidden RFID tags they might contain?
A: While microwaving an RFID tag will destroy it (a microwave emits high frequency electromagnetic energy that overloads the antenna, eventually blowing out the chip), there is a good chance the tag will burst into flames first. The difficulty of destroying a hidden RFID chip is one reason we need legislation making it illegal to hide a chip in an item in the first place.
They recommend either disconnecting the antenna – which would likely be a problem since the cutting would look like tampering – or physically crunching the chip. With some care the crunch job shouldn’t have to leave any marks.
Solution 3
A Frito’s corn chip bag. Anti-static bags don’t work, but informal tests suggest the aluminized corn chip bags block RFID effectively.
Stay Tuned
I’m sure Passport RFID destruction techniques will be explored and documented on the web in the next few months. Sadly, some courageous individuals will likely be prosecuted for “tampering” with their passport.
State could have used either smart cards or laser cards. Instead some fast-talking salesman and (probably) semi-corrupt congressmen gave us a poor solution that we’ll all be living with for years to come.
Look to Mitretek (http://www.mitretek.org) for some of the influence on this decision. I worked there a few years back when the Dept. of State was deciding whether to go with 64k or 128k on the card. The Dutch passport was the only chipped passport back then, I think – I didn’t realize that the encryption could be broken so quickly (not that I looked into it).
FYI, smart cards were panned because of their cost and 2D barcodes don’t really hold enough data (if you want to store biometric data, such as a face picture, on the chip). Look to the Dept. of Defense Common Access Card for a massive smart card roll-out.
Cheers.
Chris, thanks for the perspective. When I lived in Europe I had to have a bank account – with a smart card – to get paid. No one seemed concerned there, so the cost issue never occurred to me. Not that I think cost should be a determinant – people pay for passports after all – so as long as it is reasonable why worry?
The bottom line is that remote observation is a problem – whether it is one’s passport, phone calls, internet surfing or presence in public spaces. It is not a question of “if” this information will be used for oppressive and evil purposes, only when. Sad, but several thousand years of history confirms it. Only after some unlucky people get targeted, tortured and killed will most Americans wake up to the current stupidity and will our passports get fixed.