Disabling the RFID in the New U.S. Passports

slashchuck writes "Along with the usual Jargonwatch and Wired/Tired articles, the January issue of Wired offers a drastic method for taking care of that RFID chip in your passport. They say it's legal ... if a bit blunt. From the article: 'The best approach? Hammer time. Hitting the chip with a blunt, hard object should disable it. A nonworking RFID doesn't invalidate the passport, so you can still use it.' "

Tinfoil Passport Cover?

[ToteAdler]

Is it possible to make a passport cover that will block the signal when it's in the cover but USC&I can still use thier RFID thing when you take it out?

Re:Great idea!

[ScrewMaster]

Well, it remains to be seen just how reliable (or otherwise) these things are ... my feeling is that there's going to be a substantial failure rate. It's one thing to require RFID to speed the process of verifying an identity or to make it nominally more accurate. However, if you invalidate a passport because of a malfunctioning chip you're going to have BIG problems. People sit on things, they flex them, they drop things on them, they otherwise break them. It's what people do, whether they mean to or not.

Let's face it, you're gonna see a certain percentage of RFID passports that just don't work, for whatever reason. What do you do? Lock those people up? No, you just treat the passport like a traditional non-RFID-equipped passport. Well, if you're a properly-trained security person maybe you actually look at the traveler and make sure the picture matches. Maybe you do your job, because if the RFID isn't working you can't just doze through the interview and let the machine do the work. You should be on your toes anyway, because the one time you aren't is when the technology will let you down. And they (yes, they) know that.

And you can bet your boots that any (ahem!) undesirables will have properly-functioning RFIDs anyway. As always, it's us ordinary folk that will get busted for not dotting our I's and crossing our T's (not that most of us have any way to test the goddamn things anyway, except by trying to travel somewhere and seeing what happens.)

Personally, I think the Feds ought to focus more on people skills (i.e., well-trained, well-paid security forces with an effective organization to back them) and less on failure-prone, unproven technology.

Re:Lots of F.U.D. spread around

[eglamkowski]

Why do you have to be canadian to safely say the US government is stupid? I'm an US citizen and I'll say: my government is stupid. And insane. It hasn't given a damn about the constitution in what, 150 years at least? It's been all downhill since :-p

But not to worry, we're rapidly approaching the point where Our Robed Masters (i.e. the courts) will run the whole show anyways, so pretty soon it just won't matter who sits in Congress or the Oval Office. For some things they already do have the power, they just haven't been able to seize all the power for everything. Yet. But they're working on it!

Re:They do NOT say it's legal

[ScrewMaster]

That's not the question. I don't think our Federal Government is as much concerned about "proving" things as it should be, not anymore. The real question is: what is the penalty for being accused of tampering with your passport.

I would think that "tampering" would be more along the lines of "falsification". Destroying the RFID is really more defacement than tampering. At worst that would make the tag useless, at best make it more secure, and only means the passport works the way passports have always worked, requiring visual identification. It doesn't give the holder a different ID or allow him to do anything he otherwise could not.

Anybody got an RFID detector?

[mmurphy000]

Does anyone make a handheld RFID detector? Not something to read the tags, but just to note their presence, kinda like the rudimentary keychain WiFi detectors? I'd love to have something that I can use at home to find these little buggers as they start invading everything, so I can choose which to keep, which to somehow enclose (e.g., passport), and which to hammer into oblivion.

For my purposes, a simple meter showing strength of reflected RFID signal would probably suffice, so one can slowly pan over an area to watch for needle jumps. An audible signal (think Geiger counter or metal detector) could work too, though a headset jack would be nice in that case.

Anyone who disables the tag, is a terrorist.

[krygny]

"Does anyone have an argument in favor of the technology's implementation here?"

Soundly thrash, arrest, incarcerate, try, convict and execute anyone with a malfunctioning passport tag. Problem solved.

So what's the point of this "Security device"?

[Zadaz]

If my passport is perfectly valid without it then why does it exist? It's certainly not preventing counterfeiting if they can just skip that step.

Re:microwave it

[Anonymous Coward]

this is correct--there are NO rfid tags in US bills. They cannot be detected from a difference.

Geez, people get so paranoid.

And speaking of paranoia, why bash the RFID chip in the passport? It contains very little personal information, and any info that is in it could be stolen even easier by an old-fashioned pickpocket. There is no *reason* that a data thief would want to steal the chip info, and no *damage* they could do to you if they did. Hammer away, if you wish--and let your paranoia buy you prison time or a longer wait at customs.

Re:No Hurry

[swillden]

Yeah, because stopping you, scanning your passport, then letting you on through was SO much faster than stopping you, sliding your passport through a stripe reader, and letting you through.

Umm, you missed the point. The intent of the smart card chips isn't to speed up processing,it's to increase security without slowing processing down too much. However, once the smart chips are in place, the normal processing flow for a chip-bearing passport will involve reading the chip data. What happens when the chip fails to respond? Well, that will be an exceptional circumstance that will take the bearer of that passport out of the normal, expedited flow and into another process that scrutinizes the passport and its bearer more closely.

Once the system is well-established, such that the vast majority of passports have working chips, having a broken chip will slow you down.

Oh, and current and future US passports don't use a magstripe reader. The thing they swipe your passport through a scanner that reads the printed data. I think it's an optical scanner, though it might be magnetic if the information is printed with magnetic ink (much like the numbers on the bottoms of checks used to be -- though I think those aren't magnetic any more either).

Re:Somebody doesn't grok RFID...

[canavan]

passive (powered by the magnetic field generated by an RFID reader).

Passive RFID tags are not powered by magnetic, but by electromagnetic fields, more precisely essentially the same radio frequency they use to send back their data - they use the same antenna for sending and receiving.

someone with even a basic knowledge of physics knows that the power requirement to maintain an adequate magnetic field increases exponentially with distance.

Since we determined that radio is used to power the tags, everyone with a basic understanding of physics should know that the field strength diminishes with something like x^-3 and not y^-x, which would make it a cube law matter, and not exponential. Additionally, the same directional antenna that can be used to read the tag's signal can be used to direct the radiated RF energy to the tag.

one has to remember that tags operating on the same frequency will tend to interfere with each other, reducing the chance of getting a good read.

Sorry, but that's wrong again. RFID tags only send an answer when they are specifically addressed. The inventory control tags allow for a binay search to find all tags, e.g. you start by asking if any tag have addresses <2^31. If any answer, you check < 2^30 and between 2^31 and 2^30, etc. until you know the individual addresses of all tags in your range. Only after you have the right adress you will start actually reading their data, anything before that is just to detect their presence. Whether or not passport tags even give away their presence if one doesn't provide the (printed) secret key in the request, I do not know.

Re:Somebody doesn't grok RFID...

[Anonymous Coward]

For an isotropic (directionless) transmitter/receiver pair, the power requirement is distance^4. That is not exponential.

By using a directional transmitter and receiver, the power requirement is distance^4/transGain/recGain. Both the power/sensitivity requirements and interference from non-targetted RFID's decrease. A gain of 6 changes a 2" range into 1'. Antenna gain of 60 increases that to 10' range... all with standard equipment. However, this assumes that the passport is broadside to the attacker; as others note, it will generally be partially closed and facing away; both effects increase the power requirements.

Kids, beware of people using pringles-can antenna near the airport. and don't wave your passport around all the time.

Re:No Hurry

[Dare nMc]

Doesn't this strike anyone as ironic? The RFID is of no value for official use without first having to read something printed on the inside.

took me some time to grasp the advantage. I think the obvious advantage of the rfid chip is for the entering country to keep a complete record for post/off site processing. It does no good to the US customs for US citizens to give back the info. We already have that in our databases, + more for anyone "interesting" just from their SSN.
Essentially the RFID passport is a Tit for Tat jester. To tell the EU, etc we'll force our citizens to give you their data in a nice tight bundle, so that you will return the favor with your citizens data on Entry to the US.
obviously easier for a untrained agent to beam all passport data to a offsite FBI agent, then you can have one central surveillance office.

Re:Violation of Privacy

[Helldesk Hound]

Actually you did - implicitly by virtue of your citizenship in the USA.

The republic known as the United States of America passed a law requiring such device to be used. You are as responsible for the laws in the USA as any other USAan citizen is.

And as a citizen of the USA you implicitly agree to be bound by the laws as approved by the majority of it's citizens.

You don't like it? Get the law changed, or emigrate to some other English-speaking country.

It's worth noting that the USA has recently passed several sets of laws (to do with monitoring & detaining people) that are very similar to those laws that were enacted in Germany in the years immediately prior to the Second World War.

Wake up USA. Wake up!

Re:They *will* be forged

[swillden]

Oh yes he will. They will inevitably leak. It's only a matter of time until someone bribes or blackmails a government employee or steals one of the machines used to sign the data and program up the chip.

Very, very, very unlikely. I have significant experience with how such signing keys are managed. A few years ago I built a key management system to protect the keys to protect billions in credit transactions. The project was considered important to national security, so I had design reviews with the NSA. I know what the NSA required of my designs, and I'm sure that the passport system will also benefit from their input. They're seriously good at this stuff.

The keys will almost certainly be generated in, stored in and used only by hardware security modules, themselves stored in the most secure areas of the already highly-secure passport production facilities. There will be no way to ever get the keys into the clear. The HSMs won't be in easily movable machines, and multiple senior officials will have to authenticate in order to clone the keys to another HSM, and under no circumstances will the HSMs be allowed to leave the facility. Further, once installed there will be no reason to ever move them at all, and plenty of physical security will be in place to assure that they're not moved.

The keys won't be stolen. That's easy to assure when you have such a small number of extremely important keys that don't have to ever be moved.

What almost certainly will happen is that corrupt passport issuance officials will create real passports, issued through the normal channels, with bogus names and identification data. That sort of risk is self-limiting, though.

Re:No Hurry

[Jah-Wren Ryel]

Your answer says nothing about why RFID was chosen over another technology like 2D barcodes - you know, the OP's question about "why not just print the data in the first place."

Current state of the art gets about 64K plus error correction on a piece of paper the size of one passport page. That's plenty for passport use.

Furthermore, this focus on forgery is completely short-sighted. All it will do is change the business of forging passports from one of making them up on the spot to one of collecting copies of thousands of valid ones so that the forger can more easily provide a dupe that closely matches their client. Since a passport is suppossed to last for 10 years, there will always be a lot of leeway in interpreting the "biometrics" that are stored there.

It would not surprise me in the least to see a black-market in databases of passport dupes spring up - any place that "holds" yours passport, like a hotel, will be an easy point of vulnerability - desk clerks don't make much money, especially in 3rd world countries. 50 cents per valid dupe would be extremely cost effective and more than enough incentive.

The real goal is supposed to be increased security, but all this system does is re-arrange the pieces on the chess board - and line the pockets of a bunch of government contractors.