nfc

Just thought I'd pass on the latest in the e-Passports travesty. While there are a number of companies participating in the electronic passport program, all it takes is one vendor making dumb and predictible mistakes to disclose the encryption methodology.

Global RFID Passport Encryption standard cracked in 2 hours

On top of the cracking of the global passport standard, a researcher disclosed at a RSA conference how to use a cell phone to read RFID tags. While the tag technology is different than that in passports, it's only a matter of time before cell phones can be used to skim passport info.

disclaimer: I work in the RFID industry, so I do have a vested interest in RFIDs success. Sadly, the electronic passport technology is a joke. There are significantly more secure technologies available, but they add additional cost and complexity to implement.

DH

I could see that terrorists will use it to sort out and target a particular nationality.

Superguy

Makes me glad I'm getting my passport now without the chip.

Wish I could convince my wife to do the same.

Doppy

Big surprise here. Passports should either use contact or two dimensional barcodes.

wth

I've had such concerns about the new RFID passports. I read somewhere that a carrier or holder lined with the right material (aluminum?) could prevent casual reading of the RFID chip. Perhaps nfc has some insight.

It wouldn't address times when you have to remove a passport from its holder, but it would prevent someone reading it from one's pocket, purse or backpack.

alex0683de

F***! I knew it, and I have no choice but to get one of the new chip-equipped passports when I have to apply for a new one in December (I'm German, and we were the first country to roll this stuff out and make it mandatory).

Hmm, it's either get one of these unsecure passports or stop travelling...

Tough choice, but I suppose I'll just have to take the risk! Wish me luck!

alex0683de

My guess would have been lead.

Maybe I could get that sewn into my passport cover. Might make it a little heavy though, but "baaaah, anything for security", right?

sse2k

We knew this one was coming!

I've had my current passport for a couple of years now, so I don't have the tags inside. However, my fiancee just got hers in the mail, and I'm not sure if I can tell if one is inside. In comparing hers to mine, hers has what looks like security foil (a la new $20 bills), inside the back spine, that comes to the surface at some points. Is this the chip?

alex0683de

Apparently, the chip would be in the front cover. At least it is for the European variants...

nfc

A thin layer of aluminum, such as aluminum foil, wrapped around an RFID tag will shield it from being read. This is a concept known as a Faraday shield. The shield prevents radio waves from reaching the RFID chip. In the case of the electronic passport chips, they are passive tags which means they are powered by the signal received from an RFID reader. Preventing radio waves from reaching the tag, results in the tag never powering up. Besides aluminum foil, there are a number of other materials, including composites and innovative mesh, that effectively shield tags.

After numerous complaints, the specifications for the electronic passports were changed to include shielding in the passport itself. The chip is supposed to only be readable when the passport cover is open. In reality, if a passport is stuffed into a purse or travel bag, it might not be perfectly closed. Thereby, opening up the passport to skimming techniques.

As the number of RFID tags increases in our everyday world, I'm willing to bet that someone begins selling passport holders with embedded shielding materials. Extending the product line to include liners for purses, backpacks, briefcases and wallets isn't too big of a leap.

Hope this explanation helped. RF technologies are pretty complex due to their basis in physics. However, I'm always amazed by how sophisticated technologies can be defeated by something as low tech as aluminum foil.

nfc

For a serious secure application, I prefer contact also. However, since contact is rarely used in the US, it was never in play for the electronic passports. There are ways to have secure contactless communications, but the passport standard was set at a level far below the true capabilities of RFID technology. That said, the RFID tags being used can only be read at a limited distance, 0-2 inches. Some pretty serious technology is required to increase the read distance to where a passport can be skimmed without it being apparent.

Two dimensional barcodes are nice, but they're fairly limited in the amount of information that can be stored. The newer RFID tags can store a significant amount of information. Printed barcodes are also more easily damaged and rendered unreadable than a RFID tag. They also have to be aligned just right to be read, where one of RFID's benefits (and potential security risk) is that it's non line of sight. The more rapidly a passport can be read, the faster immigration lines will move ^

Flaflyer

Not that I am planning a change of careers into the klepto field, but it hits me that if this works for the security tags inside small expensive products then having a foil lined pocket or purse. . . .

nfc

Yep. That's one way to defeat the tags. The other is the use of a high powered 'zapper', putting out significant electromagnetic energy, that will actually kill the tag. A couple of months ago, a group of hackers published how to do this. It's similar to the nuclear arms race, as merchants work to improve anti-theft methods, the criminals get creative and eventually overcome the methods.

MisterNice

Shoplifters have been easily defeating store tags for years by using aluminium foil lined shopping bags. Your EasyPass thingee can be shielded using the metal coated envelope should one wish to pay tolls by cash.

MisterNice

par

if the passport smart chip technology relied on secrecy as the method for securing the passports then they are doomed. As anyone skilled in the art of cryptography, the only algorithm or apparatus that is secure is the one whose implementation is publicly available and still is secure. This is why the government has no qualms about openly specifying how assymetric encryption should work for secure data encryption in order to meet federal standards.