Researcher: New passports vulnerable


Ned
08-08-2006, 09:46 AM
When is our government going to finally believe the myriad of electronics experts, who have not just speculated, but demonstrated that the new RFID enabled passports are a security and identity theft nightmare? These passports must be halted immediately!

I'm writing my Senators and Representative immediately to get the Bush Administration to wake up and stop the nonsense with the new RFID enabled passport unless they use encryption and/or some other technology which will protect my identity instead of broadcasting it to every crook and terrorist who happens to be nearby, and don't think they won't be nearby once this passport is in general use.

If you don't know how to contact your Senators and Representatives go to Contacting Congress (http://www.visi.com/juan/congress/)

Originally posted by AP via CNN.com - August 6 2006
Researcher: New passports vulnerable
Defcon showcases latest discovered security weaknesses

LAS VEGAS, Nevada (AP) -- Electronic passports being introduced in the United States and other countries have a major vulnerability that could allow criminals to clone embedded secret code and enter countries illegally, an expert warned.

A demonstration late Friday by German computer security expert Lukas Grunwald showed how personal information stored on the documents could be copied and transferred to another device.

It appeared to contradict assurances by officials in government and private industry that the electronic information stored in passports could not be duplicated.

"If there is an automatic inspection system, I can use this card to enter any country," Grunwald said, holding up a computer chip containing electronic information he had copied from his German passport.

The research is the latest to raise concerns about the growing use of RFID, short for radio-frequency identification, which allows everyday objects such as store merchandise, livestock and security documents to beam electronic data to computers equipped with special antennas.

Countries such as Germany already use RFID in passports to help border officials guard against forgeries and automate the processing of international visitors. U.S. officials plan to start embedding RFID in passports in October.

A State Department spokeswoman said late Saturday she did not have enough information on the matter to comment.

The presentation was one of dozens delivered at the Defcon conference being held through Sunday in Las Vegas. The conference, attended by many of the world's best-known security experts, has become an annual showcase of the latest discovered weaknesses in computers, phone equipment and other machines.

To read the full article go to Researcher: New passports vulnerable (http://www.cnn.com/2006/TECH/08/06/passport.security.ap/index.html)

mercwyn
08-08-2006, 01:34 PM
While I will write I'm fairly certain that the honorable Senators from Utah will choose to follow the President's lead. I know my Representative well enough that I may be able to convince him to push for the halt. Of course he doesn't have the greatest record at getting stuff through when you consider that every year he pushes for a repeal of the automatic pay raise that Congress gives itself and it has yet to pass.

BarkingLeopard
08-08-2006, 11:22 PM
I'll be renewing my passport shortly, so I'm curious as to know exactly when the new chips will be in the passports.

I chose "no- for any other reason" simply because while I'm plenty concerned I'm too lazy to write, and old enough (cynical enough?) to know that my writing my senator and lawmakers won't make a whit of difference, despite the fact that my brother volunteers for our dear and admittedly rabid (aren't they all rabid?) Congresswoman Johnson.

Besides, my Senator (old Lieberman) is in the process of losing the primary by 3 percentage points or so, and I suspect he has more important issues on his mind for the next three months. Looks like I'll have the choice of a very liberal Lamont, a moderate Lieberman running as an independent, or a very conservative and very unknown Republican this November- should be an interesting race to watch. Yes, I know that this belongs in the other forum, but the point is that my lawmakers have other stuff on their minds and I don't think that they would do anything more than have an aide write me a kiss-@$$ letter unless I actually ponied up some big kickbacks and bribes - er, "campaign contributions". <_<

In hindsight, I guess I should have chosen "no- they won't do anything about it anyway". Oh well- they won't, especially after the right company officials drop some well-placed cash around.

QUOTE (mercwyn @ Aug 8 2006, 01:34 PM):
While I will write I'm fairly certain that the honorable Senators from Utah will choose to follow the President's lead. I know my Representative well enough that I may be able to convince him to push for the halt. Of course he doesn't have the greatest record at getting stuff through when you consider that every year he pushes for a repeal of the automatic pay raise that Congress gives itself and it has yet to pass.


Mercwyn- am I the only one on these forums that sees the great irony and hypocrisy in a club of millionaires voting themselves pay raises (can you say "conflict of interest"?) at the same time they publicly pander to the "little guy" and welfare moms everywhere? Give your Congressman a hug and heartfelt thanks for me.

Ned
08-08-2006, 11:47 PM
All US Passports issued starting in October of this year will have the RFIDs implanted in them.

During the comment period about the RFID implants, out of the 2,335 comments on the plan that were received by the State Department, 98.5 percent were negative, but the Bush administration said they were going ahead with their plans anyway.

To address concerns about ID theft, the Bush administration said the new passports will be outfitted with "antiskimming material" in the front cover to "mitigate" the threat of the information being surreptitiously scanned from afar. Nothing apparently on the back cover, however. The problem is it's not clear how well the technique will work against high-powered readers that have been demonstrated to read RFID chips from about 160 feet away.

"The shielding in the passport is a physical device that basically, when the passport cover is closed, it's very difficult to read the chip," a State Department official, who did not wish to be identified by name, said. It's now been 10 months since the announcement that they're going to use "antiskimming material" and the State Department was still either unable or unwilling to provide any details about the "antiskimming material" protection. The National Institute of Standards and Technology, which has been working to evaluate the chip's vulnerability to skimming, continues to provide no information, as well.

Privacy advocates have said that the anti-skimming device was a decent start. But if the cover of the passport happens to be open, all bets are off.

tdew
08-09-2006, 12:52 AM
QUOTE (Ned @ Aug 8 2006, 11:47 PM):
"The shielding in the passport is a physical device that basically, when the passport cover is closed, it's very difficult to read the chip," a State Department official, who did not wish to be identified by name, said.

That sounds like a perfect new business opportunity for a slip in cover envelope for all who are concerned.

I've been concerned about the tags being used on items we purchase, but can also see how it is a help to merchants for inventory control. I'd like to see a home device of some sort that you could deactivate the tags on anything you have already bought and paid for.

Luckily, all our passports are good for quite a while yet, so the bugs should be worked out before we have to renew them.

Terry
from Bodo, Norway

Ned
08-09-2006, 02:50 PM
There was an interesting article about the new "e-Passports" today in the Wall Street Journal.

To start, the State Department now says it's going to start rolling out these new passports next Monday, out of the Colorado Passport Agency. They will continue to roll out their issuance, over the next several months, until by the end of the year all new passports issued will be "e-Passports."

The State Department says it has addressed key privacy concerns by adding metal sheets to the document's cover. The metal fibers make the chip inactive and data unreadable when the passport is closed. Then when the passport is open it can only be read by a scanner within a few inches of the passport. It's interesting that earlier this week, electronics experts were able to read the passports from as much as 160 feet away.

The State Department further states that the chip will be protected by an electronic-access-code system. The only trouble is that system is easily hacked, according to security experts.

Furthermore, anytime the passport isn't closed tight with the cover in contact with the RFID chip, the chip is broadcasting. Think about how your passport is carried in a pocket, or purse, etc. More often than not the passport is not "tightly" closed. T's right, "That sounds like a perfect new business opportunity for a slip in cover envelope for all who are concerned." At the very least people are going to have to take care of their passport much more carefully.

I'm going to have some kind of cover, case, whatever, ready to go before I get one of those babies.

tdew
09-20-2006, 01:56 PM
QUOTE (tdew @ Aug 9 2006, 12:52 AM):
That sounds like a perfect new business opportunity for a slip in cover envelope for all who are concerned.
Terry

Replying to my own post!

Someone listened....

http://gearlog.com/blogs/gearlog/archive/2006/09/18/21488.aspx

weblet
09-22-2006, 09:58 AM
http://www.schneier.com/essay-125.html

Ned
09-22-2006, 10:52 AM
QUOTE (weblet @ Sep 22 2006, 09:58 AM):
http://www.schneier.com/essay-125.html

It sounds like Mr. Schneier has been reading the posts here at Tripso. His essay is right on the money.

Frankly, one of the things I've been thinking about is that I wouldn't be surprised if many US citizens try to temporarily disable the chip, and what would be the consequences of doing so.

The State Department says, "Any passport which has been materially changed in physical appearance or composition, or contains a damaged, defective or otherwise nonfunctioning electronic chip, or which includes unauthorized changes, obliterations, entries or photographs, ... may be invalidated."

But, I'd be willing to bet that once these new passports have been in fairly wide circulation that someone(s) will come out with a device to temporarily disable them such as a tiny field emitter which you could clip on to the passport, which puts out a cancelling wave field. Security agencies use these to stop "bugs" from properly functioning.

jfrenaye
09-22-2006, 11:27 AM
TDEW had a link in her post above for a wallet that will prevent the signal from escaping. It is made with zinc, which I imagine will be a no-no at security checkpoints, so therefore you will have to put that in your carry-on (which will no doubt be searched because I do not believe zinc can be X-rayed) and leave you with your vulnerable passport for the duration of the security line, which is exactly where anyone trying to get the info will be!

weblet
10-23-2006, 12:02 PM
New 'e-passports' raise security issues
By Gregory M. Lamb | The Christian Science Monitor

A new generation of United States passports, equipped with short-range radio tags, are arriving in mailboxes across the country. More than 15 million Americans are expected to apply for and receive the high-tech document in the next year. Within a decade, every US passport will contain an RFID (radio frequency identification) chip.

But privacy advocates are voicing concerns that the passport makes Americans more vulnerable to attacks from thieves and terrorists - and perhaps will allow the government to snoop on them as well.

"It clearly is not a secure document," says Barry Steinhardt, director of the technology and liberty project at the American Civil Liberties Union. The new "e-passports," he says, provide "one-stop shopping for terrorists who want to single out Americans for kidnapping or worse."

The State Department, which issues US passports, insists that these kinds of concerns are groundless.

"It's the most secure passport we've ever issued," says Ann Barrett, acting deputy assistant secretary for passport services at the State Department. "It has the next generation of security features."

In August, Denver became the first regional passport office to issue the new passports. Other regional offices will switch over in stages in the weeks ahead. By February or March, all new passports will contain the RFID feature, Ms. Barrett estimates.

The tiny chip, embedded in the back cover of the passport, contains in digital form the same information printed on the biographical page of the passport: the person's name, date of birth, gender, place of birth, issue and expiration dates, and the person's passport photo. When the e-passport is opened and placed within a few inches of a passport "reader" at a US Customs station, it reveals its information.

By displaying the personal data in two forms, print and digitally, an e-passport should be much harder to alter or forge. The digital file is "locked" and unable to be changed even if accessed, the State Department says. Metallic shielding material in the cover and spine make the chip impossible to read illegally, or "skim," unless the passport is opened, and then only from a few inches away.

But not all privacy advocates and security experts have been won over. At a security conference in August, a German hacker showed how he could copy and transfer information from a German e-passport that employs similar RFID technology. And tests made by the American security company Flexilis show how the RFID signal can be read even if the e-passport is opened only a fraction of an inch, such as might happen while it was being carried in a purse or briefcase.

As part of an international agreement, more than two-dozen countries are converting to similar chip-bearing passports - an effort that has been pushed along by the US, Mr. Steinhardt says. All citizens of so-called "visa waiver" countries - those, who in most cases don't need visas to visit the US - must carry e-passports by Oct. 26. The Department of Homeland Security is in the process of installing e-passport RFID readers at airport security checks around the country.

Even though a thief might not be able to decipher the contents of an encrypted RFID chip, simply being able to learn that a person is carrying a passport constitutes a security breach, a Flexilis report says. It also may be possible to identify a unique property of the RFID signal that would indicate it came from an American passport. What if over the 10-year life of the passport, critics ask, remote RFID readers become more powerful and hackers become more expert at breaking in? A proposed worst-case scenario imagines using an American e-passport to set off a hidden bomb as it passes in close proximity.

"The security experts out there and the academic community that studies RFID have raised, I think, some very serious and legitimate questions about whether it's a good idea to have this information accessible in this way," says Katherine Albrecht, coauthor of "Spychips: How Major Corporations and Governments Plan to Track Your Every Purchase and Watch Your Every Move."

Unfortunately, she says, the State Department has gone ahead with the e-passport program despite receiving public comments that were more than 98 percent negative.

The proposal didn't receive the kind of open, public discussion that "I think would have led to more acceptance," says Ms. Albrecht, a privacy expert who has tracked how businesses and government use RFID tags for several years.

The apparel company United Colors of Benetton decided it was going to ship its clothing laced with RFID tags a few years ago, but changed its mind after a consumer boycott began.

"If it's a company, you can choose not to buy their products," Albrecht says. But if you need a passport, you'll have to carry the electronic version, like it or not. "You can't boycott the State Department," she says. "It's not like it's a free market where there's somewhere else to go if you don't like the policy."

As an extra layer of security, the e-passports first have to be touched to a conventional bar code-type scanner, the same kind used at grocery stores and on current passports, before the RFID chip can be read. This Basic Access Control "acts like a PIN number" to guard the chip, Barrett says.

But Steinhardt wonders, then, why bother with the contactless RFID scan? The State Department says the chip can contain more information than a bar code can, such as a digital photo. Some have speculated that it eventually may contain a fingerprint image, an iris scan, or other data as well.

Or does the chip have a more sinister purpose?

The State Department reneged on a promise to the ACLU that it could bring in independent experts to take a close look at the e-passport before it was issued, Steinhardt says. "There's clearly something else that they have in mind here, and we believe that they want the ability to track people without their knowledge," Steinhardt says. "That's the only explanation for why an RFID chip is in this passport."

Others who are familiar with RFID technology say the scenarios cooked up by e-passport opponents are far-fetched.

"A lot of these concerns, when you think about them in the real world, they start to become really silly," says Mark Roberti, editor of the RFID Journal. "Are there some scenarios where you could possibly skim some data? Well, yes, maybe. Anything's possible. But, logically, what's the real threat here?"

Terrorists, he says, have much easier ways to identify and attack Americans abroad than to try to employ e-passports. If they're close enough to skim the chip, they're close enough to read "United States of America" on the passport cover, he says.

"There's a lot of misinformation out there," Barrett says. "There are a lot of different RFID technologies, and we're certainly not using Wal-Mart inventory-tracking technology. It's a whole different technology."

For example, when read, the e-passport generates a random ID number. If someone is trying to track the movement of a passport by repeatedly scanning a chip, they'd get a different ID number each time.

"So they really wouldn't know it was you again," she says. "We really have put a lot of safeguards in place to protect the information that's on that ... chip."

If a government were to misuse the passport chip, say, to identify someone who had attended an antigovernment protest, Mr. Roberti concedes that "I think that is a legitimate concern."

The State Department's handling of the e-passport introduction has been "less than ideal and a negative for the RFID industry," he adds.

But the situation has also been instructive. Companies that plan to use RFID tags to carry sensitive information need "to think about what data is on the tag, how it could be abused ... and then address those issues," Roberti says.