Web spreads worries over passport security

The Baltimore Sun

In a video on YouTube, an explosion in a trash can, which appears to be wirelessly triggered by a passport equipped with a computer chip, blows away a dummy.

Two caveats: That's not a real passport, and even Kevin Mahaffey, the Los Angeles security consultant who made the video, calls it "a far-out scenario."

It is unlikely that terrorists or others could steal your identity or attack you through the new computer chips in U.S. passports, many experts say. But that hasn't stopped the rumors from ricocheting around the Internet.

Sorting fact from fiction is tough when it comes to the "smart" chips, tiny integrated circuits that are being embedded in U.S. passports. They're part of efforts to improve border security that, starting Jan. 31, also will tighten document requirements for traveling from Canada to the U.S.

Here's how the chips work:

They use radio frequency identification, or RFID, a wireless technology with various applications.

The chip on your passport stores your name, gender, birth date and place; your passport number, its issue and expiration dates; and a digital version of your ID photo. It broadcasts this data when its antenna is activated by signals from a government reader at a border crossing.

The security of this broadcast is the crux of the debate. The State Department says the chip's range is about 4 inches and that it cannot be read when the passport book is fully closed.

But with the right equipment, early critics said, people several feet away or farther could secretly access the data and use it to identify Americans, track their movements and steal their personal information. The chip also could be copied or altered to make phony passports, some said.

Responding to concerns, the State Department added security features:

To block radio signals, it put metallic material in the passport's front cover and spine.

To thwart eavesdropping, it placed a cryptographic key on the printed data page that must be read by an optical scanner to unlock the chip's data. (Officials note that Social Security number and address are not on the chip.)

To prevent tracking, it installed a "randomized unique identification" system that presents a different ID to a reader each time the chip is accessed.

To counter fraud, it installed a digital signature that flags chips that have been altered.

These measures have at least partly mollified some critics, including Ari Juels, chief scientist and director of RSA Laboratories in Bedford, Mass., who analyzed earlier versions of the embedded-chip passport and found them wanting.

"At the moment, the security protections in U.S. passports are pretty good," Juels said.

But Juels said RFID technology is potentially vulnerable. And other experts say they found flaws. The unconvinced critics include Mahaffey, a co-founder of Flexilis Inc., a mobile security company that made the video of the exploding trash can.

If your passport book falls open by even half an inch, Mahaffey said, a nearby person could wirelessly detect that you are an American and, conceivably, trigger a bomb as you pass by -- although the likelihood of the latter is "very low," he conceded. (The State Department disputed the validity of his video.)

Another expert, Lukas Grunwald, chief technology officer with the German security company DN-Systems Enterprise Internet Solutions, says he was able to copy data from an RFID chip on a German passport and transfer it onto another passport.

Although the digital signature on U.S. chips could detect such fraud, Grunwald said his demonstration suggested that criminals might be able to use the chips to introduce malicious viruses into the inspection system.

In the end, given the new technology and its complexity, it's impossible to know whether the RFID chip is 100 percent safe, experts said.

"We know that there are counterfeiters out there," said Michael Holly, chief of the international-affairs staff in the passport-services directorate of the State Department. "I don't think anyone will say ... the document is foolproof."

Jane Engle writes for the Los Angeles Times.

Copyright © 2019, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad