Why chips in passports and ID cards are a stupid idea

Have chip, will travel
Why chips in passports and ID cards are a stupid idea

(The Economist) A MONTH of tramping around Europe has given your correspondent a chance to see how effective the new e-passports are at border crossings. Between them, his family holds American, Japanese and British passports, each recently renewed. Unlike previous ones, the e-passports contain biometric data embedded in a radio-frequency identification (RFID) chip, along with the usual mugshot and optical bar-code.

Although all new passports conform, more or less, to standards laid down by the International Civil Aviation Organisation, each country implements the requirements somewhat differently. The new American passport sets the gold standard. It has additional features built into it that make it especially hard to counterfeit. The Japanese passport runs a close second, while the British version comes a poor third.

So far, the only biometric details stored in the new chipped passports are facial measurements, including the distance between the holder’s eyes and the positions of the nose, mouth and ears. The measurements—extracted from passport photographs using facial-recognition software—are digitally encoded and stored in the RFID’s memory along with a digitised photograph and personal details.

The two main justifications for adding chips to passports are that they improve security at border crossings and speed up immigration procedures. Your correspondent thinks this is poppycock.

Take speed. The immigration officer still has to open the e-passport, read its contents and then swipe its bar-code through an optical reader to get the bearer’s file up on a screen ready to ask a few questions. There, normally, the procedure would end.

Next, however, the e-passport has to be placed over an inductive reader that provides the radio-frequency energy to power up the passive RFID so it can spit out its data. Moments later, the chip’s contents appear on the screen, ready to be compared with those printed in the booklet. If the two sets of information agree, the passport is accepted as authentic.

In other words, all the chip does is confirm what is printed in the passport. What it does not do is prove the holder is the person he or she claims to be—no more so than a traditional passport did. If the person has a reasonable likeness to the photograph—and therefore similar biometric details—a stolen e-passport could readily be accepted. Or if the passport is a fake and the chip cloned, it could just as easily pass muster. As always, it will come down to the experienced eye of the immigration official—whether it’s a chipped passport or a traditional one.

How easy is it to clone an e-passport? The RFID chip is not supposed to divulge any data until the reading machine on the immigration official’s desk authenticates itself by presenting an encrypted digital key. This has to match another encrypted key that is generated from a string of data scanned into the system from the optical bar-code printed in the passport. Only when the two keys match can the chip be unlocked.

That, at least, is the theory. Unfortunately, not all countries have implemented the “passkey” part of the process as well as they might have done. Even the European Union admits that the security of its e-passports was “poorly conceived”. Indeed, no sooner had European authorities introduced the new chipped passports than a Dutch one was hacked live on television, with the participants gaining access to the owner’s digital photograph and personal details. Days later, a handful of British e-passports were given the same treatment.

Part of the problem is the encryption keys themselves. Because they depend on familiar groupings—such as passport numbers, places of birth and birth dates—they tend to be highly structured sequences that are quite easy to guess. That makes it possible for hackers to decode such keys in minutes rather than hours. Also, because RFIDs broadcast their encrypted contents over the air, eavesdropping is easy.

The official range of an e-passport’s RFID is supposed to be no more than ten centimetres (four inches). But with $100 worth of hobbyist gear, Israeli researchers managed to skim encrypted data off e-passports from several feet away. A student at Cambridge University in Britain went further, intercepting e-passport transmissions some 50 metres (160 feet) away.

That was enough for State Department officials in Washington, DC, to insist that American e-passports be fitted with metal sleeves to shield them, when closed, from prying electronic eyes. The measures seem to be reasonably effective, though e-passports that get wedged open slightly by keys or loose change can still be read electronically from a distance.

Slightly open passports could leave holders vulnerable to physical attack. Each country encrypts data in a characteristic way that terrorists could use to identify the nationality of the person carrying the chipped passport. To demonstrate the point, a firm called Flexilis used a partially opened American e-passport tucked in the pocket of a dummy to trigger an explosion as it passed a dustbin containing a small charge.

As vulnerable as e-passports are to electronic eavesdropping and cloning (which their non-chipped predecessors were not), they are nowhere near as bad as the new generation of chipped identity cards that are finding their way into people’s pockets. Since June 1st Americans re-entering the country by land or sea from Canada, Mexico, Bermuda and the Caribbean have had to carry at least an Enhanced Driving Licence or a PASS card—picture IDs the size of a credit-card with the bearer’s identification number stored in an RFID chip.

Certainly, chipped ID cards speed things up at borders. All you have to do is hold the little plastic card to the windscreen as you approach the checkpoint, and a scanner reads your unique identification number. Your file is immediately downloaded from a central database for the immigration officer to see on a screen. The officer can then wave you through or hold you momentarily for questioning.

Speedy they may be, but chipped ID cards are horrendously insecure. When prompted, they broadcast their unique identifier in plain text, without any form of encryption or authentication, to anyone who is listening. And because they are designed to be interrogated from distances of ten metres or more, they are a doddle to intercept. Making matters worse, they rely on the same RFID tags used by retailers, and can therefore be “locked” or “killed” remotely by wireless commands. The scope for identity theft, chaos or worse is unlimited.

Bizarrely, you can enter America on one of these pieces of plastic. What on earth were the authorities thinking? Embarrassed officials are now appealing to people carrying such ID cards to keep them safely tucked away in metal sheaths. Truth be told, shielding them merely reduces the range from which they can be read. The current record is 65 metres.

Meanwhile, the British government is scrambling to avert a similar fiasco. Earlier this month, the Home Office announced a change of heart, saying its proposed national ID card scheme would not now be compulsory. It also deferred ordering equipment for making the cards until autumn 2010—after the next election.

Britain’s opposition parties have gone further, promising to scrap the hated ID card system altogether, along with the central database that would hold comprehensive files on everyone in the land. With a change of government expected next year, Britons may yet be spared the insanities Americans are now having to put up with.