Thursday, November 03, 2005

Wired News: Fatal Flaw Weakens RFID Passports

Bruce Schneier has a great article at Wired News on the new RFID-enabled passports that the US Government is introducing. It chronicles the security problems and the (halfway) solutions offered by the US State Department. It is very interesting reading, both for those interested in the actual project and for those interested in the problems that can arise in privacy-sensitive projects that require a high level of technical expertise:

Wired News: Fatal Flaw Weakens RFID Passports

"...The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID is just one example of where, apparently, the State Department didn't have enough of the expertise it needed to do this right.

Of course it can fix the problem, but the real issue is how many other problems like this are lurking in the details of its design? We don't know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny.

The State Department's plan to issue RFID passports by October 2006 is both precipitous and risky. It made a mistake designing this behind closed doors. There needs to be some pretty serious quality assurance and testing before deploying this system, and this includes careful security evaluations by independent security experts. Right now the State Department has no intention of doing that; it's already committed to a scheme before knowing if it even works or if it protects privacy."
