Fatal Flaw Weakens RFID Passports

[David Farber <dave () farber net>]

Fatal Flaw Weakens RFID Passports
By Bruce Schneier
Story location: http://www.wired.com/news/privacy/0,1848,69453,00.html

02:00 AM Nov. 03, 2005 PT

In 2004, when the U.S. State Department first started talking about  
embedding RFID chips in passports, the outcry from privacy advocates  
was huge. When the State Department issued its draft regulation in  
February, it got 2,335 comments, 98.5 percent negative. In response,  
the final State Department regulations, issued last week, contain two  
features that attempt to address security and privacy concerns. But  
one serious problem remains.

Before I describe the problem, some context on the surrounding  
controversy may be helpful. RFID chips are passive, and broadcast  
information to any reader that queries the chip. So critics, myself  
included, were worried that the new passports would reveal your  
identity without your consent or even your knowledge. Thieves could  
collect the personal data of people as they walk down a street,  
criminals could scan passports looking for Westerners to kidnap or  
rob and terrorists could rig bombs to explode only when four  
Americans are nearby. The police could use the chips to conduct  
surveillance on an individual; stores could use the technology to  
identify customers without their knowledge.



Security Matters
RFID privacy problems are larger than passports and identity cards.  
The RFID industry envisions these chips embedded everywhere: in the  
items we buy, for example. But even a chip that only contains a  
unique serial number could be used for surveillance. And it's easy to  
link the serial number with an identity -- when you buy the item  
using a credit card, for example -- and from then on it can identify  
you. Data brokers like ChoicePoint will certainly maintain databases  
of RFID numbers and associated people; they'd do a disservice to  
their stockholders if they didn't.
The State Department downplayed these risks by insisting that the  
RFID chips only work at short distances. In fact, last week's  
publication claims: "The proximity chip technology utilized in the  
electronic passport is designed to be read with chip readers at ports  
of entry only when the document is placed within inches of such  
readers." The issue is that they're confusing three things: the  
designed range at which the chip is specified to be read, the maximum  
range at which the chip could be read and the eavesdropping range or  
the maximum range the chip could be read with specialized equipment.  
The first is indeed inches, but the second was demonstrated earlier  
this year to be 69 feet. The third is significantly longer.

And remember, technology always gets better -- it never gets worse.  
It's simply folly to believe that these ranges won't get longer over  
time.

To its credit, the State Department listened to the criticism. As a  
result, RFID passports will now include a thin radio shield in their  
covers, protecting the chips when the passports are closed. Although  
some have derided this as a tinfoil hat for passports, the fact is  
the measure will prevent the documents from being snooped when closed.

However, anyone who travels knows that passports are used for more  
than border crossings. You often have to show your passport at hotels  
and airports, and while changing money. More and more it's an  
identity card; new Italian regulations require foreigners to show  
their passports when using an internet cafe.

Because of this, the State Department added a second, and more- 
important, feature: access control. The data on the chip will be  
encrypted, and the key is printed on the passport. A customs officer  
swipes the passport through an optical reader to get the key, and  
then the RFID reader uses the key to communicate with the RFID chip.

This means that the passport holder can control who gets access to  
the information on the chip, and someone cannot skim information from  
the passport without first opening it up and reading the information  
inside. This also means that a third party can't eavesdrop on the  
communication between the card and the reader, because it's encrypted.

By any measure, these features are exemplary, and should serve as a  
role model for any RFID identity-document applications.  
Unfortunately, there's still a problem.

RFID chips, including the ones specified for U.S. passports, can  
still be uniquely identified by their radio behavior. Specifically,  
these chips have a unique identification number used for collision  
avoidance. It's how the chips avoid communications problems if you  
put a bagful of them next to a reader. This is something buried deep  
within the chip, and has nothing to do with the data or application  
on the chip.

Chip manufacturers don't like to talk about collision IDs or how they  
work, but researchers have shown how to uniquely identify RFID chips  
by querying them and watching how they behave. And since these  
queries access a lower level of the chip than the passport  
application, an access-control mechanism doesn't help.

To fix this, the State Department needs to require that the chips  
used in passports implement a collision-avoidance system not based on  
unique serial numbers. The RFID spec -- ISO 14443A is its name --  
allows for a random system, but I don't believe any manufacturer  
implements it this way.

Adding chips to passports can inarguably be good for security.  
Initial chips will only contain the information printed on the  
passport, but this system has always envisioned adding digital  
biometrics like photographs or even fingerprints, which will make  
passports harder to forge, and stolen passports harder to use.

But the State Department's contention that they need an RFID chip,  
that smartcard-like contact chips won't work, is much less  
convincing. Even with all this security, RFID should be the design  
choice of last resort.

The State Department has done a great job addressing specific  
security and privacy concerns, but its lack of technical skills is  
hurting it. The collision-avoidance ID is just one example of where,  
apparently, the State Department didn't have enough of the expertise  
it needed to do this right.

Of course it can fix the problem, but the real issue is how many  
other problems like this are lurking in the details of its design? We  
don't know, and I doubt the State Department knows either. The only  
way to vet its design, and to convince us that RFID is necessary,  
would be to open it up to public scrutiny.

The State Department's plan to issue RFID passports by October 2006  
is both precipitous and risky. It made a mistake designing this  
behind closed doors. There needs to be some pretty serious quality  
assurance and testing before deploying this system, and this includes  
careful security evaluations by independent security experts. Right  
now the State Department has no intention of doing that; it's already  
committed to a scheme before knowing if it even works or if it  
protects privacy.

- - -

Bruce Schneier is the CTO of Counterpane Internet Security and the  
author of Beyond Fear: Thinking Sensibly About Security in an  
Uncertain World. You can contact him through his website.




Ads by Google
Passport Services
Get New Passports, Renewals, and
Replacements. Fast & Reliable Svc!
www.AmbassadorPassportandVisa.com       Passport Renewal-Same Day
US Passport & Visa Services
Make Your Trip, Member BBB and ASTA
www.americanpassport.com        Brooks Software
Real-Time Enterprise (RTE)
Applications for Mfg. Advantage
software.brooks.com     Pet Recovery Services
Register your pet for free today!
Additional services also available.
www.24petwatch.com
Note: Ads will not appear when the page is printed
Wired News: Staff | Contact Us | Advertising | RSS | Blogs | Subscribe
We are translated daily into Korean and Japanese
© Copyright 2005, Lycos, Inc. All Rights Reserved. Lycos® is a  
registered trademark of Carnegie Mellon University.
Your use of this website constitutes acceptance of the Lycos Privacy  
Policy and Terms & Conditions


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/