One of the stories out of the Defcon conference this week is more far-reaching than it is surprising. Security experts such as Bruce Schneier have been warning for quite some time that the international trend toward adding radio frequency identification (RFID) tags to passports to store personal information is a recipe for privacy and security disaster.
Now a German researcher has demonstrated how he acquired an RFID reader and cloned the RFID chip in a passport. The cloned passport, he said, would easily pass through an automated processing site.
Schneier, for one, points out in his blog and elsewhere that a smart card-enabled passport makes more sense than an RFID-enabled passport. He's a guru who's also got common sense. We haven't seen anyone else bring up the fact that U.S. passports are valid for 10 years -- and no technology is likely to escape compromise in that period of time.
U.S. authorities plan to begin issuing RFID-enabled passports to citizens in October 2006. (Several European countries are already issuing them.) Both they and enterprise planners who use or are considering RFID chips should bear in mind that, as wariness of the technology's privacy implications grows, end users have the option of blocking RFID readers or destroying the chips altogether.
Schneier says "the best way to solve a security problem is not to have it at all." But, with RFID, it may not be the RFID technology owner who gets to make that decision.