Daily Archives: August 4, 2006


More wasted security money

The US government has decreed that starting later this year all new passports issued shall be equipped with an RFID chip. The premise is that the information in the passport would be electronically stored on the RFID chip, thus making it more difficult to create bogus passports. There is some major flaws with this idea. An RFID chip can be read without actually making contact with it. That’s becasue the RF stands for radio frequency. Most of these chips are passive so they don’t require power, so they aren’t transmitting. But a reader with enough power can detect the data on the chip from a distance. So someone sitting in an airport with a reader could sniff the data from the passport of every traveler walking past them and they would never know it. This might not be such a problem if the data on the chips was at least encrypted. However, the standard for passport RFID chips doesn’t require encryption. That means everything stored on the chip is in plain text.

This week at the Black Hat computer security conference a German security consultant Lukas Grunwald, is demonstrating how an RFID passport can be cloned in a matter of minutes. He will show how an RFID passport can be read, the data extracted and copied to a new blank passport with relatively little effort or cost. The data can also be copied to a smart card like that used by many companies for security. So not only is the RFID passport not helpful it may actually be counter-productive to security. How much do you want to bet a friend of Shrub has a big investment in the RFID business? I would say it is a safe bet that friends of Bush will profit handsomely from this whole e-passport fiasco, while the taxpayers will pay handsomely.