The United States government began issuing new electronic passports this week that include radio frequency identification (RFID) technology to store citizens’ personal information.
The U.S. State Department referred in its announcement to the use of biometric technology and “a contactless chip,” the latter a controversial device that will be embedded in each of the new passports.
At the Black Hat hacker conference in Las Vegas last month, a security consultant demonstrated a hack of such a passport and also described a relatively simple and inexpensive process for cloning one. The demonstration troubled many who have questioned the necessity for RFID technology, which transmits data wirelessly, in such personal documents.
Multiple Measures
The State Department, however, highlighted its “multi-layered” approach to protecting the new e-passports and mitigating the chances of the electronic data being “skimmed” — i.e., intercepted or stolen.
First, the government said a metallic material in the passport cover and spine will prevent skimming when the passport is not open.
Second, the e-passport relies on Basic Access Control (BAC) technology, which requires that a special key on the passport be electronically read prior to data access being granted.
The U.S. also said a randomized unique identification (RUID) feature of the new e-passports will diminish the risk that their holders could be tracked.
Finally, an electronic signature backed by public key infrastructure (PKI) will prevent alteration or modification of the information on the chip and will allow authorities to validate and authenticate it.
“The Department of State is confident that the new e-passport, including biometrics and other improvements, will take security and travel facilitation to a new level,” said a Department statement.
Defeating the Purpose
In response to longstanding criticism over the privacy and security risks of passports using RFID technology, the government has said the new e-passports are consistent with global specifications from the International Civil Aviation Organization (ICAO). More importantly, officials have indicated there will be some exchange of information required prior to RFID transmission of data, according to Electronic Frontier Foundation (EFF) Senior Staff Attorney Lee Tien.
The added measures may help alleviate some security concerns. However, Tien told TechNewsWorld, if an exchange of information or other personal contact is required, it would defeat the purpose of the RFID technology.
“It’s a solution in search of a problem,” he said.
Inherent Risk
Tien and other RFID researchers and security experts have questioned the need for RFID in passports.
The over-the-air signals that will be transmitted from the passports may provide all the incentive that attackers need to attempt hacking the technology.
“For people who know what they’re doing, [such a hack] is not really hard,” Tien said.
Tien also expressed concern that the e-passport rollout may breed more trust in unattended transactions, which may actually serve to increase privacy and security dangers.