Scaremongers dub RFID passports as potential bomb trigger
By Paul Miller 
posted August 18th 2006 4:18PM
posted August 18th 2006 4:18PM
Sure, we have just as many concerns over RFID-related security technology as anybody, but a new report by mobile security experts Flexilis seems to take things a bit too far. In their report on the lacking shielding of the new e-passports, allowing the passport to be read by a high-powered reader if the book is slightly open, they go on to illustrate the "dangers" of such a security lapse by calling it a potential bomb trigger. Their demonstration involves a passport-toting dummy brushing by a trash can, which explodes once the dummy gets too close. The Flexilis guys even conjecture that a country ID code could eventually be identified in passports, allowing for targeted bombing of citizens from specific countries. The problem with all this, is that any radio-transmitting device could potentially trigger a bomb (phone, Bluetooth device, etc.), nobody has hacked an RFID country code yet, and the situations that would call for this sort of bomb are even more far-fetched than the concept. There's nothing much special about RFID in this regard, other than some security "experts" trying to cash in on the hysteria. Check the video after the break, and judge for yourself whether or not RFID is going to be the hip-cool new detonation system of the decade. We're thinking no.[Via textually.org]
I'm no expert, but I agree with the experts and disagree with Paul (the poster). With the proper RFID reader, a very accurate and reliable bomb detonator could be built. To kill someone with a bomb, timing and proximity to the target is critical. With RFID technology, no triggerman with a scope needs to give the OK, -- instead the target itself becomes the trigger.
I have to agree with the "scaremongers", as passports are issued for a 10 year duration. I seriously doubt the encryption on them won't be cracked within 10 years.
a) Do you guys even read other technology blogs? The frequency with which Engadget is a week or so behind seems to be increasing rampantly of late.
b) The primary reason "terrorists" don't set up bombs to detonate when bluetooth walks by, is that it isn't so specifically targetted as one nation's passport. It wouldn't bode well for their cause if they start blowing up their own people who happen to meander by while on the cell.
c) A tech blog, of all places, should recognize the inevitability of country codes being hacked, stolen, sold, or inadvertantly posted for everyone to see. While these guys are surely getting in on the hype, this is a very real threat (if not immediately).
What these guys aren't realizing is that the majority of terrorist tactics are the opposite of what they're proposing: they're low-tech. We're talking box cutters and flammable liquids in baby bottles, not RFID chips and computer hacking.
Just to add to my previous comments: I have no idea what I'm talking about. I don't have statistics, just a general impression. It just SEEMS to me that the bigger threat is from low-tech terrorism.
Frankly, I'm not one to waste my time being scared by this stuff anyway. I'm more likely to get hit and killed by a drunk driver on the way home from partying tonight than I am to get blown up by a terrorist.
...oh Engadget, when will you stop dismissing such talk as scaremongering... must we all carry the number of the beast on our foreheads before youll believe that Abraham Lincoln can travel through the space time continuum and detonate bombs with a passport that he forgot to wrap with tinfoil?!?!
while you're right that they're often low tech in nature they are also often highly innovative with that low tech. People I've spoken with from Iraq in particular mentioned their use of the garage door triggers (the thing that keeps it from crushing you if you stand underneath it while closing) and linking that to a bomb. Low tech, but an innovative use of it. and with the push for RFIDs to become ubiquitous I don't think it will take too long for the tech to become readily available. But right now this seems like hype until a better proof of concept is displayed that can tell the difference between an American passport and someone else (also, what if the country whose citizens an attacker wants to target doesn't use RFIDs, what then?) Maybe in 10 years...maybe.
Yeah... I'd also have to disagree with the poster on this one... RFID passports, unlike any other wireless technology, allow targeted attacks on specific people or people fitting specific demographics, which are the kinds of killing that are most common. The fact that no one has yet cracked any given code is irrelevant, as tech geeks of all people should know. Codes get cracked, that's what happens. All it takes is one smart guy who wants to make some cash by selling this technology to the wrong people. It may never happen, but it isn't all that unresonable, lets not pretend like it is.
-Taylor
I heard RFID tags cause cancer...
just kidding, theyre harmless. honestly linking rfid passports and terrorist bombs is ridiculous. now dell laptop batteries and terrorist bombs, theres the real threat!
I would've laughed if their shielding improvement was a rubber-band wrapped around the passport. According to their definition of the vulnerability, it would work.
Anyone see Sir Robert King walk too close to his millions and set it off with his lapel pin? (The World is Not Enough) Even 007 can't keep this from happening.
I'd have to agree with the poster on this one - This is kind of ridiculous in terms of being a new threat. What this gives terrorists is the option to invest the same amount of time and energy required to blow up an airport or train station while only killing one person (the blast would have to be small to take advantage of the whole targeting based on country thing). I'm certainly not an expert on the subject but even so, this seems to be just scaremongering.
Oh man, I gotta be really careful next time I strap my passport to my waist and run into a trash can. I'm no expert, but if closing your passport stops the tag from transmitting wouldn't a pants pocket or purse do the same? And how do the terrorists plan to get the explosives and equipments into an airport? Oh well my family's passports are all rubber banded together so even if I am wrong, I'm safe!
I think too much emphasis of this post was placed on the fact that you can use the passport as a trigger. The main point of Flexilis was that the current system doesn't protect against passports being somewhat open. Since Flexilis offers a better solution which does no harm to anyone, why not listen to what they have to say.
But then, why waste all the money to set up an RFID reader, some kind of embedded computer interpreter, etc.. just to blow something up? Wouldn't it be (a lot) cheaper just to go somewhere and blow up some explosives?
Many things can be used to trigger electical systems. RFIDs, cellphones, radio signals, movement, loud noises...
My point is there's no reason to fear what is pretty much a high-tech barcode, used in the same basic way a barcode is used.
why are all the people who work for this 'company' (Flexillis) 15 years old?
some folks spend too much time watching 24!
grow up
More importantly, if the government believes this, they could always just prohibit us from taking our passports onto aircraft, which in turn would keep us from leaving the country and seeing what freedom is actually like.
oh you silly americans.. :D
u should start a dumb level system instead of the threat level system.. :P
Now, first commenting the post above me from dov, why are we silly americans? I hate being insulted with no reason given.
Anyway, though as of right now, I wouldn't consider this a huge threat. But as a concept of what this new technology could be exploited to do... well this definitley seems plausible and scary. Now, I still like to hold the fact that I am more likely to die from falling off the bed then from a plane crash - but still, a hackable technology where your killed just based on your country information or such just seem incredibly scary.
But as mentioned, couldn't there be a feature (now I haven't honestly researched RFID that much so maybe there already is or something) where when you close your passport, it doesn't transmit any information?
oh wow, talk about being uninformed. I didnt see the youtube video at the bottom of the post. though still, I like their idea :)
The terrorist will also incorporate the technology that determines a persons sex, so it only blows up men from a certain country.... also, I hear Osama is developing a new scanner to be sure no cows are injured in the process. They are cutting edge.
While the video was undoubtedly sensational, the threat potential is real. I don't know exactly how plausable the chance is that one's passport will be partially open in a pocket while they walk by a RFID-detector-explosive trash can, other groups have shown that the data off the passport can be read at some distance (http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/) regardless of the built in shielding.
I was shocked when I followed the links and discovered that this YouTube video actually appears to be produced by this company, Flexilis. At first, I was certain that it was a joke, or at least not professional- the whole video smacked of a high school project. The "talent" look far too young to be professionals of any caliber, they have very poor speaking voices and pronunciation, and their acting is simply ridiculous. "And now we will take you to an undisclosed location..." The whole garbage can-firecracker exercise looks cheap and terrible as well. This video is just embarassing. Seriously. I still think that this must somehow not be what it seems, but if it really is a corporate video produced by Flexilis, then I have very little confidence in this company doing anything of any quality.