August 24, 2016


Why Use Remotely-Readable Passports?

Yesterday at CFP, I saw an interesting panel on the proposed radio-enabled passports. Frank Moss, a State Department employee and accomplished career diplomat, is the U.S. government’s point man on this issue. He had the guts to show up at CFP and face a mostly hostile audience. He clearly believes that he and the government made the right decision, but I’m not convinced.

The new passports, if adopted, will contain a chip that stores everything on the passport’s information page: name, date and place of birth, and digitized photo. This information will be readable by a radio protocol. Many people worry that bad guys will detect and read passports surreptitiously, as people walk down the street.

Mr. Moss said repeatedly that the chip can only be read at a distance of 10 centimeters (four inches, for the metric-impaired), making surreptitious reading unlikely. Later in the panel, Barry Steinhardt of the ACLU did a live demo in which he read information off the proposed radio-chip at a distance of about one meter, using a reader device about the size of a (closed) laptop. I have no doubt that this distance could be increased by engineering the reader more aggressively.

There was lots of back-and-forth about partial safeguards that might be added, such as building some kind of foil or wires into the passport cover so that the chip could only be read when the passport was open. Such steps do reduce the vulnerability of using remotely-readable passports, but they don’t reduce it to zero.

In the Q&A session, I asked Mr. Moss directly why the decision was made to use a remotely readable chip rather than one that can only be read by physical contact. Technically, this decision is nearly indefensible, unless one wants to be able to read passports without notifying their owners – which, officially at least, is not a goal of the U.S. government’s program. Mr. Moss gave a pretty weak answer, which amounted to an assertion that it would have been too difficult to agree on a standard for contact-based reading of passports. This wasn’t very convincing, since the smart-card standard could be applied to passports nearly as-is – the only change necessary would be to specify exactly where on the passport the smart-card contacts would be. The standardization and security problems associated with contactless cards seem to be much more serious.

After the panel, I discussed this issue with Kenn Cukier of The Economist, who has followed the development of this technology for a while and has a good perspective on how we reached the current state. It seems that the decision to use contactless technology was made without fully understanding its consequences, relying on technical assurances from people who had products to sell. Now that the problems with that decision have become obvious, it’s late in the process and would be expensive and embarrassing to back out. In short, this looks like another flawed technology procurement program.

Comments

  1. The biggest flaw might be inviting public comment too late in the process. In this Internet-connected world, even governments have to learn that most of the experts on every single topic are outside of their organization.

  2. I would suspect that that’s the very reason *why* they only invite public comment now.

    We don’t want the public to mess up our plans, do we?

    The world’s democracy (that was never really good) is in a very sad state.

  3. Ryan Frederick says:

    I am looking into getting a passport, and as I understand it, the passport application is sent to the central office and the passport is mailed to me. Here is my big concern: when is the RFID chip activated? When it gets into my hands, or is it readable while it traverses our mail system? I see this as a huge problem when anybody with a reader can scan a postal truck for passports and take what they want, thus sacrificing any hope you had that the technology was safe. How is this issue addressed?

  4. Cypherpunk says:

    I am baffled by suggestions that contact-based passports would be superior. Isn’t it obvious why that idea won’t work?

    Passports are exposed to a rough and tumble environment. They are typically carried in purses, backpacks and luggage. Any device relying on physical contacts is going to be exposed to dirt and moisture, not to mention electrostatic discharge. It will be very difficult to design a system that can reliably read physical contacts off something like a passport.

    RFIDs are completely self-contained and sealed. They don’t need any electrical entry points and will be immune to environmental hazards, static discharges, and other problems a contact-based system will suffer.

    RFIDs are a vastly better solution and perfectly appropriate for this task. Contact-based systems are non-starters. This should be obvious.

    And BTW about this distant-reading demo from the ACLU: do we know that this was really the right kind of chip? There are two kinds of RFIDs in use, the WalMart type which can be read from several feet away, and these (which the government prefers to call contactless chips) which are designed to be read from only a few inches. How reliably do we know that Steinhardt had the right kind of chip? Was it really an e-passport or just some chip he showed up with?

    Signal strength with these devices goes as the inverse fourth power of distance (because they are passive). If they are designed for 10 cm and he is at 1 m, that means that he would have needed an amplification factor of 10,000. It just doesn’t seem plausible to me that a 1 square foot antenna could do that. And suggestions that the range could be further increased should bear in mind that fourth power ratio. It’s very, very difficult to increase the range significantly.

  5. Anonymous says:

    I predict a booming business in mylar passport-holder bags.

  6. Detection distances have routinely been extended by modifying RF equipment (i.e. Tinkering!) Take Bluetooth for one. Public perception was that it can only go about 10 meters (30 feet). Some equipment is specified for 100 meters. Yet we showed that Bluetooth can be detected and attacked at a distance of over 1 mile (about 5300 feet). I’m sure some of the same techniques like a powerful transmitter and sensitive receiver could be used on RFID technology to scan a “contactless chip” from a greater distance than originally anticipated. Think outside the box, people.

  7. PseudoLogic says:

    I did not realize the illustrious Frank Moss was amongst us. Welcome Sir!
    I just don’t know why the handle “Cypherpunk” was necessary.

  8. Cypherpunk, you’re obviously not familiar with smart cards, which is what the article refers to. They have to put up with the same rough environment and do so quite well, better than magstripe.

    Here is more info on the durability of smart cards:
    http://www.cs.uct.ac.za/Research/DNA/SOCS/rchap4.html

  9. The assumption that the signal strength will drop in an inverse fourth relationship is only accurate if one also assumes that both the transmitter and receiver are omni-directional. I’m no radio-antenna engineer, but even my trivial research into extending my 802.11 wireless network demonstrates that the biggest benefit comes in changing the signal from omni-directional to a point-to-point signal. With just such a change, signal range can be multiplied significantly with no increase in transmission power necessary.

    I have to agree that state-of-the-art SmartCard technology has to contend with all of the environmental factors mentioned on a regular basis and, *amazingly*, shows an astounding adoption rate.

  10. That mylar bag should be aluminized (I assume that is what you meant). Should work. A typical “anti-static” bag such as computer cards come in will probably work. No doubt Gucci will have one on the market without delay.

  11. dr2chase says:

    Regarding bags that block radio signals: we (me and a colleague who shall remain nameless) tested this with our building access cards and our cell phones. An anti-static bag for computer chips was demonstrated to NOT block the signals. However, an (aluminized) anti-moisture bag for corn chips (specifically, Fritos) successfully deactivated both my cell phone (GSM) and my access card, even pressed directly against the reader.

    It is a small help to know that effective RF shielding is available in many snack vending machines, and that the shield itself is a mundane enough item that it will not attract attention.

  12. dr2chase:
    Thanks for adding the results of your test. I wasn’t sure the conductivity of the anti-static bag was good enough, though I was quite sure the aluminized bag would do the trick. Gucci take note.

  13. Sounds like it’s time to microwave your passport. Even if you could scan these RFID chips at not more than 10cm, a scanner either side of a toilet cubicle at an airport would probably be sufficient to collect a large number of ids in only a few hours.

  14. An insider says:

    Contactless chips use near field inductive coupling to derive power from a reader. The near field/far field boundary dictates the maximum distance that a contactless chip can be inductively powered (approx 1m). Any conductive plane surrounding an antenna will absorb an inductive powering field, so a foil lined passport holder would block any attempt at covert reading. The real concern is when data is read legitimately from a reader (e.g. at passport control): there will be fortuitous far field emanations that can be detected at several hundred metres. You wouldn’t want that data to be unencrypted.

  15. I’m not sure why this question about remote reading is controversial. As a non-engineer, I guess it seems like a fairly straightforward empirical question. Being somewhat risk averse, I look at stuff done by Westhues, or Avi Rubin, et al. and I’m sufficiently convinced that contactless is a dangerous way to go.

  16. “You wouldn’t want that data to be unencrypted”

    RFID is passive, so the information would need to be stored in an encrypted state (no SSL style calculations and a unique private key stored only on the card that would be possible with a smart card). However, the key to decrypt is going to need to be in every passport reader around the world, or that stored information will be useless.

    Keeping that key private for any length of time is going to be impossible (stolen passport reader, corrupt official in any number of countries that have one of the passport readers). Once that key is cracked or stolen, you can’t change the key, because that would require re-issuing everyone’s passports and updating the official readers around the world. You could conceivably use the new key for all new passports, but that is hardly much of a help.

    I doubt that encrypting the information is going to be all that helpful long term.

  17. Did anyone ask what would happen at re-entry if, say, the chip was exposed (accidentally, of course) to a high-power RF field and was damaged?
    Would the holder be allowed through, or subjected to a full cavity body search, arrested and denied entry?

  18. Cypherpunk,

    I assume that the contacts would be inside the cover of the passport, and so would be less subject to wear and environmental factors than smartcard contacts are.

    Steinhardt said, before doing his demo and again to me afterward, that the contactless chip he used in the demo was exactly the one specified in the proposed passport standard.

  19. I do not understand why we need to change the passport at all.

    Current passports already have a bar code which is already being read when you enter the US, and other countries.

    Presumably this barcode contains your passport number. This is all the US Government needs to get all of the info on your passport.

    I’m only guessing, but this passport number must be a key field in a database table somewhere that has all of this information stored.

    Am I missing something here?

  20. Cypherpunk says:

    Okay, so the contacts are inside the cover. How are they to be, well, contacted? Would there be a handheld wand that has to be positioned and pressed against the contacts? That sounds difficult and slow to me. Or would there be a slot that you would slide the cover into, holding the pages out of the way, like a smart card reader? That too would be awkward and clumsy, manipulating the book and pages in that way, not to mention issues of cover stiffness and cleanliness.

    A passport is a book. It is not like a smart card that can be engineered with a simple rectangular form factor, made of hard plastic and pressed into a spring loaded slot. RFIDs are far more versatile and can fit into any form factor passport while being immune to environmental damage.

    Ed Felten’s speculation that the real reason for this design is surreptitious reading by governments is completely unfounded and built on the assumption that RFIDs are a poor engineering solution to the problem. To me it is obvious that contactless is going to be far more reliable and fast than any contact based system.

    Even the otherwise critical analysis of e-passports at http://eprint.iacr.org/2005/095 agreed, “Our supposition is that ICAO guidelines favor RFID chips over contact chips because wireless data transmission causes less wear and tear than physical contact.” I am baffled why other people continue to deny this obvious truth.

  21. scarhill says:

    Cypherpunk wrote:
    Ed Felten’s speculation that the real reason for this design is surreptitious reading by governments is completely unfounded and built on the assumption that RFIDs are a poor engineering solution to the problem.

    Did you RTFA? The last sentence sums it up rather well, “In short, this looks like another flawed technology procurement program.” Nothing there about surreptitious reading. Why attribute to malice what can be explained by stupidity?

    I’m not a smartcard expert, but they are being used for mass transit payment (see http://www.oystercard.com/). Are you seriously arguing that passports are a more demanding environment than that?

    Jim

  22. This is all crazy. I heard a story on NPR about this, in which a guy had a great idea: how about we just use 2D barcodes? They won’t degrade, they can store a ton of information, and closing your passport really does make them impossible to read. You could even print them in special ink to obscure them a little (e.g. protect them from pocket cameras and whatnot). Anything made of metal is just asking for trouble.

    Apparently they are going to give these to diplomats first, to try them out. I think that’s great — hopefully the vulnerabilities will become apparent once some ambitious folks (e.g. the Bluetooth guys) take a whack at them. I only hope that those issues don’t become apparent in a way that puts someone in actual danger.

  23. Cypherpunk says:

    Jim, I did read the FA, where Felten wrote, “Technically, this decision is nearly indefensible, unless one wants to be able to read passports without notifying their owners — which, officially at least, is not a goal of the U.S. government’s program.” I characterized this as speculation that the government’s purpose was to allow surreptitious reading, which I think is an entirely fair and accurate interpretation of the comment.

    As far as the Oyster card, the web site asks us to look after our card:

    – Do keep your card safe at all times.

    – Do keep the card in its protective wallet.

    – Don’t touch more than one smartcard on the reader at any one time.

    – Don’t bend, scratch or write on your Oyster card.

    – Don’t hold your Oyster card next to coins, studs, zippers, mobile phones, PDAs, digital diaries or pagers when using it.

    – Don’t keep your Oyster card in your back pocket – it may get damaged if you sit on it.

    It doesn’t sound particularly robust to me.

  24. Prof. Felten’s post doesn’t mention this, but the 2D barcode idea above was also mentioned by one of the panelists. Seems like a pretty efficient system to me.

    The government guy claimed that the chips would only be used to store the same data as is currently on the front page of your passport. However, at another panel, someone described the plan for the new French national id card. It sounded like some kind of smartcard system and it’s supposed to contain 2 fingerprints in addition to the other card data.

  25. I am not an engineer or an expert on passports, but it seems that the rationale for using a barcode is to provide convenience in recording the fact that a passport has passed through a control point. Since a barcode is so easily reproduced, can a barcode actually do anything to enhance security, that is to say the validity of a passport? Isn’t the same true of RFID? Stored digital information can be infinitely replicated. If encryption is intended to secure RFID information, then surely encryption standards must be a nightmare for uniform and widespread utility of this technology. It seems that RFID can provide little meaningful passport validation and serves also only as a convenient means of monitoring passport usage.

  26. On the rationale for RFID: it will make reading the passport less effort (whether the wearer gets to know or not…), so maybe the plan is to read it *much* more often?

  27. “Sounds like it’s time to microwave your passport.”

    This is specifically forbidden by the proposed regulations:

    “The proposed rule … would include a damaged electronic chip as an additional basis for possible invalidation of a passport…. Under the proposed rule, a passport that contains a damaged, defective, or otherwise nonfunctioning electronic chip … may be invalidated by the Department of State…. If the damage were caused deliberately, the passport would be invalidated upon discovery.”

    This is only one of many contradictions in Moss’s claims. For example, his sample RFID passports don’t comply with the ICAO standard that is supposed to be their rationale.