How secure are U.S.’ new ‘smart’ passports?

In a scary video on YouTube, an explosion in a trash can, which appears to be wirelessly triggered by a passport equipped with a computer chip, blows away a dummy.

Two caveats: That’s not a real passport, and even Kevin Mahaffey, the L.A. security consultant who made the video, calls it “a far-out scenario.”

It is unlikely that terrorists or others could steal your identity or attack you through the new computer chips in U.S. passports, many experts say. But that hasn’t stopped the rumors from ricocheting around the Internet and elsewhere.

Sorting fact from fiction is tough when it comes to the “smart” chips, tiny integrated circuits that are now being embedded in U.S. passports. They’re part of U.S. efforts to improve border security that, starting Jan. 31, will also tighten document requirements for traveling from Canada to the U.S.

Here’s how the chips work:

They use radio frequency identification, or RFID, a wireless technology with various applications.

The chip on your passport stores your name, gender, birth date and place; your passport number, its issue and expiration dates; and a digital version of your ID photo. It broadcasts this data when its antenna is activated by signals from a government reader at a border crossing.

The security of this broadcast is the crux of the debate. The State Department says the chip’s range is about 4 inches and that it cannot be read when the passport book is fully closed.

But with the right equipment, early critics said, people several feet away or more could secretly access the data and use it to identify Americans, track their movements and steal their personal information. The chip could also be copied or altered to make phony passports, some critics worried.

Responding to concerns, the State Department added security features:

* To block radio signals, it put metallic material in the passport’s front cover and spine.

* To thwart eavesdropping, it placed a cryptographic key on the printed data page that must be read by an optical scanner to unlock the chip’s data. (Officials note Social Security number and address are not on the chip.)

* To prevent tracking, it installed a “randomized unique identification” system that presents a different ID to a reader each time the chip is accessed.

* To counter fraud, it installed a digital signature that flags chips that have been altered.

These measures have at least partly mollified some critics, including Ari Juels, chief scientist and director of RSA Laboratories in Bedford, Mass., who analyzed earlier versions of the embedded-chip passport and found them wanting.

“At the moment, the security protections in U.S. passports are pretty good,” Juels said.

Bruce Schneier, chief technology officer of the BT Counterpane security company in Santa Clara, Calif., said he was pleased with the final version of the passport.

But both men said RFID technology is potentially vulnerable. And other experts say they found flaws. They include Mahaffey, a co-founder of Flexilis Inc., a mobile security company that made the video of the exploding trash can.

If your passport book falls open by even half an inch, Mahaffey said, a nearby person could wirelessly detect that you are an American and, conceivably, trigger a bomb as you pass by -- although the likelihood of the latter is “very low,” he conceded. (The State Department disputed the validity of his video, which Mahaffey said featured a mock passport that he fabricated using similar materials to an authentic one.)

Another expert, Lukas Grunwald, chief technology officer with the German security company DN-Systems Enterprise Internet Solutions, says he was able to copy data from an RFID chip on a German passport and transfer it onto another passport.

Although the digital signature on U.S. chips could detect such fraud, Grunwald said his demonstration suggests that criminals might be able to use the chips to introduce malicious viruses into the inspection system.

In the end, given the new technology and its complexity, it’s impossible to know whether the RFID chip is 100% safe, experts said.

“We know that there are counterfeiters out there,” said Michael Holly, chief of the international affairs staff in the passport services directorate of the State Department. “I don’t think anyone will say . . . the document is foolproof.”

But its possible flaws, I suspect, needn’t keep you up at night.

jane.engle@latimes.com