Jesse Brown on the problems with Canada's new ePassport

And why the Canadian Passport Office's defence of it is just plain silly

Elvis Lives! As a cloned ePassport.

Forget that Canada’s new ePassports come with a hefty price-bump. Forget as well that they glorify a storied Canadian feminist who also happened to be a bizarre racist. The real problem with our new enhanced travel documents lies in their enhancement. Namely, each one includes an RFID (radio frequency identification) chip, a technology traditionally used to track cattle and Walmart goods.

RFID passports are notoriously insecure. In 2006, German hackers cloned them. In 2008, a hacker from the group called THC (The Hacker’s Choice) also cracked RFID passports and whipped one up belonging, it seemed, to one Elvis Aaron Presley. The anonymous hacker had it scanned at a self-serve kiosk at the Amsterdam airport. Sure enough, Elvis lived.

In 2009, ethical hacker Chris Paget bought a cheap RFID sniffer (you can get them online) and amped it up with signal-boosting antennas. He stuffed the whole kit (assembled for under $250) into his car and took a drive around San Francisco. Soon he had the personal passport data of two strangers, which he could have then cloned if he’d wanted to. Luckily, all Chris wanted was to prove that this kind of thing could be done, so that the world would think twice about issuing ePassports. This part of his experiment failed.

The Canadian Passport Office is doing somersaults to explain how theirs isn’t that kind of RFID. For one thing, they explain, it’s not a tracking device, because it is “passive, which means that it does not have a power source. It cannot transmit signals over long distances”. This is just silly. All (Update: Many) RFIDs are “passive” in the sense that they don’t emit signals on their own. When an RFID reader (sniffer) is pointed at an RFID tag from an appropriate distance, it emits an electromagnetic field that charges the tag, which then sends a signal. So no, it’s not like a self-powered GPS chip that constantly communicates its whereabouts. But yes, it can be, and is, used as a tracking chip that tells you it’s there when it comes into contact with a reading device. Whether you’ve tagged cows or boxes or Canadian citizens with RFIDs, you did so explicitly to track them, and others could potentially track them as well.

But don’t worry, says our Passport Office, because our new ePassports can only be sniffed at very close range; 10 cm, they say. But in a subsequent demonstration, Chris Paget displayed techniques for long-range RFID sniffing, from distances of over 200 feet. Might these techniques be used to extend the range of transmission on our new passports? To the question “Can someone read the information on my ePassport without my knowledge?” the Passport Office is careful not to commit to anything definitive, saying instead that this is “extremely unlikely”. After all, they explain elsewhere, “the personal information stored on the chip is privacy protected by basic access control (BAC),” which they call a “secure mechanism”. But BAC was hacked in 2006.

Since all of these breaches were publicly known years ago, the Passport Office had a chance to subject our new ePassports to rigorous testing before issuing them. Sure, hackers are always finding new vulnerabilities, but at least known bugs can be tested for. Ideally, the results of such testing would be included in the information provided by the Passport Office, but there’s no sign of anything like that on their announcement website. I asked them if they had done any independent security testing at all, and they said they’d get back to me. They haven’t yet, but if they do, I’ll update this post with their answer.

One thing they will be unable to assure me is that the ePassport is totally secure. That’s reasonable: a 100% fraud-proof passport is an impossibility, with or without an electronic element. Adding a potentially hackable chip may bring Canada in line with international standards, but doing so in the name of increased security is dubious. While RFIDs make passports harder to counterfeit through traditional methods, they invite all kinds of new malfeasance from crooks and fraudsters. Of course, the real danger may not lie in illegitimate uses of the ePassport, but in its intended application.

The ePassport’s RFID chips also contain digital copies of Canadian travellers’ passport photos, explicitly collected to be read by facial recognition software. This software is arguably more hackable and less reliable than RFIDs, but let’s put that aside for now. Whether it works or not, facial recognition is the first toe our government is dipping into the world of biometrics. The establishment of a national biometric database is a major undertaking, fraught with privacy, safety, and civil liberty concerns, and we’re entering into it without much conversation.

Professor Andrew Clement of the University of Toronto’s Faculty of Information has been ringing alarm bells on biometrics for years. I asked him about the ePassports, and he had this to say:

“While the 10cm readability remains a 3rd party sniffing concern, in my view the creation of massive, on-line databases of biometric facial images in combination with facial recognition techniques, all done without any substantive independent threat, risk and social impact assessment nor public debate, is overall a much bigger concern.”

Follow Jesse on Twitter @JesseBrown