Print 48 comment(s) - last by masher2.. on Aug 15 at 9:44 AM

Government officials insists new passports are secure

This week the US government plans to rollout new RFID passports to citizens nationwide. The new passports contain a chip which requires no power and contains duplicate information of what's printed on the passports. This way, government officials at air ports and other national borders can quickly verify the authenticity of printed information on the passports. DailyTech last reported that the US government planned to issue the new passports this month despite privacy concerns.

Despite the security benefits that the US government is boasting, security advocates and experts say that the new RFID passports present an increased level of danger for passport users. Because of the technology being used, remote RFID readers can read information off the passports for cloning or malicious use. The US government argues that this is no different than having someone steal a physical passport -- they wouldn't be able to use it anyway. Officials claim that the information be stored on the new passports are encrypted and cannot be copied and modified. Likewise, the information on the passports cannot be scrambled or changed because the chips are read-only.

The US State Department already has a fairly comprehensive Frequently Asked Questions website about the new electronic passports.  About half of the official Q&A from the State Department is with regard to security.  For example, the site claims "To prevent eavesdropping, Basic Access Control (BAC) is employed in the U.S. e-passport.  BAC is similar to a PIN used in ATM or credit card transactions.  In the case of the electronic passport, characters from the printed machine-readable zone of the passport must be read first in order to unlock the chip for reading.  Thus, when an electronic passport is presented to an inspector, the inspector must scan the printed lines of data in order to be able to read the data on the chip." 

Staff counsel at the Electronic Privacy Information Center in Washington said that "many of the advantages the industry is touting are eliminated by security concerns." However, a German security company has already demonstrated that information on the new passports can be copied and transferred to another device.  The State Department claims there is an anti-skimming technology in place to prevent this type of exploit specifically, though exact details of the counter-measure have not been revealed yet.

The new passports are being manufactured by Infineon Technologies, but production has not started yet. Other countries deploying new passport technologies include Japan, France and Canada. The new RFID passports are already being used in French international passports and Canada plans to introduce biometric passports sometime in 2007.  Japan's all-biometic passports are already being rolled out in select regions. The UK is still in the planning phases for its passports.

The new passports will cost roughly $97 per passport and includes a $12 security surcharge. The US government expects the technology to be fully deployed within the year. Those with regular passports will still be able to use them until the expiration date is reached.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By nerdboy on 8/14/2006 11:41:46 AM , Rating: 1
I wounder if the RFID in a passport will work like a warehouse RFID that can track packages anywhere in the world up to a 100 feet of where it is. Just a thought

By Nightskyre on 8/14/2006 11:52:27 AM , Rating: 2
Having previously worked for a large shipping company, I find your statement extremely unlikely with regards to anything that costs only $97. Clearly you must not understand what an RFID is. They are fundamentally different from, say, a GPS, which costs a lot more. Anything that would provide worldwide tracking would likely require satellite intervention, and you aren't going to find that imbedded in a piece of paper, or that crazy canvas stuff they make passports out of.

By gramboh on 8/14/2006 12:18:29 PM , Rating: 2
What he means is there is a potential to have a large network of passive RFID scanners which connect to a global database/network which updates/tracks your location as you move from place to place.

Big brother stuff, personally I disagree with it but it doesn't scare me as I live in Canada :)

By Furen on 8/14/2006 12:21:58 PM , Rating: 2
And, more importantly, it would require power. Tracking requires the device being tracked to respond to the satellites doing the tracking. RFID needs to be powered by a relatively short-ranged reader.

By masher2 on 8/14/2006 12:40:58 PM , Rating: 2
Satellite tracking isn't feasible, but terrestrial tracking certainly is. One thing I can see happening is installation of scanners at all domestic airport security checkpoints. So when a person enters the US with such a passport, not only are they scanned at port of entry, but their movements at every subsequent stop afterwards as well.

By Nightskyre on 8/14/2006 1:10:23 PM , Rating: 2
So, not to sound like I'm in favor of impinging our personal freedoms, but, really, so what?

If the government wanted to track our movement, they could just get the passenger list from the airline. Besides - Keep in mind, you don't need your passport to travel domestically. And, since the format isn't standardized globally, the best the government could do is track your leaving and entering the states - Something they already do with a much more archaic system.

By Dustin25 on 8/14/2006 1:10:58 PM , Rating: 2
It's all about thinking ahead. Many big name corporations are geared up to jump on the rfid bandwagon. They want rfid scanners in their entryways, their store shelves, and anywhere else they can be crammed. They want this for many reasons like theft prevention and inventory, but mostly they want it for the almighty power of information. Rfid will become the new tool in advertising. Credit cards and drivers licences will all have rfid and there's even talk of rfid in U.S. currency. There are already rfid refrigerators for your home. Think ten years ahead. Anytime you walk into a building the system will know what cards you are carrying and the name and address on those cards and will know how much cash you're carrying. They will even be able to know where you just came from based on the rfid databases that are being setup by corporations such as Wal-mart. With the advent of more and more products equipped with rfid readers for your home, they will be able to tell what room you are in in your own home. All of the above can and will be used to target advertisements at you and tech savvy criminals can use this info. Of course the government will want these corporate rfid databases linked to government computers. In a country with rfid scanners around every corner, you will have no privacy.

There is even a company that wants to set up rfid billboards. The board will scan drivers as they pass or at a red light and show targeted advertisements to them.

By Nightskyre on 8/14/2006 1:37:05 PM , Rating: 2
So, in other words, you're telling me that global companies that may or may not have their central offices in the States are held under the same set of restrictions (or freedoms) that the government is? I disagree with that.

Further, if there are RFid tags in money, now the companies have to pay the government money to access whatever encryption may be used on the money. More government income from business.

"Anytime you walk into a building the system will know what cards you are carrying and the name and address on those cards and will know how much cash you're carrying."

No, not really. When you swipe your credit card through a machine in a store, it doesn't transmit any address information, it transmits an account number. The same information the store would get from you using the card is the information they would/could get when you entered the store. The credit card companies would be in serious trouble if they started distributing customer's private information through a medium like an RFid on a credit card. Once again, this is an example of a paranoia over a new technology that is irrelevant because the information that is being transferred is already being transferred through another more archaic medium.

"With the advent of more and more products equipped with rfid readers for your home, they will be able to tell what room you are in in your own home."

This is, of course, assuming you carry your wallet when you take a shower, walk the dog, go to sleep, etc. It is also assuming your house is linked up to a central database somewhere, which is a HUGE assumption you are making that probably isn't true. Putting an RFid in a credit card is very different from saying "Hey, mister consumer, can I stick this box in your closet and plug it into your internet connection?"

"Of course the government will want these corporate rfid databases linked to government computers."

Aren't these the same types databases that the government can't obtain without a warrant or other such legal documentation that gives the government a reason to GET this information?

"There is even a company that wants to set up rfid billboards. The board will scan drivers as they pass or at a red light and show targeted advertisements to them."

You mean the billboard will show something I care about instead of local themepark X or three month-past festival show Y? Wow, that's tragic.

Finally, if there are any RFid tags anywhere, you could always just line your wallet with tin foil or find a more effective way to generate the Faraday effect.

And by the way. Who is this "They" that you always refer to? Aliens?

By Master Kenobi on 8/14/2006 1:39:53 PM , Rating: 2
Not to be patronizing, but do you really have any idea how screwed up our government is? Nobody trusts anyone, they all assume everyone else doesn't know how to do their jobs. Even if the NSA swore up and down you were ay XYZ Wednesday Night, and could call up RFID to show it. Whoever in the Justice Department that was working the investigation wouldnt be allowed to see that information because the two agencies dont trust each other, or dont talk to each other.

You are partially correct though, the only people that would care would be the advertising and corporate sector, the FBI would likely plug into the database and use it for surveilance on fujitives, criminals, terrorists and whatnot. No real harm there because the only time the FBI would query the system is when they know who they are looking for, its simply a matter of tracking them. Nothing wrong with that.

By Nightskyre on 8/14/2006 2:02:14 PM , Rating: 2
Once again, I refer to the Faraday effect. Additionally, unless your clothing is lined with RFid tags, you have no requirement to carry anything that is going to have an RFid tag in it. Until I see laws that mandate the carrying of an RFid equipped device, I still don't see the issue. I also don't care who talks to who in the government. Until we as citizens get to the point where we cannot restrict our personal use of RFid equipped devices, it is a moot point. Many if not most Americans are willing to sacrifice privacy for convenience. This is just another example of that.

The obvious dispute to this would be RFids in cash. If cash has RFids in it, how can we avoid them? In this case, I submit to you exhibit A - The nameless transaction. The whole point of cash is that it is a universal medium that does not contain personal information by which the second party of a transaction can identify the first. I can go into any store at any time with any number of bills of any denomination and purchase anything. Granted, large purchases could cause the raising pf an eyebrow or two, but the point stands.

By masher2 on 8/14/2006 4:55:30 PM , Rating: 2
> "unless your clothing is lined with RFid tags, you have no requirement to carry anything that is going to have an RFid tag in it. "

You mean, except for the RFID in your new passport, I assume.

> "I can go into any store at any time with any number of bills of any denomination and purchase anything. Granted, large purchases could cause the raising of an eyebrow or two"

It'll do more than "raise eyebrows". If you purchase anything with more than $10,00 in cash, it'll result in a form 8300 filed immediately to the IRS...and, depending on the circumstances, federal agents at your door asking questions.

By Burning Bridges on 8/14/2006 4:30:19 PM , Rating: 2
Minority report, anyone?

By Master Kenobi on 8/14/2006 1:25:24 PM , Rating: 2
Yea pretty much. This just makes it that much easier. In the long run this is cheaper than maintaining the archaic system we have now. Risk is minimal if its either checking against a database and has no real data on the tag, or they are using a 128-Bit AES or higher encryption, which would be just as easy to implement. And this helps to eliminate human error during the visual checking phase. It's bound to rub some the wrong way but I would have to say these people dont have security clearances. If they think a little RFID tag is "big brother", try going for a security clearance, your entire life is basically an open book, but you go through with it, because thats whats required. RFID tags are no less secure than receiving your bills in the mail with all of your personal and billing information on them.

By Dustin25 on 8/14/2006 2:32:08 PM , Rating: 2
Nightskyre is sitting in his car at a red light. The billboard in front of him has found that he is a frequent purchaser of Viagra and genital wart cream. The Walgreen's up the road is a paid sponsor of the billboard and has a special on just those products. So as Nightskyre is sitting there, the billboard begins to flash the words "Nightskyre, come get a great deal on Viagra and Jim's genital wart cure-all for everyday low low prices just five miles down the road on the right." This of course is just a joke and an exaggeration, but anyone who is cool with targeted advertisement needs to get their head examined. It's not about the advertisement, it's about how companies collect info for that advertisement that irritates me.

By Nightskyre on 8/14/2006 2:51:42 PM , Rating: 2
Is that so? Stop using your credit cards, don't use e-mail, and, oh goodness, please make sure you never ever use G-Mail, or anything Google related, for that matter.

Once again you're assuming a lot of things.

1. That billboard is emitting some serious radio waves if it can pick up my credit card's RFid tag in my wallet. Let's ignore for now the illegality of Walgreens collecting credit card information and pretend I have a "Frequent Savers" card instead. Oh, wait. Why do these (pre-existing) cards exist at virtually every store in the country? Because people are willing to give up privacy for convenience. I save 5% off my purchase and the company tracks what I buy. This is common now. They can, in turn, target me with ads. Hell, even now supermarkets print coupons that are based on what you just bought. Connecting this to my Stop'n'Shop card is just as easy.

So, we've now established that "frequent saver" cards must NOT be something Dustin25 has in his wallet, because he's afraid of companies gathering information about him.

2. Credit cards will have RFid's in them? If that billboard could pick up the RFid at LEAST 40-50 feet away, I'd be pretty impressed. By the time the billboard read my id and started to display the new sign (after accessing its non-local database) I'd be long gone, or gone very soon.

This is, as I mentioned, assuming we ignore the fact that retail companies cannot store my credit card information without my permission, AND that the credit card company has already provided its decryption software to the billboard company (the encryption can be done via hardware and wired into the card reader at the store, thereby retaining the credit card company's right to private encryption information)

And, since it seems to be ignored in, I dunno, every post I've made so far, holy Faraday effect, Batman.

By Knish on 8/14/2006 6:31:55 PM , Rating: 2
Is that so? Stop using your credit cards, don't use e-mail, and, oh goodness, please make sure you never ever use G-Mail, or anything Google related, for that matter.

Don't forget AOL either. Actually especially AOL :)

By masher2 on 8/14/2006 3:23:29 PM , Rating: 2
> "Keep in mind, you don't need your passport to travel domestically."

The point is, if you travel internationally, you're going to have your passport with you, even on the domestic portion of your travels.

> "since the format isn't standardized globally..."

US and Germany are already using the same basic system. How long until the rest of the world follows suit?

By nerdboy on 8/14/2006 3:19:57 PM , Rating: 1
There are diffenrt types of RFID tags, like Active Tags
Active Tags possess a battery thus powering a Tag with greater energy and signal strength and achieving greater distances. Tag costs are higher, $20 to $70, primarily due to the additional discrete electronic components necessary and the low quantity of Tags demanded by applications
Tags battery life last up to 5 years typical. I still do work for a very large shipping company and support RFID. oh and also Microsoft's working on software for an RFID-based system that would allow senders, receivers and shippers to automatically track a package's location through all stages of the shipping cycle.

protecting your data
By Mclendo06 on 8/14/2006 10:46:36 AM , Rating: 2
Would keeping the passport in a metallic ESD bag except for when you are at the passport desk prevent malicious individuals from reading the data off of it?

RE: protecting your data
By imaheadcase on 8/14/2006 10:52:12 AM , Rating: 2
Like the article said it does not matter if someone reads it, they can't do anything with the data from a passport.

RE: protecting your data
By masher2 on 8/14/2006 11:01:30 AM , Rating: 3
> "Like the article said it does not matter if someone reads it, they can't do anything with the data"

First of all, they can determine you're an American...which is a security risk in itself in many countries. One can even imagine detonators, automatically primed to set off explosive caches, as soon as someone carrying an American passport walks by.

Secondly, the security behind the US passports has already been cracked, allowing in theory at least a person to read the entire contents of your passport remotely:

RE: protecting your data
By TomZ on 8/14/2006 11:04:54 AM , Rating: 2
I agree with the above concerns, and I think RFID passports are a security risk, and a solution looking for a problem. It seems to expose citizens to all kinds of new potential threats simply in order to save a fraction of a second during passport processing. Why couldn't one of many alternative systems have been used, for example a barcode ID that brings up your identitiy information from a database?

RE: protecting your data
By rrsurfer1 on 8/14/2006 11:19:52 AM , Rating: 2
My guess is someone made a whole bunch of money selling this technology to the government... probably with heavy lobbying.

RE: protecting your data
By PrinceGaz on 8/14/2006 11:18:25 AM , Rating: 2
Okay so other people can determine that you are an American, but they can't use that data to create a passport for themselves so it doesn't impact on national security. The worst that might happen is that you could be kidnapped and/or killed, but national security is not compromised so there is nothing to worry about. I'm not worried about it anyway.

P.S. I am not American.

RE: protecting your data
By TomZ on 8/14/2006 11:47:51 AM , Rating: 2
I think the greater concern is with individual security, not national security. The ability to forge or duplicate passports is the same with and without RFID. What is different with RFID is potential problems with individual security.

RE: protecting your data
By imaheadcase on 8/14/2006 12:50:52 PM , Rating: 1
lol "see you are an american". Like the insignia or the plane ticket is not a clue. Or that your speak english? lol

Making mountians out of mole hills.

Btw they removed the data from passport, they did not read it.

RE: protecting your data
By Soviet Robot on 8/14/2006 2:00:52 PM , Rating: 2
Yeah :| Because only Americans speak english

RE: protecting your data
By masher2 on 8/14/2006 3:19:05 PM , Rating: 2
Or that Americans cannot speak other languages as well. Or that you continually speak while on a train, bus, or while on a crowded city street.

Seriously, its not that hard for most Americans to blend in reasonably well in a crowd in most foreign locations. That is, unless they have one of these new passports.

RE: protecting your data
By nilepez on 8/14/2006 5:43:12 PM , Rating: 2
He said detonators wired to go off if you're american. Maybe you're unusual, but most of us don't walk around the streets with our airline ticket stub in hand.

As for english, it sounds like you've never left the country. Hard as it is to believe, many, if not all foreigners cannot distinguish between the various english accents, including Britsh vs American. They certainly won't differentiate between Canadian and American.

The system will be cracked (I guess it already has) and identities will be stolen.

There is no security that can't be defeated and this is no exception.

RE: protecting your data
By Knish on 8/14/2006 6:30:25 PM , Rating: 1
He said detonators wired to go off if you're american. Maybe you're unusual, but most of us don't walk around the streets with our airline ticket stub in hand.

I am guessing you haven't travelled overseas much. I have an Israeli and a US passport. Whenever I travel, especially to Asia, I *always* have my passports with me.

1.) No one steals it from my hotel room
2.) If you get arrested or in trouble and need to go to the embassy, your passport is the only thing anyone will accept as far as identification
3.) Considering the turbulence in the world, if I had to get out of the country *fast* I am not going to screw around and go back to the hotel room -- I'm booking it to the airport and I already have my passports with me.

RE: protecting your data
By FITCamaro on 8/14/2006 3:19:42 PM , Rating: 2
As someone else said, the security has already been cracked. But even if it hadn't, eventually it would be. There is no encryption out there that is 100% crackproof. Sure it might just take a little longer, but it can and will be done. If major government systems like the FBI and CIA can be cracked, you can be damn sure something like a security key on an RFID chip will be.

RE: protecting your data
By Spinne on 8/14/2006 10:56:03 AM , Rating: 2
Probably, yes. Bthen every time you pass by a hidden passport reader, you'll have the marines stopping you to see what you're doing walking around with no passport.
On another note, let me guess, so far passports from different countries are not mutually readable, right? So if I did go to Japan or wherever, my electronic passport would be useless, right?

RE: protecting your data
By rrsurfer1 on 8/14/2006 11:31:40 AM , Rating: 2
Another good point. If they are going to do it, the tech should at least be standardized for use anywhere in the world. Easier said than done but I don't think there's really need for these passports at this time, so a bit of a delay for standardization would have been fine.

RE: protecting your data
By Master Kenobi on 8/14/2006 11:03:12 AM , Rating: 2
with such a small amount of data, one could toss a 256-bit AES encryption key on there and good luck to any hacker trying to break it.

Good thing I already got mine...
By Suomynona on 8/14/2006 10:13:51 AM , Rating: 2
I'm glad I got mine in May, so I'm covered until 2016. I get to see how all this pans out without having to worry about my info being stolen.

By BornStar on 8/14/2006 10:56:12 AM , Rating: 2
I'm pretty happy I got mine back in April. I want to wait as long as possible before I'm forced to get a new one.

RE: Good thing I already got mine...
By poohbear on 8/14/2006 11:00:43 AM , Rating: 2
jesus your passport lasts till 2016?!?! i got mine 2 years ago but it hardly lasts me 10 years.

By Nightskyre on 8/14/2006 11:48:29 AM , Rating: 2
The standard passport will expire either on your eighteenth birthday, or ten years from date of issuance.

Personal EMP device?
By kaborka on 8/14/2006 2:18:37 PM , Rating: 2
I think there will be a great market opportunity for someone to make a "personal EMP" device to fry RFID tags and anything else in the vicinity. ;-)

RE: Personal EMP device?
By Furen on 8/14/2006 3:02:24 PM , Rating: 2
An EMP device would be illegal under current FCC regulations, so there won't be much of a market there...

RE: Personal EMP device?
By TomZ on 8/14/2006 4:29:54 PM , Rating: 2
Nah, just make a small, enclosed device - no problem.

Smart or not...
By rrsurfer1 on 8/14/2006 10:03:21 AM , Rating: 2
Wonder if they did the smart thing and gave everyone a number that would link with a dbase for all the info... but my guess, knowing the government, is that they actually have all the info right on it in encrypted form - which is asking for trouble.

Based on the wording of this article it seems they chose to include the info itself.

RE: Smart or not...
By TomZ on 8/14/2006 11:01:43 AM , Rating: 2
Yes, that is what the article says, that all the identity data is contained within the passport itself.

Infineon technology making the US Passports?
By IDmagnet on 8/14/2006 9:26:06 PM , Rating: 2
Does anyone besides me think that it's a bit strange that a German company is going to me making the US passports? There are plenty of 'home based' companies in the RFID business that I think would be a lot more appropriate sources for something as sensitive as a passport.
Intermec, for instance, holds most of the significant RFID patents and are US based. Why didn't they get the contract?

By TomZ on 8/15/2006 9:25:57 AM , Rating: 2
I don't think it is strange. The technology/security used is openly published, so I don't think there is any security threat. Not that a German company would be any problem anyway. In addition, the contract did go to an American company (a US subsidiary of Infineon), and I don't think the US government generally has any problem sourcing from overseas vendors anyway, as long as they can provide the local support required for a contract like this.

In my google searches, I did not se where Intermec actually bid on the contract. The companies that bid are system integrators, and maybe Intermec's IP is incorporated into their proposed solution. I'm just speculating on this, however.

Blending in....
By jabber on 8/15/2006 6:04:27 AM , Rating: 2
"Seriously, its not that hard for most Americans to blend in reasonably well in a crowd in most foreign locations. That is, unless they have one of these new passports. "

Wow you should try that from the home crowd's perspective. Americans are usually very easy to spot abroad.

Clues -
1. Baseball caps with 'USS Whatever' or obscure baseball teams emblazoned on them.
2. White almost knee high sports socks with flip-flops or trainers.
3. Blue chequered trousers/elasticized waists/zipper jackets
4. T-shirts/sweatshirts with "We'll never forget" with a great big eagle and stars and stripes on it.
5. Whenever they speak to you, they have an impossible urge to tell you where they are from within 10 seconds.

That's just a few easy ones to get you started, there are more. I told this to a US buddy of mine before she came over to visit the UK and she didn't believe me. However, when I took her to London she could spot pretty much every US tourist once she got her eye in. It was good fun.

You don't need a RFID tag to find them. Yes it's not hard to blend in, though most it appears, don't want to which is fair enough.

RE: Blending in....
By masher2 on 8/15/2006 9:44:02 AM , Rating: 2
> "Wow you should try that from the home crowd's perspective. Americans are usually very easy to spot abroad..."

I've lived and worked abroad for many years. An American tourist may be easy to spot-- but Americans in general are not. Even in places where you cannot ethnically pass for a local, you easily pass for a foreigner of unspecified nationality.

Tourists don't tend to visit areas that are high security risks...but there are still plenty of Americans in places like Beirut or Baghdad. They need to blend in...and they can't do it while carrying an RFID passport.

Oh boy!
By MonkeyPaw on 8/14/2006 6:37:07 PM , Rating: 2
I can't wait until each state starts issuing RFID driver's licenses (which can be optionally instituted thanks to the HLS bill). Let the constant tracking of Humans begin!

"I modded down, down, down, and the flames went higher." -- Sven Olsen
Related Articles

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
Snapchat’s New Sunglasses are a Spectacle – No Pun Intended
September 24, 2016, 9:02 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki