Passport to a Void Promise

Analysis: Solving the wrong problem in the wrong way is a stupid tech trick.

A U.S. Government order for "several million" RFID chips puts Infineon Technologies on the pointy end of the international push for standardized electronic passports. Infineons Aug. 21 announcement has driven home the scale of this massive rollout, with 15 million logo-bearing U.S. e-passports expected to be issued in their first year of general use.

The potential benefits and risks of e-passports must be weighed against their certain cost—$97 each. Proponents claim greater speed and certainty of identification. A chip will store an encrypted digital photo, enabling comparison against the face of the bearer. Printed data will also be digitally encoded, signed to prevent alteration.

Drawbacks include possible ease of reading the digital information surreptitiously. The intended maximum reading distance is on the order of 4 inches, suggesting that the data could be accessed through clothing.

We commend the need to scan a printed code in the passport before its on-chip information can be used. We note, though, that multistage attacks combining a long-lensed camera and RFID (radio-frequency identification) reader are all too plausible.

We also note that a passport may be false rather than forged. A genuine passport may be obtained using a fake birth certificate, for example. A passport with a failed e-chip remains a valid travel document, making claims of added security moot if a miscreant has the wit to disable the RFID device.

Designers of security systems must not assume that crackers will play by the rules. Its pointless to have the equivalent of a locked front door if an attacker can cut a hole in the roof.

Technology Editor Peter Coffee can be reached at


Check out eWEEK.coms for the latest news, views and analysis of technologys impact on government and politics.