RealTime IT News

U.S. E-Passports Hitting Market

The first generation of electronic passports is debuting now at a port of entry near you.

After four years of intensive debate and security analysis, the U.S. government began rolling out biometric passports in August that contain an embedded RFID chip holding a digital photograph and the bearer's personal data.

Over the next 12 months, an estimated 15 million U.S. citizens will be issued passports containing the RFID chip. As current passports expire, the technology will be loaded on renewals and in a decade all U.S. passports in circulation will carry RFID chips.

Another milestone in the transition to biometric passports comes Thursday, the deadline for U.S. ports of entry to have the capability to compare and authenticate data in e-passports issued by Visa Waiver Program (VWP) countries.

The VWP allows visitors from Great Britain, France, Germany, Japan, Australia and 22 other countries to visit the United States without having to obtain a visa. All are now issuing e-passports to their citizens.

"So far, everything is going according to plan," Frank Moss, deputy assistant secretary for passport services at the U.S. Bureau of Consular Affairs, told internetnews.com.

The e-passport program was delayed by more than two years over security concerns such as the ability of someone other than the State Department to read the chips (often called skimming) and the possibility of tracking individuals through the chips.

"We are confident we are issuing very secure passports because of the depth of security in the passports," Moss said.

To mitigate the threat of ID theft through skimming, the e-passport has a metallic mesh woven into its cover that the U.S. State Department insists "makes it nearly impossible to access the chip when the book is closed."

In addition, the data on the chip is "locked" by a technology known as Basic Access Control (BAC).

The technology requires authentication before the data on the chip can be read. In the case of e-passports, a reader makes an optical scan of the machine-readable zone of the document (the inside-front cover) to generate required encryption keys.

"I am absolutely very confident that the new e-passport does not subject U.S. citizens to invasion of privacy or tracking," said Trace Wiley, director of e-documents at Texas Instruments.

Still, not everyone is entirely convinced.

According to a recent report published by mobile security firm Flexilis, there is a "significant" problem with e-passports.

While admitting the mesh cover material of the e-passport effectively blocks eavesdroppers, the report states the shield design "permits tag communications when a passport booklet is open even a fraction of an inch as could be the case when it is carried in a pocket, purse or briefcase."

According to the report's author, Kevin Mahaffey, instead of disabling communications with a reader when the e-passport is slightly open, the shield merely requires a stronger reader activation field to power up the chip.

Although the data on the e-passport chip is encrypted, Mahaffey claims it is possible to "grab all the data" off the chip if the cover isn't completely closed.

Mahaffey contends the encrypted data can be utilized to "fingerprint" characteristics unique to each country's RFID, possibly leading terrorists to determine the bearer's country of origination.

"Taken to a logical extreme, this could enable what has been described as a RFID-equipped mine which only detonates in the presence of U.S. citizens," Mahaffey writes in the report.

Both the State Department's Moss and TI's Wiley dismiss that possibility.

"The reading range of these chips is very short, optimally about two inches," Moss said. "These are commercial chips and there is nothing uniquely identifying about the country [of origin]."

Wiley added, "I suppose it's possible but it's not really a reasonable scenario."

There are also questions about the surplus memory on the chips.

"Right now, we are filling them up with zeros," Moss said, noting there is enough extra memory for digital fingerprints and iris scans. "But we've made absolutely no decision about future data on the chips."

Moss also said any such decision would be subject to the federal rule-making process, which requires public comment.