August 14, 2006 4:43 PM PDT

RFID passports arrive for Americans

A first wave of U.S. passports implanted with radio tags will soon begin making their way into the hands of American travelers despite lingering privacy and security concerns, federal officials said Monday.

Not long after researchers at a pair of security conferences in Las Vegas demonstrated potential risks associated with the new documents, the U.S. State Department insisted the documents are tamperproof and said it had begun producing them at the Colorado Passport Agency, which serves applicants from that state and the Rocky Mountain region.

The agency said it plans to issue the documents through the nation's other passport facilities within the next few months, as part of its original plan to make all future passports electronic by October. It was unclear how many e-passports would be mailed out this year, although a State Department representative said Monday that the agency expects to distribute a total of 13 million passports by year's end.

The new passports, which have been undergoing testing for several months and have already been issued to some U.S. diplomats, will be equipped with radio frequency identification (RFID) chips that can transmit personal information including the name, nationality, sex, date of birth, place of birth and digitized photograph of the passport holder. They employ a "multilayered approach" to protect privacy and reduce the possibility that passersby can skim data from the books, the agency said.

"The Department of State is confident that the new e-passport, including biometrics and other improvements, will take security and travel facilitation to a new level," the agency said in a statement.

State Department officials claim that a layer of metallic antiskimming material in the front cover and spine of the book can prevent information from being read from a distance, provided that the book is fully closed. The document will also employ a cryptographic technique called Basic Access Control, which means the RFID chip unveils its contents only after a reader successfully authenticates itself as being authorized to receive that information.

State Department spokesman Kurtis Cooper dismissed recent concerns raised by security researchers that the passports could nevertheless be "cloned"--that is, copied and used in a forged passport. The agency is confident that other security features built into the book would foil would-be imposters, he said.

The cloning technique demonstrated at the Las Vegas events is simple: It requires only a laptop equipped with a $200 RFID reader and a smart card programmer. The laptop's software scanned information from the RFID chip and wrote it to the smart card, which can then be embedded in a fake passport.

Security researchers have not, however, figured out how to alter the personal information, which is protected with a digital signature designed to enable unauthorized changes to be detected. Creating a fake passport therefore would be most useful to anyone who can forge the physical document and resembles the actual passport holder.
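The distinction drawn above, that chip data can be copied but not altered without detection, can be shown with a simplified model. This is an added example, not code from the State Department, the researchers or CNET. It assumes a toy textbook RSA key built from publicly known Mersenne primes, data-group labels DG1 and DG2 borrowed from the ICAO e-passport standard, and constructed sample data.

```python
import hashlib

# Toy textbook RSA key built from two publicly known Mersenne primes.
# Illustration only: real document-signer keys are random and kept private.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the issuer


def _digest(data_groups):
    """Hash each data group, then hash the ordered list of (name, hash)."""
    outer = hashlib.sha256()
    for name in sorted(data_groups):
        outer.update(name.encode())
        outer.update(hashlib.sha256(data_groups[name]).digest())
    return int.from_bytes(outer.digest(), "big")


def issue(data_groups):
    """Issuer side: chip contents are the data groups plus a signature."""
    return {"data": dict(data_groups), "sig": pow(_digest(data_groups), D, N)}


def verify(chip):
    """Inspection side: check the signature using only the public key (N, E)."""
    return pow(chip["sig"], E, N) == _digest(chip["data"])


def clone(chip):
    """Bit-for-bit copy of everything the chip hands to a reader."""
    return {"data": dict(chip["data"]), "sig": chip["sig"]}


def alter(chip, name, value):
    """Copy with one data group changed; the signature cannot be redone without D."""
    forged = clone(chip)
    forged["data"][name] = value
    return forged


# Constructed sample data, not a real document.
GENUINE = issue({"DG1": b"P<UTOEXAMPLE<<ALICE", "DG2": b"<photo bytes of Alice>"})


def demo():
    return {"genuine": verify(GENUINE),
            "clone": verify(clone(GENUINE)),
            "altered_photo": verify(alter(GENUINE, "DG2", b"<photo bytes of Mallory>"))}
```

The copy verifies exactly like the original, so the signature check alone cannot tell the two apart; the inspector's comparison of the signed photograph with the traveler is the control that has to catch a clone.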

"The digital photograph of the passport holder embedded in the data page and the digital signature on the data, combined with our human U.S. border inspection process, would prevent someone from using a forged passport to gain entry into the United States," Cooper said in a telephone interview.

The industry responsible for manufacturing the chips also said there wasn't much to be concerned about. "Even if someone could copy the information on your e-passport chip, it doesn't achieve anything, because all of the information is locked together in such a way that it can't be changed," Randy Vanderhoof, executive director of the Smart Card Alliance, said in a statement.

Since its inception, the idea of RFID-equipped passports has generated a great deal of ill will from privacy and security experts. By the time the State Department announced, last October, new regulations governing the documents, 98.5 percent of the 2,335 comments were negative.

The Electronic Privacy Information Center in December urged officials to drop use of the chips. Citing assessments made by the U.S. Department of Homeland Security in its own internal documents, the advocacy group argued that the process of monitoring e-passport scanners requires too much attention from border inspectors and could actually distract them from screening the travelers themselves for suspicious activity.

CNET News.com's Declan McCullagh contributed to this report.


9 comments

Oh well
Oh well, time to break out the alfoil for creating artificial Faraday cage shielding from unwanted scanners!

Whoever manufactures and sells Faraday cage style passport holders will make a fortune from 'tech savvy users' from this day forward!
Posted by heystoopid (691 comments )
RFID Already in the 20
Put a 20 dollar bill in the microwave and Jefferson's eye will burn out on every single one of them. That's because there is a tiny RFID chip in there already. Simple fact is, you people need to wake up. The government is no longer looking out for we the people. It's looking out for its deep deep pockets and will step on everyone to fill them. If you don't want to be tracked (even though you already are), just put the passport in the microwave. There is a VERY LARGE hidden message in regards to putting RFID chips in passports. I hope that the general population will take the time and do some research to find out why they are REALLY doing this. Oh wait, we are American... I forgot. That means we do nothing and expect everything. Okay, well, excuse me while I go fill my 8mpg Yukon on my way to the anti oil price rally....
Posted by Zupek (85 comments )
Passports are not "tamperproof"...
In fact, cloning the tag is simple. Simple enough that cracking the tag and data checksum info should be presumed to have already been worked out by a third party (the methods are known to a good number of developers of the system and shared with many countries). Saying otherwise is wishful thinking and downright irresponsible.

Yes, you should put your passport in a shielded sleeve (the state department has even alluded to that) lest it be cloned or used improperly to identify you or your nationality to a third party without your knowledge. The "skim coating" isn't 100% effective.

I'm not sure what the value proposition is. I don't see it making passports harder to forge, quite the contrary. Doubly so if the state department is deluded into thinking the system can't be cracked -- because that means that they aren't fully prepared for the crack when it comes.
Posted by Zymurgist (397 comments )
I'm sure terrorists will love these
Guess I'll go to jail for mutilating my passport since the first thing I'll do is microwave mine to destroy the RFID chip.

Think about how silly this is: if you want to blow up Americans, all you'll have to do is query the RFID chips until you get the right number of answers. The idea that the foil in the folder will keep the chip from being read is silly; eventually it will wear out and then voila, instant way to distinguish Americans electronically.

How stupid.
Posted by captainoverboard (4 comments )
Subject to Failure BIG TIME
Anybody who has the appropriate code to tell the passport to divulge its inner personal information will be able to divulge the inner secrets.

Not sure in the least if you ask me.

Now if it had a finger-print recognition system such that authentication is not left up to a third party, but only by the holder of the passport... now that would be another story.

And why use BAC (Basic Access Control) when AES and other PROVEN encryption methods are available?

PROVEN is the operable word here!

There are secure methods and then there are other methods... why they've chosen the other methods... nobody knows... especially things as unsecure as RFID!!!

IT WILL BACKFIRE BIG TIME!!!

Just glad my Passport was renewed prior to this security blunder!!!

Walt
Posted by wbenton (522 comments )
Hard to find working link to Infineon
Why is it so difficult to find a working link in C/net to the Infineon company? As being the selected new supplier of RFID for passports, you'd think research on Infineon would be made easier.
Posted by infojoe (2 comments )
Old passports no longer valid?
Will I be able to keep my passport or will I be issued a new one?
Posted by Caligrl1025 (2 comments )
It has been almost 3 years since the news of e-passports and the privacy risks that are imposed on the general public. Why hasn't anything been done? Yes, we have Faraday cages, our encryption that is useless because it only crypts the conversation between a reader and a chip, as opposed to the public's perception that our information can not be read; it actually only prevents your information from being altered, let's say from JavaScript... Most importantly, I feel Congress's Real ID Act and the company Infineon that makes the chips for the passports leaves it up to the public to protect themselves by offering a mere aluminum foil cover. Kind of like throwing us in a body of water without a life jacket and saying sink or swim! It isn't fair because I do love our country, I love being a human being.
I don't like feeling like a piece of meat from these companies who do not even want to research more or find an alternative technology that beats RFID chips. Security and RFID do not mix. We need LAT or Look Aside Technology that is a nonhierarchical approach. Is it right the safety of consumers is a political issue? Why must politics interfere with everything....moeww.
Posted by moewme (1 comment )