September 19, 2017

Radio Passports: Bad Idea

An AP story nicely summarizes the controversy over the U.S. government’s plan to add RFID chips to U.S. passports, starting in 2005.

The chips will allow the passport holder’s name, date of birth, passport issuance information, and photograph to be read by radio. Opponents claim that the information will be readable at distances up to thirty feet (about nine meters). This raises privacy concerns about government monitoring, for example of attendance at political rallies, and about private monitoring, especially overseas.

I would certainly feel less safe in certain places if I knew that anybody there could remotely identify me as a U.S. citizen. I would feel even less safe knowing that anybody could get my name and look me up in a database or Google me.

A U.S. government representative says that there is “little risk” to privacy “since we plan to store only currently collected data with a facial image.” In other words, they’re going to take information currently available only to people to whom I hand my passport, plus some extra information, and make it available to everybody who comes near me. Gee, that makes me feel much better.

There is some discussion of encrypting the information, or requiring the passport holder to enter a PIN to unlock the information. Either of these is some help, but unless the system is designed very carefully, it could still allow dangerous leakage of information.
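
One way such leakage can arise even with encryption, shown as an added example that is not part of the original post: if the chip returns the same encrypted bytes on every read, those bytes work as a stable identifier for anyone who cannot decrypt them. The cipher below is a toy HMAC-based stand-in, and the key, record and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: placeholder key and record, not real values.
ISSUER_KEY = bytes(range(32))
RECORD = b"DOE<<JANE|1970-01-01|USA|P0000000"
NONCE_LEN = 16

def _keystream(key, nonce, n):
    """Toy HMAC-SHA256 counter keystream; a stand-in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, nonce, plaintext):
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

class StaticTag:
    """Record encrypted once at issuance; every read returns the same bytes."""
    def __init__(self, key, record):
        self._blob = encrypt(key, bytes(NONCE_LEN), record)
    def read(self):
        return self._blob

class FreshNonceTag:
    """Re-encrypts under a new random nonce per read (assumes on-chip computation)."""
    def __init__(self, key, record):
        self._key, self._record = key, record
    def read(self):
        return encrypt(self._key, secrets.token_bytes(NONCE_LEN), self._record)

def sightings_linked(tag, reads=5):
    """True if someone without the key sees identical bytes on every read."""
    return len({tag.read() for _ in range(reads)}) == 1

if __name__ == "__main__":
    for tag in (StaticTag(ISSUER_KEY, RECORD), FreshNonceTag(ISSUER_KEY, RECORD)):
        assert decrypt(ISSUER_KEY, tag.read()) == RECORD  # authorized reader still works
        print(type(tag).__name__, "linkable without key:", sightings_linked(tag))
```

Fresh randomization removes only this one leak: either tag still answers whenever it is probed, so its presence and its response length remain observable.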

What I don’t understand is why passports should ever be readable at a distance. Passports should reveal their information only to people or devices that can make physical contact with the inside of the passport. Certainly that’s enough for the immigration agent at the airport, or for any official who asks to inspect the passport. If the officials are doing their jobs, they’ll want to see the physical passport and hold it in their hands anyway.

Oddly, the government’s response to concerns about remote passport reading is to try to limit when the passport can be read remotely. They propose storing the passport in a conductive plastic bag that blocks radio signals, or building a conductive screen into the passport’s covers so that it can be read remotely only when the passport is opened. Either approach adds unnecessary risk – the passport might be read by somebody else when it’s opened.

The right solution, which opponents should advocate, is to remove radio tags from passports altogether, and replace them with contact-readable electronic information.

Comments

  1. Max Kington says:

    As suggested by a colleague of mine, I’ve just registered, http://www.wiremeshbags-for-broadcasting-passports.biz,

  2. I assume that the argument for remotely readable passports is exactly the same as the argument for RFID tags on supermarket merchandise: customs and immigration people hope eventually to be able to herd people past readers and pull over only the few they want to talk to further, letting the rest through without so much as a passport swipe. Off the top of my head, I don’t see why such a system can’t be made quite secure and private, with the right technology. Whether it will be made secure and private, of course, is another matter.

  3. How long before some enterprising terrorist creates bombs or guns automatically triggered by RFID devices?

    I guess if USA uses its political clout to force this on other nations too (just like with biometrics) then it gets a tinsy bit more difficult to select targets. Although in many areas, the terrorists might just assume anyone carrying a passport is a western tourist…

  4. John Marquiss says:

    Dan, the problem with remotely readable passports is the fact that it is very, very hard if not impossible to prevent some form of information leakage or tracking and forging exploits.

    The card can be probed without my consent, even if the data can not be read.

    Even if it was protected by a metallic bag or cover there is still a risk of leakage. The cover could be damaged in a way that is not easily detected yet renders the cover ineffective.

    When I remove it from its pouch or open it there is no way to allow only the intended person to read it, anyone in the area with the necessary device could read it at that moment as well.

    The fact that you can get a signal that you may or may not be able to read automatically puts me in the group of countries that have remotely readable passports.

    The characteristics of the signal and formatting of the message narrows down the list even more.

    Any clear information used to identify an issuer in order to find a decryption key provides at the very least, the issuing country and possibly more specific information.

    Even if an encryption method can be found that does not require any clear information for key selection that string of encrypted data still uniquely identifies me. Unless close inspection, or some feature directly supplied by me (fingerprint, pin, passcode, encryption key, what-not) is paired with the signal, by forging the signal exactly you could be me. If close inspection is required why not just read the card directly to avoid the other problems mentioned?

    Again, since the encrypted data uniquely identifies me, even though you can not read it you can still use it as a key for a database you build on your own linking data you collect from direct observation to that key. Then you can track me just by remotely following that key.

    That is just a quick list of remotely readable identification that I can come up with off the top of my head.

  5. For what it’s worth (not much) an aluminized chip bag (e.g., Fritos from a snack machine) is effective at blocking operation of a proximity badge, and blocking calls to a cell phone. An anti-static memory chip bag failed these tests.

  6. John Marquiss says:

    Thought I would add another possible attack because this one is rather interesting in the fact that it is an exploit of the behavioral aspects of holding an electronic passport. Without any detection or reading devices it is possible to observe that someone is from a country using remotely readable chips in their passport.

    For those of you familiar with E-Z Pass or I-Pass or other such electronic toll systems you know that someone has an electronic toll tag just by observing the fact that they used an electronic toll lane without needing the ability to read their tag. Similarly, by watching people at points of entry for distinctive behavior tied to the use of an electronic passport it is possible to determine that they hold this type of passport and could mark them as a target for someone looking to exploit this group of people.

    Some of the behavioral clues could be:

    Use of a special queue

    Not providing the passport for inspection while at the counter

    Providing unique identifiers at the counter not normally used with traditional passports

    Different behavior by the agents, consulting a computer terminal more frequently or at different times than with traditional passport holders etc.

  7. John, as far as I know, there is nothing inherent in RFID technology that precludes passports that only respond to digitally signed challenges from authorized readers, sending public-key encrypted data that can only be decrypted by the authorized reader. I believe other privacy concerns could similarly be taken care of by applying a few extra design tricks. Of course, the resulting system would need more than your standard RFID tag–but then, a passport is more than your standard supermarket item, and hence its RFID tags presumably don’t need to be quite as simple and cheap.

    As for the issue of people recognizing that you’re using the “RFID passport lane”–well, that would likely be true of electronic vs. paper passports, as well. In fact, anyone entering the US today via a major airport has to reveal whether or not they’re a US citizen. (Then again, you reveal a lot of bits of information about yourself merely by showing your face in public.)

    Again, whether a secure, privacy-preserving RFID passport system can be implemented is a different question from whether such a system will be the one chosen, if RFID passports become a reality. I’m just pointing out that “remotely readable” is not synonymous with “privacy-decimating”.

  8. Nate Lawson says:

    There is no way for this to be secure against “remoting” man-in-the-middle attacks. In this case, someone stands next to you with a transceiver and a cohort walks through customs with a fake passport. When the reader sends a challenge to the attacker’s cohort, his equipment forwards it on to your passport (miles away). Responses follow the reverse path.

    No crypto can protect against this and all RF systems are vulnerable. Distance restrictions for the reader mean nothing since it’s the _attacker’s_ transmitting power that matters.

  9. Nate: I’m assuming that (1) passport holders would be able to–and normally would–leave the remote responsiveness feature of their passports disabled, except when passing through checkpoints, and (2) detectors would be used to sniff out attempts to probe passports in the vicinity of checkpoints, where passports are likely to be enabled for remote response.

    There’s still the possibility that a passport holder could voluntarily enable his or her passport far away from a checkpoint, allowing an intruder who physically resembles him or her to pass through using a relay. But it would probably be easier and safer–for “cover story” purposes–for such a collaborator simply to hand the passport to the intruder, and later report it stolen.

  10. With the increasing violence abroad towards US citizens, having a remote readable RFID is an invitation to robbery, kidnapping and murder. It will also allow perfect state sponsored tracking of US passport holders. Any country a US citizen enters will be able to reference your passport’s RFID with your name, even if they are not in on the program. As for encryption and challenge response systems, those won’t prevent the unique signature of a US citizen from being detected, even if the person isn’t uniquely identifiable.

    As for the proposal to put foil in the outside of the passport so the passport could only be read when open, that would probably only reduce the signal and not eliminate it. Also, foil in a passport would mean that you couldn’t pass through a metal detector with your passport, causing havoc at security checkpoints and an opportunity for bad actors to steal passports.

    RFID=Really Friggin Insane Design

  11. Scott Turner says:

    In this discussion it is important to note that RFID chips are passive devices, they contain data with the purpose of transmitting it when activated. There is no on/off switch. The chip is inert until an external EM source excites the chip to emit a short duration low energy radio frequency (RF) signal that any RF receiver in the proximity of the RFID chip can record.

    In this case, the passport holder has no control over when or even any notification of the information in their passport being read. Anyone with even a basic understanding of the technology could exploit it to, at the very least, identify a given group of passport holders in public. Not a very comforting proposition for US travelers in countries where kidnapping and/or terrorism is a significant risk.

  12. John Marquiss says:

    Also because RFIDs are passive they can’t, to the best of my knowledge, store dynamic information or perform computation.

    As such even if they only responded to a coded signal from an authorized reader they are highly susceptible to replay attacks. I only have to listen to the signal broadcast by an authorized reader and then repeat it later to probe the passport.

  13. In my experience, RFID tags are never off; they’re constantly transmitting data. Even out here, in the middle of nowhere, with no cell tower coverage, they’re always on. 🙁

  14. My understanding is that the limitations described above are characteristic only of inexpensive low-end RFID devices, and that there’s nothing inherent in the technology that precludes more sophisticated (and obviously more expensive) features, including computation, data retention, selective activation, and so on.

    The standards that are being developed these days do not include such features, but these standards (again, as I understand it) are geared towards the expected first and largest-scale application of RFID tags–inventory control for general merchandise–and have therefore been developed with low cost and simple functionality, rather than privacy and security, in mind.

  15. David Locke says:

    There are two types of RFID systems. Passive and active. The active ones can actually stop broadcasting when switched off. Most of the RFID systems used in clothing and such are passive.

    Their use in clothing gave rise to the privacy issue and has slowed down adoption of the technology. Encryption is proposed, but it is still experimental.

    The problem with encryption is that it cannot work unless it is coupled with physical security of the item involved. You cannot encrypt known content, so header data

  16. David Locke says:

    Sorry about the inadvertent posting of the previous message. I’m continuing it below.

    You cannot encrypt known content like header data if you expect your keys to remain secret. You also cannot provide an encrypted message to anyone and expect it to remain encrypted. In the passport application, I could ask you your name and then use your answer to crack your encryption.

    The NSA used to use supercomputers to crack the codes of foreign governments. They could go at it by analysing the content or by brute force. A few years ago 256 DES was cracked by a community of hackers who partitioned the solution space and went at it with the brute force approach. It took a little over two weeks to crack the message.

    Imagine how long a passport, a highly structured document, would last today with 64-bit multiprocessors in a socially partitioned solution space. Not very long even with stronger encryption methods.

    In the clothing application, all you would have to do is go buy the article and scan it. The fact that the size and style info was encrypted just means that you would look for the same encrypted signal and associate it with the appropriate item, which would then reveal the size and style.

    If one was having an affair, it would be far easier to see if someone was dressed the same before and after even without size and style info just by comparing the encrypted signals before and after. You wouldn’t have to know what the encrypted signals meant. Being different would be telling enough.

    So encryption is overblown as a solution. Encryption is successful when used for short-term tactical security. It has never worked strategically or over long periods of time.

    The reason we change our passwords quarterly or more frequently is that it keeps encryption, authentication, and verification tied to short-term tactical solutions where the technology actually works. As computers get even faster and more parallel, and our networks allow even more social participation, we will have to change our keys more frequently.

  17. David Locke says:

    Passive RFID isn’t a chip. It’s two pieces of paper that have a foil antenna sandwiched between them. The shape of the foil modifies the externally provided microwave signal, so that the signal when read carries a numeric key, which is all that is needed.

    Borders and B&N both use passive RFID tags in their books. Some of those tags fall out. Those RFID tags are read at the door sensors and compared with purchase data. Inventory status is tied to the tag, and is immediately updated. So use Book Sleuth before and after to see what happens. It’s unclear to me whether register data is marking the inventory record as sold, or if the door readers do it. The register data is the more likely source, but it is updated rapidly enough that the transaction is complete by the time you reach the door.

  18. Uncle Sam says:

    This is all very complicated – US Citizens could be “chipped” at birth – then they can be scanned by a reader at customs. We do it to our dogs here – it is practically painless and saves on carrying a bulky passport.
    But seriously – identity theft crimes are somewhat more scary than being noted by some “people” as a possible terrorist insurgent – your credit card reveals all to those watching. Something that imposes on your human right to privacy should be a choice not an arbitrary decision by a Government Department.