July 29, 2010, 1:49 PM — LAS VEGAS -- Radio frequency ID tags embedded in U.S. passports can be read hundreds of feet away, potentially making it inexpensive and easy to pick American tourists out of crowds for illicit purposes, a demonstration at Black Hat 2010 showed.
Using off-the-shelf gear he bought in stores and on eBay for less than $2,500, researcher Chris Paget pieced together a system that he says has read the tags at 217 feet, but he believes the same apparatus set up under better conditions could read them at 1,000 feet. He says he's willing to give it a whirl during the Black Hat conference if someone can get him access to a rooftop.
The same RFID chips are used in Canadian passports and in New York State drivers' licenses, he says. They are also used for inventory control at Wal-Mart.
Paget says he is uncertain what personal data is included on the chips, but at the very least it would be possible to figure out, based on batch numbers gleaned from these devices, who issued the IDs and hence where the holder is from. The U.S. government says the chips contain all the information printed on the passport, including a digital copy of the photo.
Security expert Bruce Schneier has written about the passport chips in his blog. "It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily -- and surreptitiously -- pick Americans or nationals of other participating countries out of a crowd," Schneier wrote.
He imagined scenarios in which, if the tags were common enough that people wore and carried more than one, malls could scan customers for these IDs as they enter, creating a digital ID fingerprint for each shopper, and then track exactly where they go while in the mall. This could provide valuable marketing data, he says.
In general, RFID chips are turned on by the power in radio waves sent at them, and they use that power to respond with a signal picked up by a receiver associated with the transmitter. "The tag needs a burst of power to turn on, then drops down in power," he says.