Gigi Zenk, a spokesperson for the Washington State Department of Licensing, says that she doubts the severity of the findings because the researchers “made a lot of assumptions about how customs and border control work.” While she says that no system is ever completely invulnerable, she stresses that the cards contain no personal information, and that the state of Washington has made it a felony to attempt to skim information from them. “We believe we took considerable steps to mitigate risk,” Zenk says, “and I get concerned about this causing unnecessary fear.”
Juels agrees that “if border agents do all that they’re supposed to do” – including, for example, comparing the photographs stored in the database with those printed on the ID – “they should be able to detect counterfeits.” But he adds that the agents may be tempted to rely on the technology and relax their vigilance.
Even if border agents prove vigilant, the researchers maintain, the cards could still pose risks. “These cards can still reveal information about our lives,” says Tadayoshi Kohno, an assistant professor of computer science at the University of Washington, who worked on the research. “If you think about the social-security number, at some point there could have been an argument that it’s just a number, not personal information. But numbers evolve over time, and uses evolve over time, and eventually these things can reveal more information than we initially expect.”
Jonathan Westhues, an independent security researcher who has studied RFID, notes that much depends on how the tag is actually used. If any official assumes that the tag itself is sufficient proof of identity, then the threat of cloning is serious. He notes, “It’s hard to say what exactly they plan to do with the tag, so it’s hard to say whether the overall system will be secure.” As far as privacy goes, he adds that many people already carry smart cards or cell phones that could be used to track them.
The researchers say that they hope to see passport technology improve as a result of the questions they’ve raised. “The whole RFID infrastructure is not a bad idea,” Juels says. “It just needs to be done well.”