The New Zealand Department of Internal Affairs (DIA) is not concerned about reports from the U.K. that say RFID (radio frequency ID) chips in passports can be cracked in as little as 48 hours.
British newspaper The Guardian reports it was able to access the data stored on RFID cards in Britain’s newly launched smart passports.
However, the DIA says there isn’t enough information contained within the New Zealand passports’ chips to create counterfeit travel documents.
DIA passport manager David Philp confirms that it is possible to access the information stored on the RFID chips and use it to make a clone. However, the RFID chip in the e-passports currently issued in New Zealand is just one security feature out of more than 50 contained in the passport.
Having just a cloned chip isn’t sufficient to create a counterfeit passport, Philp says, and adds that such an endeavour is quite involved. While New Zealand passports are “highly desirable,” the DIA has seen very few credible counterfeited ones, he says.
While the general design goal of the e-passport is to lock the holder’s identity to the document in a secure manner, Philp says that there has to be a balance between risk management and customer service.
The passport has to be readable around the world in a reasonable amount of time and ideally in more situations than just immigration.
Philp gives airport check-ins as one example of where RFID-equipped passports should be readable.
Making the e-passport harder to read is possible, Philp says, but it would make immigration processing take longer and inconvenience people.
Researcher Peter Gutmann at the University of Auckland’s department of Computer Science is sceptical that the RFID chip provides any real security benefit. In fact, Gutmann goes further and says in his technical background paper, Why biometrics is not a panacea, that RFIDs in passports “are a disaster waiting to happen.”
German and Dutch passports have already been compromised, according to Gutmann, and this can be done remotely as well. He points to successful attacks by Dutch RFID security specialist Harko Robroch, who has intercepted passport and reader device communications from five meters away. Gutmann says eavesdropping on the reader was possible up to 25 meters.
In comparison, the Guardian article says U.K. passports are readable 7.5cm away, a far shorter distance than Robroch’s interception, but enough in situations such as public transport, where people are close together, to siphon off the data stored in the RFID chip.
However, Gutmann’s worst-case scenario for RFIDs in passports occurs not when they’re being compromised for counterfeiting purposes, but are used to identify the holder. The RFID chip could be used to trigger explosive charges and Gutmann points to a study that shows the current U.S. passport design caused a small, non-lethal explosive charge concealed in a rubbish tin to detonate.
Terrorists could then target specific nationalities automatically, says Gutmann.