Interview: RFID passports and the security danger

November 3, 2006, 2:17 PM UTC
Fortune



In case you haven’t heard, the U.S. government plans to insert RFID (radio frequency identification) tags into passports and other official documents, as a way of verifying who people are. These plans have been much derided, with tech security folks warning that such a system will open the door for criminals to engage in new forms of people tracking and identity theft. (The feds promise that RFID passports will be voluntary, and they will provide protective shields to keep them from leaking data.)

I interviewed Amber Schroader, CEO of privately held Paraben Corp., about the RFID passports and Paraben’s own RFID shield technology. Paraben focuses on government and corporate consulting, has 54 employees and revenues under $10 million. Here’s an edited instant messaging transcript:

Fortt: So, let me get this straight: Paraben makes most of its money from helping cops and companies extract data from cell phones and other devices?

Schroader: Yes, we help with processing devices in the realm of digital forensics. Our speciality is handheld devices.

Fortt: So the idea goes, you guys would know how to protect data, since you’re used to prying data out.

Schroader: Part of protection is knowing how well the lock is going to work, and also knowing how to get around it. I look at it as, we are the CYA of digital things.

Fortt: CYA?

Schroader: Cover Your Assets.

Fortt: Of course. So fill me in on this RFID passport thing: Good idea? Bad idea? Good idea as long as you’ve got your data shielded?

Schroader: Overall I would say a bad idea. Having data you can’t have some level of control over is always a bad idea. The protection of the passport to me was a “have to,” not a “should do.” If they are going to do it, then make sure you are not walking around as a target.

Fortt: Give me a worst-case scenario for how some international baddies could read your RFID-tagged passport and do something evil. You know, a James Bond type thing.

Schroader: OK. So James is feeling savvy with his new RFID, thinking this is great. Faster processing at the airport. Little does he know that the bad guys set up some bombs just outside the secure area of the airport for when a U.S. RFID passport walks by. It triggers the bomb and James now has a very bad day. Did I warn you I am blunt?

Fortt: Gotcha. (Note: James Bond is a Brit of course, and wouldn’t have a U.S. passport, but you get the idea.) So someone could set up systems that look for you to pass through certain locations – and thus track your movements. Is there any identity theft danger here? How much information will RFID passports broadcast?

Schroader: The information is encrypted, but at a recent DEFCON conference (Conference for hackers) they had already broken the passport. There is always a risk of identity theft when it comes to that data, so I would say absolutely. They are passive chips, but a reader calls to it, authenticates, and then reads everything that is seen in your passport application. That is a lot of personal info.

Fortt: All right. You’ve made the case for why the road warrior needs to worry about this passport thing. So what’s your solution?

Schroader: Oddly, the solution came about many years ago with Faraday Shielding. What we have done is we have applied a principle in physics into something that the everyday person can use. We call ours a Passport StrongHold.

Fortt: So this is using the “Superman can’t see through lead” principle?

Schroader: It is made of a tri-woven material of copper, silver, and nickel and can block up to 10 GHz in signal. Which is way beyond what a passport goes out at. You can still have an X-Ray see through it, and so could Superman because there is no lead. But those potential bad guys are blocked completely.

Fortt: Right. But I mean, it’s like the Superman thing, if Superman used RFID instead of X-Ray vision.

Schroader: LOL. It is like that. Think of it as the cone of silence from Maxwell Smart. Just fits in your pocket.

Fortt: Ah. So, how much would one of these copper/silver/nickel baggies set me back?

Schroader: $19.95 for the standard, more for the fashion-savvy versions.

Fortt: And where should I expect to see these things offered? Luggage stores? Target?

Schroader: That is the goal. Right now they are just on our site. Easy online purchasing.

Fortt: Now, given that hackers have already cracked into the passport technology, I’ve got to think the feds might have second thoughts about how fast they roll this out. But RFID is everywhere these days. Are there other applications for the technology? I mean, if this fell into the wrong hands, couldn’t it be used for shoplifting?

Schroader: It could, but we have a very unique form factor with the size, so you could not fit anything in there, and it is shiny gold and Velcro, so opening it covertly to try to steal something would not work so well. RFID passports are already being rolled out in at least two of the passport offices, and the rest will follow after the first of the year.

Fortt: What sorts of data do you spend your time extracting, and what would people be most surprised to learn can be gleaned from their cell phones?

Schroader: I think the most shocking thing for people is that their text messages stay on their phone for a long time after they delete them. Weeks. We extract everything, then figure out the good evidence.