Jennifer King, a master’s student at UC Berkeley School of Information, has been studying RFID and the government’s approach to using this technology in passports and immigration documents. Her case study of the upcoming e-passports, which incorporate RFID tags, shed some needed light on this complex and controversial issue.
King started out by providing a basic overview of current RFID technology. RFID systems consist of two parts: the RFID chip (also called “tag” and “contactless smartcard”), and the reader. There are two different types of RFID tags: passive tags that are powered by the reader, and active tags that include their own power source. Most of the tags being used today and those that will start appearing in consumer applications are passive tags.
The most common use today for RFID tags is in tracking products through the supply chain, and this application of RFID shows a lot of promise for increasing efficiency. Wal-Mart currently uses RFID tracking on its pallets, but not on individual items, though that level of tagging and tracking will be coming soon. King mentioned that with consumer products, the burden of removing (or “killing”) RFID tags on products, if desired, will likely fall on the consumer.
As part of King’s master’s work she has developed a case study on the controversial e-passport initiative, which involves putting RFID tags in U.S. passports. By the end of this year all new passports issued in this country are supposed to have RFID tags. This is the result of the Enhanced Border Security and Visa Entry Reform Act of 2002. While I knew this was happening and was aware of the controversy around enabling U.S. passports to be seen by RFID readers, one thing King mentioned that I didn’t know was that by 2008 passports will be required for U.S. citizens to visit our two closest neighbors, Mexico and Canada.
King chose to study the e-passport RFID application because it’s a non-consumer-focused use of RFID, it involves real-world examples that may impact people now (unless you stop travelling), and it is also a good example of the kind of problems RFID can solve.
Some of the reasons for choosing RFID for this application are that it can provide better document security (passports become harder to counterfeit), it can facilitate the inclusion of biometric data, many of the ICAO member countries are adopting it, and there was intense lobbying by the RFID smartcard industry. Initially, the only biometric data included in passport RFID tags will be a scan of your passport photo, but we can expect fingerprints and other biometric data to be added in the future.
The original specs for the project were that the RFID chip contain all the data of the ID page of a passport, and that the data be digitally signed, but NOT encrypted. This is one point of controversy, as many privacy advocates would prefer to see this data securely encrypted (and the reasons given for not doing that are pretty weak). The tags in passports are to conform to the ISO 14443 RFID specification, which specifies the radio frequency power and signal interface (13.56 MHz) and the initialization, anti-collision, and transmission protocols to be used.
The security vulnerabilities that have raised the most ire are the possibility of eavesdropping and “skimming” RFID-enabled passports, the surreptitious reading of data off of a passport in a public place. Many people have expressed concern that this ability to possibly identify U.S. citizens in hostile countries could be a scary security issue for Americans.
This issue received much media attention and caused a huge public outcry. Combined with the State Department’s realization that these tags could be read from greater distances than originally thought, the decision was made to redesign the proposed system mid-project to make it less susceptible to eavesdropping and skimming. The State Dept. now admits that these tags can be read up to 10 feet away, but others, including King, think the range is even greater. (At DefCon 2005 an RFID chip was read at a distance of 69 feet, but the type of chip wasn’t specified, and King doubts it was an ISO 14443 chip. The NIST has claimed to read a 14443 chip at 30 feet though.) Part of the work King is involved in consists of experiments to try to determine an accurate range for these RFID tags, though that part of the research is not yet complete.
The changes the State Dept. made to e-passports were to include anti-skimming material in the new passport covers and to add some basic access control to the data, so that a PIN number that is generated from the machine-readable portion of the passport is required to communicate with the RFID chip. King admits this is a significant improvement to the security of e-passports.
King pointed out that RFID hacking is not as easy as you might think, and some of the reasons why are also issues that are confounding the U.S. government as they try to implement this program. In particular, not all ISO 14443 readers can read all ISO 14443 chips, which was a disturbing discovery. The proprietary OS of the chips and readers makes it harder for hackers and researchers to work on these systems, and King also noted that they had a lot of trouble building and modifying antennas for their research. The modified equipment they’ve been working on is also not easily portable (60-foot antennas, etc.), but King points out that all of these hurdles could be changed by increased demand.
King ended her talk with another U.S. government implementation of RFID, one that makes the e-passport program look like a glowing success. The US-VISIT RFID program is attaching RFID chips to I-94 documents, in an effort to better track when people leave the country via some means other than air travel.
Unfortunately, the most common way to do that is by car travel, and since cars are large metal boxes, they act as big Faraday cages and make the reading of RFID signals very problematic. Unless a user in a car holds the document up to the window, it likely won’t be read by an RFID reader. King points out this is a pretty flawed implementation of RFID, as any system that depends heavily on users “doing the right thing” is unlikely to work well.
The U.S. government has spent over a billion dollars on the US-VISIT RFID program so far, and industry experts have dismissed the effort as a very flawed RFID implementation. King points out that the success of RFID applications like this that rely on human interaction requires user-centric design, something that has been missing so far in the government’s work with RFID. As far as she can tell the e-passport program has not included any user testing or privacy impact assessments, and this is a problem.
King wrapped up by mentioning that the Real ID Act of 2005 mandates that by 2008 all state-issued ID cards must contain machine-readable technology with defined data elements, and it’s very likely that RFID will be the technology used. (California is already trying to pass a law prohibiting RFID use in state IDs.) King reiterated that users matter a lot in these kinds of systems and programs, and implementers and developers need to keep the users firmly in mind. Also, it’s clear that privacy and security issues can’t be taken lightly. King believes secure and private RFID systems can be developed if more time and money are spent on these issues.





