Fatal Flaw Weakens RFID Passports

Fatal Flaw Weakens RFID Passports
By Bruce Schneier

02:00 AM Nov. 03, 2005 PT

In 2004, when the U.S. State Department first started talking about embedding RFID chips in passports, the outcry from privacy advocates was huge. When the State Department issued its draft regulation in February, it got 2,335 comments, 98.5 percent negative. In response, the final State Department regulations, issued last week, contain two features that attempt to address security and privacy concerns. But one serious problem remains.

Before I describe the problem, some context on the surrounding controversy may be helpful. RFID chips are passive, and broadcast information to any reader that queries the chip. So critics, myself included, were worried that the new passports would reveal your identity without your consent or even your knowledge. Thieves could collect the personal data of people as they walk down a street, criminals could scan passports looking for Westerners to kidnap or rob and terrorists could rig bombs to explode only when four Americans are nearby. The police could use the chips to conduct surveillance on an individual; stores could use the technology to identify customers without their knowledge.

RFID privacy problems are larger than passports and identity cards. The RFID industry envisions these chips embedded everywhere: in the items we buy, for example. But even a chip that only contains a unique serial number could be used for surveillance. And it's easy to link the serial number with an identity -- when you buy the item using a credit card, for example -- and from then on it can identify you. Data brokers like ChoicePoint will certainly maintain databases of RFID numbers and associated people; they'd do a disservice to their stockholders if they didn't.

The State Department downplayed these risks by insisting that the RFID chips only work at short distances. In fact, last week's publication claims: "The proximity chip technology utilized in the electronic passport is designed to be read with chip readers at ports of entry only when the document is placed within inches of such readers." The issue is that they're confusing three things: the designed range at which the chip is specified to be read, the maximum range at which the chip could be read and the eavesdropping range or the maximum range the chip could be read with specialized equipment. The first is indeed inches, but the second was demonstrated earlier this year to be 69 feet. The third is significantly longer.

And remember, technology always gets better -- it never gets worse. It's simply folly to believe that these ranges won't get longer over time.

More:
Story location: http://www.wired.com/news/privacy/0,1848,69453,00.html

if they get away with this. What's next, a chip under our skin?

That is planned.

One of the crooks is an executive there. Name escapes me. but look at this: http://www.4verichip.com/verichip.htm

Is RFID Technology Easy to Foil?
"Any conductive material can shield the radio signals," said Matt Reynolds, a principal at ThingMagic, which develops RFID systems. "There are all kinds of ways to render the tags inoperable."

http://www.wired.com/news/privacy/0,1848,61264,00.html?tw=wn_story_related

Is your money tagged? Wanna microwave it?
http://www.prisonplanet.com/022904rfidtagsexplode.html

An example: Now tell me how water ice and isopropyl alcohol can just set there and get down to -62°
"One team filled a cooler with ice and isopropyl alcohol, a liquid that has an absurdly low freezing point. The result was that beer cans submerged in the soupy goo quickly cooled to minus 62 degrees Fahrenheit."

Another: This could conceivably work mountain top to mountain top with highly directional antennas and even then maybe, depending on atmospherics.
"The second record set this year at DefCon was pulled off by some teens from Cincinnati, who broke the world record they set last year by building a device capable of maintaining an unamplified, 11-megabit 802.11b wireless Internet connection over a distance of 125 miles (the network actually spanned from Utah into Nevada)"
http://blogs.washingtonpost.com/securityfix/2005/08/both_black_hat_.html