The Spokesman-Review Newspaper
The Spokesman-Review Newspaper The Spokesman-Review
Spokane, Washington  Est. May 19, 1883
Current Temperature
70°F
Current Conditions
Clear sky
View complete weather report

Color Scheme

Subscribe now

Some question security of smart passports

Jane Engle Los Angeles Times

In a scary video on YouTube, an explosion in a trash can – which appears to be wirelessly triggered by a passport equipped with a computer chip – blows away a dummy.

Two caveats: First, that’s not a real passport. And second, even Kevin Mahaffey, the Los Angeles security consultant who made the video, calls it “a far-out scenario.”

It is unlikely that terrorists or others could steal your identity or attack you through the new computer chips in U.S. passports, many experts say. But that hasn’t stopped the rumors from ricocheting around the Internet and elsewhere.

Sorting fact from fiction is tough when it comes to the “smart” chips, tiny integrated circuits that are being embedded in U.S. passports, part of ongoing efforts to improve border security.

The chips use radio frequency identification, or RFID, a wireless technology with various applications.

The chip on your passport stores your name, gender, birth date and place; your passport number, its issue and expiration dates; and a digital version of your ID photo.

It broadcasts this data when its antenna is activated by signals from a government reader at a border crossing.

The security of this broadcast is the crux of the debate. The State Department says the chip’s range is about 4 inches, and that it cannot be read when the passport book is fully closed.

But with the right equipment, some critics initially said, people several feet away or farther could secretly access the data and use it to identify Americans, track their movements and steal their personal information.

The chip also could be copied or altered to make phony passports, some skeptics contended.

Responding to concerns, the State Department added security features:

“To block radio signals, it put metallic material in the passport’s front cover and spine.

“To thwart eavesdropping, it placed a cryptographic key on the printed data page that must be read by an optical scanner to unlock the chip’s data. (Officials note that Social Security number and address are not on the chip.)

“To prevent tracking, it installed a “randomized unique identification” system that presents a different ID to a reader each time the chip is accessed.

“To counter fraud, it installed a digital signature that flags chips that have been altered.

These measures have at least partly mollified some critics, including Ari Juels, chief scientist and director of RSA Laboratories in Bedford, Mass., who analyzed earlier versions of the embedded-chip passport and found them wanting.

“At the moment, the security protections in U.S. passports are pretty good,” Juels says.

Bruce Schneier, chief technology officer of the BT Counterpane security company in Santa Clara, Calif., says he’s pleased with the final version of the passport.

But both men say RFID technology is potentially vulnerable. And other experts claim they have found flaws.

The unconvinced critics include Mahaffey, a co-founder of Flexilis Inc., a mobile security company that made the video of the exploding trash can.

If your passport book falls open by even half an inch, Mahaffey says, a nearby person could wirelessly detect that you are an American and, conceivably, trigger a bomb as you pass by – although the likelihood of the latter is “very low,” he conceded.

(The State Department disputes the validity of his video, which Mahaffey says featured a mock passport that he fabricated using similar materials to an authentic one.)

Another expert, Lukas Grunwald, chief technology officer with the German security company DN-Systems Enterprise Internet Solutions, says he was able to copy data from an RFID chip on a German passport and transfer it onto another passport.

Although the digital signature on U.S. chips could detect such fraud, Grunwald says his demonstration suggested that criminals might be able to use the chips to introduce malicious viruses into the inspection system.

In the end, given the new technology and its complexity, it’s impossible to know whether the RFID chip is 100 percent safe, experts say.

“We know that there are counterfeiters out there,” says Michael Holly, chief of the international-affairs staff in the passport-services directorate of the State Department.

“I don’t think anyone will say … the document is foolproof.”