The Guardian has a “gotcha” piece about how easy it is to crack the security on the RFID tags in the new UK passports. Bruce Schneier and Bruce Sterling have both commented favorably on the piece, but personally I don’t see what all the fuss is about.

The RFID chip contains a cryptographically signed digital copy of the main page of your passport, including a digital copy of your photograph. The idea is that you can’t modify the name or paste your own photo into a stolen passport, because the digital data won’t match, and you can’t modify the digital data, because it has to be signed by the issuing country. After people expressed concerns that someone nearby could eavesdrop on the conversation between the passport and the RFID reader, the designers decided to encrypt the passport using your passport number, expiration date and date of birth, which are encoded using a barcode (or maybe a magnetic stripe). That way the customs official swiping your card can read the photo, but someone eavesdropping on the RFID conversation can’t.
There’s only one concern the story mentions that makes even vague sense to me:
This means that each time you hand over your passport at, say, a hotel reception or car-rental office abroad to be “photocopied”, it could be cloned with equipment like ours. This could have been done with an old passport, but since the new biometric passports are supposed to be secure they are more likely to be accepted without question at borders.
Certainly people trust computers a little too much, but this sounds like something proper training would solve. The idea that the RFID chip can be cloned doesn’t seem like that difficult a concept to teach.
So what am I missing here?