Thursday, August 03, 2006

RFID Passports and Security Technology

RFID stands for Radio Frequency Identification. It's a technology that uses a small microchip that sends out a radio signal with identifying information. A special radio receiver picks up the signal and translates the information into a human readable or computer usable format. People are excited about RFID technology and envision it being used for all sorts of applications (product labels in stores, toll road collections, patient identification, etc.).

So what does this have to do with security? Well, the U.S. and other governments are in the process of incorporating RFID technology in their passports (businesses and organizations are also eyeing the technology for identification cards). Proponents say this makes passports more difficult to forge because all of the information about a person, including a digital picture, is embedded in a chip. The immigration agent uses a scanner that picks up the radio signals from your passport and then all of your personal information is displayed on a computer monitor; which is attached to a database that is automatically queried to see if you're on a bad person list.

However one of the concerns brought up by computer security professionals, is this technology makes it incredibly easy for anyone who has temporary access to your passport to download all of the information on the passport chip without you even knowing it (the data is not encrypted and is easily be read with the right type of equipment).

This concern has now moved from theory to practicality. A German security consultant appears to have found a way to easily clone passport chips. He's demonstrating the technique later in the week at this year's Black Hat conference in Las Vegas (one of the premiere get-togethers for computer security types).

My point here is there's a trend to rely on technology to address real or imagined security issues without understanding the vulnerabilities of the technology. Slick sales pitches, complexities behind the technology that are difficult for the average person to understand, and a desire to find what appears to be a simple and easy to use solution can often expose an organization to increased levels of risk by blindly adopting a security technology.

As a security practitioner you need to watch out for this. You may not be an electronics or computer guru, but you're certainly capable of asking critical questions and doing a bit of Googling on a technology before you endorse its use.


Post a Comment

<< Home