October 22, 2004

RFID tags in US Passports

Generally, I do not have a problem with RFID tags - the claims that these can be read remotely are laughable to anyone with a basic knowledge of electronics. You need to be within a foot or so and other tags cannot be near (they use the same power frequency and re-transmit their data on the same data frequency -- two RFID chips within range of the transceiver would jam each other).

McArtuhur at The Misanthropist links to an article at Schneier on Security which outlines a very good security concern. I will take exception to one point though and mention something else:

bq. "...These chips are like smart cards, but they can be read from a distance. A receiving device can "talk" to the chip remotely, without any need for physical contact, and get whatever information is on it. Passport officials envision being able to download the information on the chip simply by bringing it within a few centimeters of an electronic reader.

bq. Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that travelers carrying around RFID passports are broadcasting their identity.

bq. Think about what that means for a minute. It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily--and surreptitiously--pick Americans or nationals of other participating countries out of a crowd.

bq. It is a clear threat to both privacy and personal safety, and quite simply, that is why it is bad idea. Proponents of the system claim that the chips can be read only from within a distance of a few centimeters, so there is no potential for abuse. This is a spectacularly naïve claim. All wireless protocols can work at much longer ranges than specified. In tests, RFID chips have been read by receivers 20 meters away. Improvements in technology are inevitable..."

First, a bit about RFID technology. There is no power source in the chip itself. It has what amounts to a simple crystal set tuned to one frequency and it receives this radio frequency (the "RF" in RFID), converts it to electricity and uses that to power the other side of the RFID chip. The "ID" side of the chip uses the small amount of juice to send a weak signal. It is transmitted in the radio frequency domain but consists of binary data -- an identification or ID.

I could certainly dummy up something very easily and cheaply to get a valid signal from an RFID chip that was 20 meters away -- as long as no other chip was closer and I would have to use a large (meter long) antenna or flood the area with a _lot_ of RF energy. The trope that technology is getting better ignores the fact that the RFID chip _has_ to get enough received power to function and this requires a large antenna (focused on the chip in question) or a huge unidirectional broadcast of RF energy (and only able to receive the data from one RFID chip).

The point I take exception to is that very little data is stored on the chip. What is usually the case is that the chip has a unique 'number' stored on it and that number becomes a new identity number. The link to your personal data happens when this one number is entered into the agency's computer database and that number is used to call up your file. More data equals more power and we are dealing with a small and thin source here.

The idea of someone 'cruising the airport', scanning people's passports and 'getting their identity' is bogus unless they already had a link into the immigration computer, in which case they would not need to hack the RFID chip at all; they could do this from the safety of their desktops and not bother lurking in airports with large Yagi antennas and strange boxes attached to car batteries...

Posted by DaveH at October 22, 2004 9:42 PM