What are the dangers of using radio frequency identification (RFID) tags?

In this expert response, Joel Dubin discusses the dangers associated with radio frequency identification (RFID) tags, and how users can protect themselves.

I am one of the "lucky" ones who just got my renewed passport and there is an encrypted chip in it. I can zip through customs, which is good, but the identification of Americans on a chip isn't comforting. What are the dangers of this, and how can I protect myself against them?

Your concerns about the radio frequency identification (RFID) tag in your new passport are legitimate, and you're not alone. RFID tags, in general, have been controversial within IT security for other uses besides just passports.

But the technology itself is fantastic. As you correctly note, it'll make going through immigration and customs a breeze when returning from overseas travel. And for tracking inventory in a warehouse, livestock on a range or other non-human objects, RFID has streamlined processes and saved money. It's just when it's used for tracking people or for paying bills where problems arise with privacy and security.

The difference in these situations is the possibility of identity theft or fraud. Unlike other transactions, like those on the Web, for example, RFID broadcasts radio signals openly in the air where they can be intercepted. Generally speaking, other wireless devices share this problem. But RFID tags on passports and credit cards carry nothing but personal data and funds and are unusually unencrypted, making them even easier targets for identity thieves and fraudsters.

The other problem with RFID chips versus, say, embedded smart chips is that as wireless devices they don't need to be near the reader to be read. Smart chips, on the other hand, need to be put next to, or into, a reader, so they aren't as susceptible to being sniffed in the open.

On a credit card, someone could conceivably cut out the chip, and the card would still function. But altering a passport not only invalidates it, but is also illegal.

A vocal opponent of RFID passports has been security guru Bruce Schneier, who has railed against RFID chips on his blog since the passports were first released in 2006.

Schneier has mentioned cases where researchers have been able to clone passport chips, including a demonstration at Black Hat in 2006. The exploit took the researcher only two weeks to develop. He was able to order an official RFID passport reader right from the manufacturer in Germany to sniff data from his own passport and embed it on a sample blank passport.

To make matters worse, the same researcher claimed he could have built the same device on his own for about $200 by attaching an antenna to any commercial RFID reader.

Schneier has commented that such tricks would allow criminals to steal identities, forge digital data onto other documents or even clone entire bogus passports. One solution, which Schneier suggested in response to a report about cloning of UK passports in November 2006, would be to send an email or SMS message to a user every time their passport is being used, which would block a criminal from using someone else's passport.

Unfortunately, there isn't much that can be done besides shielding your passport and keeping it as far away as possible from prying eyes and suspicious devices.

Next Steps

Learn why removing the radio frequency identification (RFID) chip from your credit card might be a bad idea.

Joel Dubin examines why RFID credit cards can cause credit card fraud and identity theft.

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing