RFID Theft of Passport Info

On one hand I’ve been hearing that hackers can scan your passport (the newer ones with RFID chips) and get your critical information and then go off and do all the bad things associated with identity theft. There is a market for RF-blocking products to protect against such behavior.

On the other hand I’ve been hearing that those hackers don’t get anything useful - the hackers don’t have access to the encryption key that truly gives them access to your data. The only time they can get your info is if they ‘snoop’ while your passport is being scanned by a valid security agent.

I find the latter a little suspicious in that (in my experience) customs agents don’t scan your passport - at most they look at your photo ID to verify you are you. Any ‘scanning’ is done at the kiosk where I have to insert my passport and the machine scans it. I have to assume that has shielding against transmission.

So, what’s the scoop on hackers accessing my passport?

I have an RFID driver’s license.

When scanned by hack #1, it returns a number. A hacker can take that number and use it to look up my record in the state database (hack #2). That record must then be decrypted (hack #3) to get my information.

Color me not worried. Might be one step less with my passport, still not worried.

As far as I knew, the biometric passports only have the information that’s printed in the passport. Height, eye colour, etc. and the picture. It’s so the kiosks can check against that when they take your photo. If a human checks your passport they don’t need to do that as they can read it in plain English/Maori (if it’s a New Zealand one).

I need to renew my passport, so the OP made me curious.

A little googling gives lots of hits for RFID protectors, quite a few portents of doom articles for a few years starting around 2006, then not so much. Even noted security guru Bruce Schneier seems to have stopped talking about the risks.

Also lacking are any reports of actual theft of passport data.

I did find one scholarly article, an ACM paper from 2009 that might answer some of your questions.

It concludes with:

Color me stupid, but what is a hacker going to do with my passport # that I need to be worried about?

He’s not going to apply for credit with it. He’s not going to rent an apartment with it. He’s not going to enroll in University with it.

I guess if he was really good at forging US government documents, he could make a fake passport with my number on it, and enter another country as me. But should I really care? I guess if he was a terrorist and did terroristic things in my name, I probably might care, but I’m thinking that the probability of that occurring is pretty low.

There are two types of RFID passports. On the older version the only data that is stored on the RFID chip is what you can see on the picture page. These passports are protected with what is called Basic Access Control. BAC ensures the integrity and authenticity of the chip and prevents eavesdropping between the passport and the passport reader.

The newer biometric passports also contain things such as your fingerprints and/or iris scans. These use Extended Access Control which is a layer on top of BAC and is used to unlock the biometric data stored on the chip.

If you have an NFC-enabled smartphone you can get a passport reading app. For a BAC protected passport the ‘password’ for the chip is the machine readable code at the bottom of the picture page. The app uses the camera to scan this, then you hold the passport to the phone and it will read the data and show it to you.
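How the machine readable code acts as the chip's ‘password’ under BAC, as an added example that is not part of the thread: the key derivation defined in ICAO Doc 9303, run on specimen values (not a real passport). The function names are this example's own. It shows that a reader which has not optically seen the picture page has no key material to start from.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # repeating MRZ check-digit weights


def char_value(c):
    """MRZ character value: digits as-is, '<' filler = 0, A-Z = 10..35."""
    if c.isdigit():
        return int(c)
    return 0 if c == "<" else ord(c) - ord("A") + 10


def check_digit(field):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    """Document number, date of birth and expiry, each followed by its check digit."""
    fields = (doc_number.ljust(9, "<"), birth_yymmdd, expiry_yymmdd)
    return "".join(f + str(check_digit(f)) for f in fields)


def key_seed(mrz_info):
    """K_seed: the first 16 bytes of SHA-1 over the MRZ information."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def odd_parity(byte):
    """Set the low bit so the byte has odd parity, as DES keys require."""
    byte &= 0xFE
    return byte | (1 if bin(byte).count("1") % 2 == 0 else 0)


def derive_key(seed, counter):
    """counter 1 gives the encryption key, counter 2 the MAC key (two-key 3DES)."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()[:16]
    return bytes(odd_parity(b) for b in digest)


if __name__ == "__main__":
    # Specimen values only (constructed input, not a real document).
    info = mrz_information("L898902C", "690806", "940623")
    seed = key_seed(info)
    print("MRZ information:", info)
    print("K_seed:", seed.hex().upper())
    print("K_enc :", derive_key(seed, 1).hex().upper())
    print("K_mac :", derive_key(seed, 2).hex().upper())
```

Every input to the keys is printed on the picture page, so the keys are only as secret as that page is kept out of sight.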

He can get your full name and date and place of birth with it, and find out lots of other handy information about you with those. But I’m not worried either.