U.S. set to issue passports with RFID chips

Computerworld - The U.S. Department of State is on track to start issuing passports with radio frequency identification (RFID) chips next week, despite warnings from some security experts that such systems could be accessed or tracked by hackers.

The new program will start in the Denver passport office and be rolled out across the country over the next several years. All American passports are expected to include RFID chips containing personal information by 2017.

State Department personnel have successfully tested the electronic passports over the past year, said Frank Moss, deputy assistant secretary for passport services.

Moss contended that electronic passports improve security by making it harder to forge or alter official documents. All personal information on the chip must precisely match that in the printed portion of the electronic passport. "In the past, it could have been possible to put a new photo inside [a stolen passport] or find someone who looks like the holder," Moss said.

Additionally, if an electronic passport is stolen, the chip has a unique identifying number that can be tracked by law enforcement agencies worldwide, he said.

Moss said that extra memory space on the RFID chip may be used in the future to store biometric information such as a fingerprint image. However, he said no decision has yet been made on how to use the extra storage space.

Some security experts have expressed concern over the use of a chip that doesn't require contact with a scanner. The new passport can be read about four inches from a scanner.

Given the fast pace of technology changes, and the 10-year life of a passport, it's inevitable that the RFID chip will become hackable and that technology will be built to access it from long distances, said Bruce Schneier, founder and CTO of Counterpane Internet Security Inc. in Mountain View, Calif. The new passport could eventually allow for surreptitious access and tracking, he said.

Schneier contended that the State Department could have used an RFID chip that requires contact with a reader. "I can think of no benefit for a contact-less chip," he said. "The question is, if there is no good reason for RFID, why are they pushing so hard for it?"

Other experts downplayed such potential flaws. "The only vaguely legitimate arguments I have heard against E-passports is that they might permit someone two feet away from you to learn that you are American and blow you up, or permit someone two feet away to learn whatever might be stored on the E-passport," said Michael Shamos, a professor who specializes in security issues at Carnegie Mellon University in Pittsburgh.

"It's a balancing of risks. The E-passport will be much more difficult to forge and thus ought to reduce the prospect of terrorists getting hold of valid ones," he said.

The passive 64Kb RFID devices in the new passports will be supplied by Infineon Technologies North America Corp. of San Jose and Amsterdam-based Gemalto NV, Moss said. The E-passports meet specifications laid down by the Montreal-based International Civil Aviation Organization (ICAO), a United Nations standards body.

The ICAO has been pushing for its 189-member countries to adopt machine-readable passports by 2010.