RFID Chips - the Loss of Civil Liberties

Apithonor
In part two of this RFID series we'll cover the vulnerabilities of the RFID chip, how technical gurus are trying to warn government bodies and the public about security issues, and how you can protect yourself from possible identity theft.

With the onslaught of technology in the last 30 years, you'll be hard-pressed to find someone who doesn't have at least a general idea of who a hacker is supposed to be, and what they could possibly do to you. Most people feel that, outside of banking and big-business sites, they're mostly protected on the Internet; they've learned to control their own personal information and downloading habits (or have a program to make these choices for them). With banks and top-tier companies hiring the best minds they can find to combat, and attempt to stay ahead of, the game, life as a hacker can't be getting easier. Or can it?

RFID: first generation biometrics
The introduction of the biometric passport, which contains a radio-frequency identification (RFID) chip, was hailed as the future of secure documentation. Upon introduction in the UK, however, the chip encryption was broken in under 48 hours, according to a Steve Boggan report for The Guardian. Other security breaches include research into copying the data from the chips while the passport was in the post. Both of these discoveries chilled the open support for these passports and added fuel to the fire for those who were opposed.

How can it be so easy? In the first generation of biometric passports, one fatal back door was left wide open: there is no limit on attempts to contact the chip, so the incredible encryption on it is all but useless. With an unlimited number of attempts to crack the code, this seems akin to the Americans getting the Enigma machine during World War II. On the other hand, a spokesman for the Home Office told The Guardian, "What use would my biometric image be to you? And even if you had the information, you would still have to counterfeit the new passport - and it has lots of new security features. If you were a criminal, you might as well just steal a passport."

This may be cold comfort to travelers and experts who believe the Home Office is turning a blind eye to a serious problem. The RFID chip has been cloned by Lukas Grunwald, founder of DN-Systems Enterprise Solutions in Germany, using equipment not unlike that used by Steve Boggan (author of The Guardian's special report) and his security consultant Adam Laurie (although the Guardian correspondent and consultant did not clone the data, citing legal reasons). Both 'attacks' were legal and done for testing, with both Grunwald and Boggan alerting the public and authorities to this possible security crisis (in short: don't try this at home).

Although many pro-RFID groups mention, repeatedly, that the chips cannot be read by satellite and some even say that a distance of 2.5cm is the limit, in Boggan's experiment it took four seconds to read the chip once the encryption was broken (in under 48 hours) at a distance of approximately 7.5cm. Additionally, a Dutch team claims to have contacted the chips at 30cm, and still others say that with a modified reader, distances of 60-90cm are possible. Considering how crowded airports and other public areas and transportation can be, even a few centimeters is enough space. That is before taking into consideration the possibility of someone who works at a checkpoint stealing the information while you stand there watching them, with no knowledge that the data is being stolen.

To add injury to insult, in March 2006 a bug was reported by Ars Technica regarding an RFID-related buffer overflow vulnerability in airport terminals that could be exploited by a specially-made RFID chip. The ramifications of this include mucking about with the baggage and passport information which leaves personal details unprotected.

Richard Stallman and FIDIS stand up to RFID supporters
Richard Stallman, founder of the Free Software Foundation, went to the World Summit on the Information Society (WSIS) in 2005 and was given a security pass with an RFID chip. Objecting to the idea that he could be tracked while walking around the grounds of the summit, Stallman covered his RFID-chipped pass in a roll of aluminum foil, although he willingly unwrapped it for all security checkpoints and wore it around his neck like the other delegates present. After his speech at the summit, however, UN security rewarded Stallman's non-violent protest by not allowing him to leave the room.

In the September 2006 Budapest Declaration on Machine-Readable Travel Documents (MRTDs) released by the Future of Identity in the Information Society (FIDIS), the EU-supported organization stated, "By failing to implement an appropriate security architecture, European governments have effectively forced their citizens to adopt new international MRTDs which dramatically decrease security and privacy and increase the risk of identity theft. Put simply, the current implementation of the European passport uses technologies and standards that are poorly conceived for its purpose."

Others have spoken out about the RFID-chip identity cards, passports, and so on, but this has not seemed to deter the governments that stand by their decisions. With incoming legislation to push forward national identity cards in the UK which use the same biometric systems, one might wonder who is trying to win support from the corporate sector who have secured lucrative contracts. It seems Big Brother might be watching, but that's all he's doing since this might leave citizens all over the world open to attacks unless something is significantly changed.

What could be done with the information?
Facial recognition systems, which are routinely used in several countries with security cameras checked against a database, sound like an answer until you realize they are not used at border checks or airports, not to mention "the technology throws up between 20 and 25% false negatives or false positives. It isn't reliable," Grunwald added. Facial recognition by humans is notoriously flawed as well, and with the security of the RFID chip likely considered strong, they would be more likely to trust the information before them instead of their own eyes.

Once more biometric data is added to these chips, if the security is not significantly enhanced in some way, criminals would have your fingerprints or other specific data which can be forged. Once automated checkpoints are added and the human element of border checks is phased out, you could be traveling while staying at home and someone under your name could commit crimes of all sorts. Now find a good lawyer and plenty of witnesses that you were actually at home watching Survivor.

As well as the threat of criminals and hackers, there is also the Orwellian threat of governments around the world tracking, databasing, and observing your every move. With all of your actions being stored somewhere, online purchases will tie in with your work history, where you like to hang out on Friday night will be cataloged along with how fast you were driving, and ultimately your civil liberties will be eaten away until you might find yourself sitting at dinner, burping, and receiving a call from your neighborhood council asking you to please say "excuse me" after doing so.

You name it, they'll tame it
Given the supposed security of these passports and the fact that local ID cards will soon have RFID chips (U.S. and UK, as well as other countries), it is extremely concerning how easy and effective the tools to toy with these are. The threat is not only on a personal level, but a global one, with the possibility of supply chain disruption for any organization that uses the chips to track and handle its inventories and shipments.

The Golden Reader Tool (GRT) is a software application which is freely available for reading passports which conform to the International Civil Aviation Organization (ICAO) regulations which include an RFID chip. The GRT was developed in 2004 for the Bundesamt für Sicherheit in der Informationstechnik (BSI - translated as the German National Office for Information Security) and is widely used in ePassport functionality testing.

An RFID-zapper was created by German privacy activists which uses a standard film camera which microwaves the chips using a small, but strong, electromagnetic field. This will cause the capacitor to blow and deactivate the chip. Similar constructions are made of other household items, and all run on your average AA batteries. Although the German group had a 'higher cause' for their protest, this sort of construction could possibly be used to overload chips on a larger scale depending upon the goals of the people behind this and their contact with the items.

There is also the issue of RFID chip readers being easily accessible to the public, with prices between USD 100 and GBP 250 for them online, without any sort of corporate or government identification required to receive them.

Protect your identity
If you're an American citizen with a new passport, you can relax because the U.S. government has added a layer of foil to the covers to deter skimming attempts by rogue scanners when the cover is closed. Or can you? Take out your passport and look at it. Can you see any gaps in the cover? If your passport is the new biometric type, it's likely broadcasting your information between the stamps for, say, Holland and Japan. If you're in the EU, the biometric passports have not yet received this anti-skimming treatment to the cover, so they're left wide open. What can you do?

After the countless entries I have read on the Internet, most of which addressed the opinions of being either for or against the RFID chips, ePassports, and so on, the best method I have thought of to avoid data theft and a prison sentence (tampering with a passport is punishable with 25 years) is a little home project involving the material of your choice, one solid stitch, and tin foil to make a slip cover. In part three of the RFID series, I'm going to give you some ideas of how to make one with my tech advisor, Richard Stallman. It won't stop a postman or mail thief from stealing your data, but it'll give you some comfort on the road (and maybe be a bit trendy, too).

Published by Apithonor

I am one who has traveled through the U.S., Australia and Europe writing about my experiences, editing to pay the rent and teaching English to those who wish it.

Classes define the capability of the RFID tag, from Class 0 to Class 4. Each class has more capability than the one below it and is backwards compatible. Generations refer to the revisions of the specification.

2 Comments

  • DrDevience, 7/27/2007

    What is really scary is that the vast majority of people are lying down and taking it with nary a protest... and those who see the whole picture are being labeled Conspiracy Theorists.

  • Austin Cooper, 7/26/2007

    I loved it! As a privacy advocate I really like seeing articles like this. I look forward to the rest!
