Beware of RFID-enabled Terrorists

A security company has demonstrated how passports with embedded RFID transponders could be used to blow up Americans. Be afraid. Be very afraid.

Published: August 7, 2006

You have to wonder about the things some companies spend their time and money on.

A mobile security company called Flexilis has demonstrated how terrorists could use the RFID transponders in e-passports to blow up the holders of those passports. The Flexilis Web site says: “Through extensive research and real-world experimentation, Flexilis has discovered a significant issue in the State Department’s proposed solution. This issue, if not immediately addressed, could put American passport holders at increased risk while traveling abroad for the ten-year lifetime of the passport deployment.”

According to Flexilis, the shielding on the new U.S. passports isn’t perfect. If the passport is open even a fraction of an inch, its presence could be detected, even though no information can be gleaned from it. To show how RFID-savvy terrorists could exploit this vulnerability, the company asked a 21-year-old electrical engineer named Kevin Mahaffey to build a prototype of an RFID-triggered explosive device using off-the-shelf components.

At the recent Black Hat conference in Las Vegas, Flexilis gave out copies of a four-minute video documenting a test of Mahaffey’s handiwork. The video showed a mannequin with a passport moving on a line toward a trashcan. A rocket engine inside the trashcan blasted the dummy when it got close enough for the RFID-enabled passport to be read and trigger the rocket.

It’s hard to believe Flexilis is making a big deal about these so-called “findings.” What Flexilis has “discovered” is that if a U.S. e-passport is open at least a half inch (instead of completely closed), the passport’s chip reflects back some sort of tag identifier in response to a signal from an RFID interrogator no farther than six inches away. The danger, Flexilis says, is that if terrorists can figure out which tag identifiers are used in U.S. passports, they can then plant an explosive device linked to an RFID reader. The reader would trigger an explosion if an American with a partially opened passport came within six inches of it.

Can you imagine Osama Bin Laden and his top lieutenants spending time and money to develop a system that is guaranteed to kill only a single American—a system, mind you, that will only work if said American walks within six inches of the explosive with a passport slightly opened? Why would terrorists bother with such a system when they could much more easily drive a car laden with explosives into a hotel frequented by Americans?

I worry about terrorists nuking New York City. I worry about them hijacking the planes I fly. I worry about them unleashing deadly chemicals in the air or water supply. However, I don’t think I’ll lose any sleep over the prospects of getting blown up by an RFID-enabled device triggered by my passport.