The Dutch government is introducing a new passport in August 2006 with an embedded RFID (Radio Frequency Identification) chip that contains digital information about the holder, such as name, date of birth, fingerprint and passport photo. However, a company from Delft demonstrated on Friday on the TV show Nieuwslicht how easy it is to read (or destroy) the biometric data on the chip from a distance of around 10 meters.
Two RFID chips
The information on the chip is normally read with a radio signal from a dedicated card reader. Security specialists from the company Riscure managed to intercept this radio signal and then cracked the encryption code. Riscure noted that cracking the encryption code is aided by the fact that the Dutch government decided to make the passport numbering scheme sequential instead of random.
They also demonstrated on the show that holding a strong magnet above an RFID chip will completely destroy the information on the chip. This way all the information on one or more passports can easily be erased. The person from Riscure noted on the show that there will probably be a market in the near future for protective passport sleeves to protect the chip from strong magnetic fields.
After this crack, the effective encryption strength of the new passport drops from 60 bits to 35 bits, which is pretty bad if you consider that banks usually use 120-bit encryption for their money transactions.
The new passport will cost 65 euros, will be valid for 12 years and will be given for free to all citizens on their 14th birthday. Hopefully the Dutch government will be able to increase the security of its new passport before the planned release date in August.
What is RFID?
From Wikipedia.org: Radio Frequency Identification (RFID) is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. An RFID tag is a small object that can be attached to or incorporated into a product, animal, or person. RFID tags contain silicon chips and antennas to enable them to receive and respond to radio-frequency queries from an RFID transceiver. Passive tags require no internal power source, whereas active tags require a power source.