Like a punch-drunk boxer swinging wildly in the hopes of hitting his opponent, government agencies continue to stumble stupidly ahead in implementing “homeland security” technology that is riddled with known, demonstrated flaws.
One of the latest debacles in this seemingly endless parade of bad ideas is the U.S. “e-Passport,” the new, legally-required passport that contains a tiny computer chip coupled to a radio that broadcasts private passport information to an e-Passport reader. e-Passports began to be issued by the State Department earlier this year, and the Department of Homeland Security (DHS) announced on September 27 that e-Passport readers have now been installed at San Francisco International Airport. These are the first e-Passport readers to be installed in anticipation of the Congressionally-mandated October 26 deadline that they be installed at all U.S. ports of entry.
The problem with this seemingly wonderful idea is that e-Passport technology was hacked and cracked long ago.
Based on Radio Frequency IDentification (RFID) technology, the same technology that Wal-Mart and other companies use to identify mass product quantities, e-Passports were originally said to be readable only at a distance of 10 centimeters or less. This myth was quickly dispelled as researchers demonstrated homemade antennas and readers that worked at a distance of 50 feet, which could allow criminals to secretly and remotely read e-Passport information. DHS responded with a lame e-Passport “shield,” which consists of metal fibers impregnated in the e-Passport’s cover. Even so, the e-Passport’s signal is still detectable at distances much greater than 10 centimeters. The situation is so bad that third-party companies have begun selling special e-Passport covers, which are essentially nice looking solid metal boxes to hold your e-Passport.
Even worse is the “Basic Access Control” protection scheme that e-Passports employ, which was cracked by Dutch security firm Riscure in February. Data between the e-Passport and reader was remotely captured, loaded onto a computer, and cracked in two hours, revealing the digitized photograph, fingerprint, and all text data that was stored on the e-Passport. This was demonstrated on the Dutch TV program, “Nieuwslicht.”
Then, in July, VeriChip’s human-implantable RFID technology was cracked and cloned in front of a live audience by researchers at the HOPE computer conference in New York City. Finally, putting icing on the moldy e-Passport cake, demonstrations in August at the Las Vegas BlackHat and Defcon security conferences by German researcher Lukas Grunwald, held in front of live audiences (including FBI and DHS officials), showed how easy it is to crack and clone an e-Passport, thereby allowing criminals to created forged documents.
Numerous experts have issued warnings against e-Passport technology. Yet, in spite of the overwhelming evidence, government agencies plod onward with e-Passport deployment, seemingly determined to “make it so,” with a “homeland security” scheme that makes about as much sense as banning nail clippers and shampoo. I’m reminded of the famous quote from the old “Pogo” comic strip: “We have met the enemy, and he is us.”