Spy Blog: "Contactless RFID Biometric Passports in the UK - same risks as US RFID Passports"
April 01, 2005
"There has been some comment online regarding the privacy and security risks of the forthcoming United States Biometric Passports, and the Department for Homeland Security's plans for Federal Employee Smart ID Cards, as outlined by this Wired article and the RFID Kills website.
However it should be remembered that the United Kingdom Passport Service is planning to issue very similar Biometric Passports, to the same International Civil Aviation Organisation standards for Machine Readable Travel Documents at almost the same time as the United States."
"Privacy International have published an analysis of the Passport Service's 5 year plan and the confusion with the controversial National Identity Register and ID Card scheme."
"As Stefan Brands writes, "remember, the privacy activist is nowhere near as technically sophisticated as you are but can smell a universal identifier from a mile away""
"RFID Contactless Biometric smartchips embedded in a United Kingdom passport will introduce exactly the same risks to personal privacy and safety as the United States RFID Biometric Passport, making us more vulnerable to criminals and terrorists than using the alternative and well understood contact smartcards, e.g. like Chip & PIN credit cards etc. We have been pointing out these sorts of risks with RFID tags, especially if they are ever used by our military armed forces, for over two years now, but only recently have some of the media started to pick up on these potential risks."
"Even if strong encryption is incorporated at some point in the message exchange protocol between the Passport chip and the reader device, the initial part of the handshake will be unencrypted and easily recognisable as a United Kingdom or United States passport.
Even if strong encryption is used, there is simply no way to protect against man-in-the-middle attacks by rogue passport reader equipment which an attacker has placed between a genuine Passport reader and the victim's RFID passport, which cannot communicate with the genuine Reader, because of the alleged "security feature" of a restricted range for the normal operation of the RFID radio link."
Cross posted from Spy Blog
Posted by wtwu