Here is a short piece on how a researcher, Chris Paget, bought a $250 RFID reader on eBay and used it to clone ePassports while driving 30 miles an hour near Fisherman’s Wharf in San Francisco. I fully recognize that this demonstration doesn’t represent a method for fabricating complete paper-in-hand cloned passports. Cloning is just the first step, but it is a big step. More importantly, it is a step that the State department has is somewhere between impossible and unlikely. The following is a passage from the privacy impact assessment (PIA) of TDIS – the Travel Document Issuance System:
The Department of State has taken extensive measures to prevent a third-party from reading or accessing the information on the chip without the passport holder’s knowledge. This includes safeguards against such nefarious acts as “skimming” data from the chip, “eavesdropping” on communications between the chip and reader, “tracking” passport holders, and “cloning” the passport chip in order to facilitate identity theft crimes. These safeguards are described in detail on the Department of State website.
Apparently those safeguards aren’t very strong.
I invite you to read the State Department’s FAQ on e-Passports. Notice the incredibly defensive tone in the opening of the answer to the question, “Will someone be able to read or access the information on the chip without my knowledge (also known as skimming or eavesdropping)?” Also notice the tacit acknowledgment that passport RFID chips can be cloned.
Mr. Paget intends on driving around DC this weekend to see what he can clone, and with a macbre sense of humor, I look forward to reading his results.
Until then, I’ll keep my paper passport.
4 thoughts on “I’ll keep my paper passport, thanks”
This reminds me when I worked for a cell phone company in Mass and we used to have an ESN reader that we would need to grab from time to time to change phones, phone service, etc. One day I was out with one of my techs reprogramming 50 phones on an account I just won, and driving down 128 I must have grabbed 20 phone numbers. I could have cloned any phone and the number would be mine and the phone charges someone else’s problem.
I wonder if the technology in the RFID stuff is similar where by it can/does transmit stuff all the time and you just need to grab it out of the air.
I too will keep my paper Passport when I renew it this year…
Keep in mind when you renew you get an e-Passport.
Sounds like Paget is cloning Passport Cards (http://travel.state.gov/passport/ppt_card/ppt_card_3926.html), not the Electronic Passport. I’m not saying the Electronic Passport is any better, though Paget does:
“Paget says the RFID chip technology found in traditional passport books, however, is better because it has encryption and authentication features. He suggests the federal government replace the e-passport RFID chips with the RFID chips used in the passport books. “
I’d be interested to know how many Passport Cards are out there. I didn’t think they were that widespread, but I don’t have a lot of hard data on that.