RFID is being added to all our identification cards, allegedly for security. In fact, it adds nothing for security and makes us vulnerable. Call your elected representatives. This stupidity has to be stopped.
The problem broadly is the WHTI (Western Hemisphere Travel Initiative) and specifically the US Passport Card.
The WHTI is a standard for what is supposed to be a strong form of
identification. The Passport Card can be used when entering the United
States from Canada, Mexico, the Caribbean
and Bermuda at land border crossings or sea ports-of-entry. It is not
valid for international travel by air. Some states are also developing
WHTI-compliant drivers licenses and the State Department lists these
other WHTI-compliant IDs:
Trusted Traveler Cards (NEXUS, SENTRI or FAST)
Enhanced Tribal Cards (when available)
U.S. Military Identification with Military Travel Orders
U.S. Merchant Mariner Document when traveling in conjunction with official maritime business
The key to the WHTI cards is that they use an RFID chip, a very simple one. It conforms to the EPCGlobal Class 1 Generation 2 UHF tag protocol.
It's originally designed for tagging products through a supply chain.
The system works well for what it was designed for; it was not designed
to uniquely identify people.
I've written in the past about the chip
in the U.S. Passport Book (what most people call a passport) and
questioned its value, but it's a much more sophisticated system than
that in the Passport Card. The Passport Card chip is a dumb UHF
transmitter that emits a unique code. This code is associated in
government records with the person whose card emits that code.
Paget describes how he built a system for cloning the chips in these
cards for $250. How he got the number that low is a bit of a long
story; long story short, he bought some broken equipment on eBay and
fixed it; brand new at retail with a warranty he might have paid
$3,000, which a criminal might be willing to do.
He took his boss' Passport Card (Paget is not an American) and
cloned it for the crowd. A simple process, it took seconds, it got lots
of applause. What he had, of course, was a cloned RFID chip, not a
Passport Card, so what could he do with it?
Here it's worth explaining the real practical logic for putting RFID
in these cards. After all, if the border guard really needs to look at
the face on the card and the face on the person then what time has been
saved? The idea is that as you approach the station, it reads your card
and uses it to prefetch your records so that when you're there in
person they can check you quickly and not have to enter any information
into the system to note that you crossed the border.
The chips are designed to be read at 30 feet, but in fact they can
be read from much further away. Paget announced that he intended to set
a new world record for this, at least 250 feet, at Black Hat this
summer. Theoretically, with strong enough readers and antennas, you
should be able to read from more than 2 miles away, but this involves
power that Paget doesn't want his own body anywhere near. Practically,
though, he thinks half a mile is obtainable.
It's worth mentioning that the Passport Card comes with a sleeve
that does (according to Paget) block reading the chip. He also says
that other WHTI cards, like the Washington State drivers license, come
with sleeves that don't work. But since the card has a credit card
form-factor I think it's fair to assume many, if not most card holders
will take the card out of the sleeve and put in it a slot in their
wallet. And to use it, even at a border station, they need to take it
out of the sleeve. At that point, half a mile away, Paget may be able
to read the card, too.
After spending half an hour on the technology of cloning the chips,
at 33:39 into the presentation Paget gets into the real meat: How could
you steal identities with this technology? Some of what he says seems a
little far-fetched to me, but most of it is perfectly reasonable.
The number emitted by the RFID chip is "just a number," not the
actual data on you, but that number uniquely identifies you. Combined
with other data it could be used to create a rich database. Paget asks
what if he sets up readers in public and also takes pictures? He could
end up associating pictures with the IDs. He could also set up readers
for other types of RFID cards, like those for credit cards, and
associate with them. Once you tie the Passport Card number with some
other data value that can act as a database key to look up into other
databases of personal information, then you're really cruising. The
coup de grace is where he says how once he gets enough Passport Card
IDs and enough pictures, soon he'll find one where the person looks
enough like him that he can pass a superficial border guard inspection.
Then he can get into the United States on someone else's passport.
Paget makes all of this sound really easy, and I'm not so sure it's
so easy. But it sounds plausible. And the general idea of tying the
number with other personal data seems very plausible.
Paget isn't unsympathetic to border security concerns. He says that
a contact smart card, for example, would not be objectionable because
there's no way for anyone to sniff it. Such cards are also intelligent
enough that they can use encryption and strong authentication. But the
smart card doesn't meet the convenience level for security officials
that the EPCGlobal chips do because you have to put then in a reader to
read them, but the convenience isn't worth the trade-off. He argues
that WHTI should be scrapped and the replacement should come from an
Paget quotes some impressive people and bodies who opposed RFID in WHTI: the American Electronics Association and even the Department of Homeland Security Data Privacy and Integrity Advisory Committee. But who do you think said this?
State and DHS do not appear to have tested this
technology for use in a personal ID card ... I urge State and DHS to
give careful consideration to concerns that it has chosen the wrong
technology for its program.
Why, it's then-Sen. Hillary Clinton, now in charge of passports. Perhaps she's now in a position to do something about her earlier concerns.
Paget has set up a site at rfidhackers.com for following this topic.
Thanks to Bruce Schneier for pointing me to this presentation.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
Larry Seltzer has been writing software for and English about computers ever since,much to his own amazement,he graduated from the University of Pennsylvania in 1983.
He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.
For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.
In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.
Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.