Passport 'Smart' Chips Generate Security Concerns

Jan 15, 2008 3:53 PM

In a video on YouTube, an explosion in a trashcan, which appears to be wirelessly triggered by a passport equipped with a computer chip, blows away a dummy.

Two caveats: That's not a real passport, and even Kevin Mahaffey, the Los Angeles security consultant who made the video, calls it "a far-out scenario."

It is unlikely that terrorists or others could steal your identity or attack you through the new computer chips in U.S. passports, many experts say. But that hasn't stopped the rumors from ricocheting around the Internet according to reports from The Baltimore Sun.

Sorting fact from fiction is tough when it comes to the "smart" chips, which are tiny integrated circuits that are being embedded in U.S. passports. They're part of efforts to improve border security that, starting Jan. 31, will also tighten document requirements for traveling from Canada to the United States.

The chips use radio frequency identification, or RFID, a wireless technology with various applications. A chip on a passport stores a person's name, gender, birth date and place; passport number, its issue and expiration dates; and a digital version of an ID photo. The chip broadcasts this data when its antenna is activated by signals from a government reader at a border crossing.

The security of this broadcast is the crux of the debate. The State Department says the chip's range is about 4 inches and that it cannot be read when the passport book is fully closed.

But with the right equipment, early critics say, people several feet away or farther could secretly access the data and use it to identify Americans, track their movements and steal their personal information. The chip could also be copied or altered to make phony passports, some say.

Responding to concerns, the State Department a number of added security features.

* To block radio signals, it put metallic material in the passport's front cover and spine.

* To thwart eavesdropping, it placed a cryptographic key on the printed data page that must be read by an optical scanner to unlock the chip's data. (Officials note that Social Security number and address are not on the chip.)

* To prevent tracking, it installed a "randomized unique identification" system that presents a different ID to a reader each time the chip is accessed.

* To counter fraud, it installed a digital signature that flags chips that have been altered.

These measures have at least partly mollified some critics, including Ari Juels, chief scientist and director of RSA Laboratories, Bedford, Mass., who analyzed earlier versions of the embedded-chip passport and found them wanting.

"At the moment, the security protections in U.S. passports are pretty good," Juels told The Baltimore Sun.

But Juels said RFID technology is potentially vulnerable. And other experts say they found flaws. The unconvinced critics include Mahaffey, a co-founder of Flexilis Inc., the mobile security company that made the video of the exploding trashcan.

If your passport book falls open by even half an inch, Mahaffey says, a nearby person could wirelessly detect that you are an American and, conceivably, trigger a bomb as you pass by -- although the likelihood of the latter is "very low," he concedes. (The State Department disputed the validity of his video.)

In the end, given the new technology and its complexity, it's impossible to know whether the RFID chip is 100 percent safe, experts say according to The Baltimore Sun.

"We know that there are counterfeiters out there," says Michael Holly, chief of the international-affairs staff in the passport-services directorate of the State Department. "I don't think anyone will say ... the document is foolproof."

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue