Aug. 16, 2006 -- U.S. Immigration and Customs Enforcement is expected to issue 13 million passports this year. And one group of security experts says the American passports could be used as potential bomb triggers.
The new e-passports, fitted with radio frequency identification, or RFID, tags for wireless processing when people pass through Customs, will be issued for the first time this week, starting at the Aurora, Colo., Passport Agency.
But experts at Flexilis, a Los Angeles RFID security firm, argue that the digital document could be used to set off a bomb. An e-passport containing stolen RFID tag data need not even come in contact with the bomb trigger. It only has to be nearby.
Kevin Mahaffey, a director of software development at Flexilis, presented a report on RFID security concerns at the Black Hat Security Conference in Las Vegas in July 2005. He said the following question was raised: "What if a terrorist were to develop a RFID-enabled land mine tuned to the frequency of an American passport when it came in proximity? Could it detonate an explosive?"
So Mahaffey and his Flexilis colleagues decided to carry out a "proof of concept" experiment. They used a mock-up of the new passport, equipped with an RFID chip, and set up a small explosive charge nearby. With the passport about a half inch open -- as it might easily be in someone's pocket or purse -- Mahaffey demonstrated how the explosive could be set off when the passport came within a foot of it. You can see the demonstration by clicking here. And Flexilis has posted more information here.
"The government has taken great steps in securing the passport, but our one fundamental concern is that the shielding technology is inadequate," says John Hering, director of Flexilis. Hering claims Flexilis' tests reveal the tag can be easily read, in spite of the metallic shielding in the passport.
"If you can wrap the entire cover of the passport (not just one side) in a conductive material -- solid core or fiber -- we can prevent any of these concerns," says Mahaffey. "Even if the encryption is broken, they still cannot read the passport because it is physically impossible."
The State Department counters that the e-passports come equipped with several layers of security. Infineon Technologies in San Jose, Calif., supplies the RFID chips. "There are more than 50 individual security mechanisms inside the Infineon chip to ensure that personal data remains private," says company spokesman Matthew Schmidt in an e-mail to ABC News. "Passport holders should exercise the same caution they do with current printed passports to protect personal information."
That means the new e-passport should be kept safely -- and closed completely -- as you travel.