RFID is being added to all our identification cards, allegedly for security. In fact, it adds nothing for security and makes us vulnerable. Call your elected representatives. This stupidity has to be stopped.The one presentation from the recent Shmoocon that I want to focus on is Chris Paget's on hacking the US Passport Card.
This presentation takes an hour, but I urge you all to take some time
for it. It's not just the great hacking perspective, it's that he gives
further proof of how an initiative in ID standards being undertaken by
the U.S. government and some states is technologically bankrupt.
I'm so bothered by this that I've decided to write my own congressional representatives, Secretary of State Hillary Clinton, Secretary of Homeland Security Janet Napolitano, maybe even President Obama. Enough is enough.
The problem broadly is the WHTI (Western Hemisphere Travel Initiative) and specifically the US Passport Card.
The WHTI is a standard for what is supposed to be a strong form of
identification. The Passport Card can be used when entering the United
States from Canada, Mexico, the Caribbean
and Bermuda at land border crossings or sea ports-of-entry. It is not
valid for international travel by air. Some states are also developing
WHTI-compliant drivers licenses and the State Department lists these
other WHTI-compliant IDs:
- Trusted Traveler Cards (NEXUS, SENTRI or FAST)
- Enhanced Tribal Cards (when available)
- U.S. Military Identification with Military Travel Orders
- U.S. Merchant Mariner Document when traveling in conjunction with official maritime business
- Native American Tribal Photo Identification Card
- Form I-872 American Indian Card
.
What's so special about these cards? As Paget notes in his presentation, they were sold as a way to make identification more secure. In fact, they do nothing of the sort and actually make holders of the cards vulnerable to all sorts of identity theft.
The key to the WHTI cards is that they use an RFID chip, a very simple one. It conforms to the EPCGlobal Class 1 Generation 2 UHF tag protocol.
It's originally designed for tagging products through a supply chain.
The system works well for what it was designed for; it was not designed
to uniquely identify people.
I've written in the past about the chip
in the U.S. Passport Book (what most people call a passport) and
questioned its value, but it's a much more sophisticated system than
that in the Passport Card. The Passport Card chip is a dumb UHF
transmitter that emits a unique code. This code is associated in
government records with the person whose card emits that code.
Paget describes how he built a system for cloning the chips in these
cards for $250. How he got the number that low is a bit of a long
story; long story short, he bought some broken equipment on eBay and
fixed it; brand new at retail with a warranty he might have paid
$3,000, which a criminal might be willing to do.
He took his boss' Passport Card (Paget is not an American) and
cloned it for the crowd. A simple process, it took seconds, it got lots
of applause. What he had, of course, was a cloned RFID chip, not a
Passport Card, so what could he do with it?
Here it's worth explaining the real practical logic for putting RFID
in these cards. After all, if the border guard really needs to look at
the face on the card and the face on the person then what time has been
saved? The idea is that as you approach the station, it reads your card
and uses it to prefetch your records so that when you're there in
person they can check you quickly and not have to enter any information
into the system to note that you crossed the border.
The chips are designed to be read at 30 feet, but in fact they can
be read from much further away. Paget announced that he intended to set
a new world record for this, at least 250 feet, at Black Hat this
summer. Theoretically, with strong enough readers and antennas, you
should be able to read from more than 2 miles away, but this involves
power that Paget doesn't want his own body anywhere near. Practically,
though, he thinks half a mile is obtainable.
It's worth mentioning that the Passport Card comes with a sleeve
that does (according to Paget) block reading the chip. He also says
that other WHTI cards, like the Washington State drivers license, come
with sleeves that don't work. But since the card has a credit card
form-factor I think it's fair to assume many, if not most card holders
will take the card out of the sleeve and put in it a slot in their
wallet. And to use it, even at a border station, they need to take it
out of the sleeve. At that point, half a mile away, Paget may be able
to read the card, too.
After spending half an hour on the technology of cloning the chips,
at 33:39 into the presentation Paget gets into the real meat: How could
you steal identities with this technology? Some of what he says seems a
little far-fetched to me, but most of it is perfectly reasonable.
The number emitted by the RFID chip is "just a number," not the
actual data on you, but that number uniquely identifies you. Combined
with other data it could be used to create a rich database. Paget asks
what if he sets up readers in public and also takes pictures? He could
end up associating pictures with the IDs. He could also set up readers
for other types of RFID cards, like those for credit cards, and
associate with them. Once you tie the Passport Card number with some
other data value that can act as a database key to look up into other
databases of personal information, then you're really cruising. The
coup de grace is where he says how once he gets enough Passport Card
IDs and enough pictures, soon he'll find one where the person looks
enough like him that he can pass a superficial border guard inspection.
Then he can get into the United States on someone else's passport.
Paget makes all of this sound really easy, and I'm not so sure it's
so easy. But it sounds plausible. And the general idea of tying the
number with other personal data seems very plausible.
Paget isn't unsympathetic to border security concerns. He says that
a contact smart card, for example, would not be objectionable because
there's no way for anyone to sniff it. Such cards are also intelligent
enough that they can use encryption and strong authentication. But the
smart card doesn't meet the convenience level for security officials
that the EPCGlobal chips do because you have to put then in a reader to
read them, but the convenience isn't worth the trade-off. He argues
that WHTI should be scrapped and the replacement should come from an
improved RealID.
Paget quotes some impressive people and bodies who opposed RFID in WHTI: the American Electronics Association and even the Department of Homeland Security Data Privacy and Integrity Advisory Committee. But who do you think said this?
State and DHS do not appear to have tested this
technology for use in a personal ID card ... I urge State and DHS to
give careful consideration to concerns that it has chosen the wrong
technology for its program.
Why, it's then-Sen. Hillary Clinton, now in charge of passports. Perhaps she's now in a position to do something about her earlier concerns.
Paget has set up a site at rfidhackers.com for following this topic.
Thanks to Bruce Schneier for pointing me to this presentation.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.
Network Security & Hardware 
