Make calls AND rip IDs from nearby passports!
Wednesday February 15th 2006, 5:40 pm
Filed under: IT Security and Policy

Hiding in plain sight, a debate has been raging about the US State Department’s directive that all American passports employ RFID technology as a means of digitizing a significant chunk of their identification function.

There are many concerns about how this system will work in the real world (most focused on the “radio frequency” part of the equation – transmission of data via radio creates a host of security dilemmas, as any unsecured wifi access point hosting sucka will attest). Bruce Schneier has comprehensively covered this topic for a year or so, and other groups, such as the ACLU, are all over it.

Now comes word that Adi Shamir, professor of computer science at the Weizmann Institute, has demonstrated that the most popular brand of RFID chips can be cracked via the use of ordinary cellphones.

Apparently this type of attack is only effective against chips that aren’t internally powered (depending passively upon electromagnetic energy – e.g. being scanned by an RFID reader – for their ability to respond).

Shamir announced this at the (rather informative) RSA conference.

Although the State Department claims to have addressed the sort of vulnerabilities Shamir describes, we’ll have to wait and see if our passports will become crackable by any cheeky monkey with a little know-how and a forty-dollar cellie, or if some reasonable fraction of good design and best practice security techniques wins the day.