I’ll keep my paper passport, thanks

Here is a short piece on how a researcher, Chris Paget, bought a $250 RFID reader on eBay and used it to clone ePassports while driving 30 miles an hour near Fisherman’s Wharf in San Francisco.  I fully recognize that this demonstration doesn’t represent a method for fabricating complete paper-in-hand cloned passports.  Cloning is just the first step, but it is a big step.  More importantly, it is a step that the State department has is somewhere between impossible and unlikely.  The following is a passage from the privacy impact assessment (PIA) of TDIS – the Travel Document Issuance System:

The Department of State has taken extensive measures to prevent a third-party from reading or accessing the information on the chip without the passport holder’s knowledge. This includes safeguards against such nefarious acts as “skimming” data from the chip, “eavesdropping” on communications between the chip and reader, “tracking” passport holders, and “cloning” the passport chip in order to facilitate identity theft crimes. These safeguards are described in detail on the Department of State website.

Apparently those safeguards aren’t very strong.  

I invite you to read the State Department’s FAQ on e-Passports.  Notice the incredibly defensive tone in the opening of the answer to the question, “Will someone be able to read or access the information on the chip without my knowledge (also known as skimming or eavesdropping)?”  Also notice the tacit acknowledgment that passport RFID chips can be cloned.

Mr. Paget intends on driving around DC this weekend to see what he can clone, and with a macbre sense of humor, I look forward to reading his results.

Until then, I’ll keep my paper passport.

Chains of trust, questionable origins

If I wanted to print US Dollars at home, I’d need the printing equipment, the paper stock on which to do it, and the magical ink.  To thwart me, the government controls access to the printing plates, blank paper stock, and ink.  This, of course, hasn’t stopped people from trying to print money, but their produced fake money can be detected as fake because they do not have access to the real plates, stock, and ink.  Because the government tightly controls access to the original materials and the flow raw materials into the printing process, our money can be trusted.  (Financial crisis and the government’s predilection to just print heaps of dollars not withstanding.)

The government has not implemented the same model in the case of identification systems: passports and REAL ID driver’s licenses.

Consider this article from the Washington Times.  The raw materials to make a new RFID passport, namely, the blank covers with RFID chips in them, originate in Thailand.  They are then shipped here for printing and binding.  The control over access to this supply-line seems to be very weak.

The new RFID passports are part of a chain of trust.  Border Control allows me to re-enter the country if the passport is trustworthy and valid.  Cloning passports has been demonstrated to be a trivial process.  So one trustworthy passport can become an infinite number of trustworthy passports.  The chain of trust extends from me and the INS at the airport, back to the passport issuance office, to the State Department, to Thailand, and back to Europe where the RFID chips are made.  If any link along the chain cannot be trusted, then the entire chain of trust breaks.  And this seems to be the case.

This is similar to REAL ID.  In this case, municipal Departments of Motor Vehicles are responsible for protecting access to blank REAL ID stock.  That, in and of itself, isn’t any different than what happens today.  By transforming the driver’s license from a piece of plastic that says I am allowed to drive, into a proof of citizenship, REAL ID extends the chain of trust in new ways.  DMVs have been and are relatively weak targets.  This breaks this newly extended chain of trust.

The government, if it wants to establish and extend chains of trust, it must control the flow of raw materials into the process and must ensure that each step is trustworthy.

And if you think I am picking on the government, here’s a third example that doesn’t involve the US government.  It appears that credit card readers we altered during their construction.  These altered readers were indistinguishable from their unaltered peers.  These altered readers sent account data to unknown people in Pakistan.  Swipe a card to pay for groceries and off your data goes.  In this case, the last stop in the payment card chain of trust was effected.  If I cannot trust the card reader not to send my account information to someone I do not know, do not have a relationship with, and inherently do not trust,  then I will stop swiping my cards and just order things online or pay cash.

A system designed to broker trust must consider the extent of its chain of trust.  Each link in the chains must be fully vetted and strengthened.  Until I see evidence of that, I am still going to keep hold of my non-RFID passport.