Computer scientists in Britain have uncovered weaknesses in electronic passports issued by the U.S., UK, and some 50 other countries that allow attackers to trace the movements of individuals as they enter or exit buildings.

The so-called traceability attack is the only exploit of an e-passport that allows attackers to remotely track a given credential in real time without first knowing the cryptographic keys that protect it, scientists from the University of Birmingham were quoted as saying in the media this week. What’s more, RFID data in the passports cannot be turned off, making the threat persistent unless the holder shields the government-mandated identity document in a special pouch.

“A traceability attack does not lead to the compromise of all data on the tag, but it does pose a very real threat to the privacy of anyone that carries such a device,” the authors wrote. “Assuming that the target carried their passport on them, an attacker could place a device in a doorway that would detect when the target entered or left a building.”

To exploit the weakness, attackers would need to observe the targeted passport as it interacted with an authorized RFID reader at a border crossing or other official location. They could then build a special device that detects the credential each time it comes into range. The scientists estimated the device could have a reach of about 20 inches.

“This would make it easy to eavesdrop on the required message from someone as they used their passport at, for instance, a customs post,” the authors wrote.