The one presentation from the recent Shmoocon that I want to focus on is Chris Paget's on hacking the US Passport Card. This presentation takes an hour, but I urge you all to take some time for it. It's not just the great hacking perspective, it's that he gives further proof of how an initiative in ID standards being undertaken by the U.S. government and some states is technologically bankrupt.
I'm so bothered by this that I've decided to write my own congressional representatives, Secretary of State Hillary Clinton, Secretary of Homeland Security Janet Napolitano, maybe even President Obama. Enough is enough.
The problem broadly is the WHTI (Western Hemisphere Travel Initiative) and specifically the US Passport Card. The WHTI is a standard for what is supposed to be a strong form of identification. The Passport Card can be used when entering the United States from Canada, Mexico, the Caribbean and Bermuda at land border crossings or sea ports-of-entry. It is not valid for international travel by air. Some states are also developing WHTI-compliant drivers licenses and the State Department lists these other WHTI-compliant IDs:
- Trusted Traveler Cards (NEXUS, SENTRI or FAST)
- Enhanced Tribal Cards (when available)
- U.S. Military Identification with Military Travel Orders
- U.S. Merchant Mariner Document when traveling in conjunction with official maritime business
- Native American Tribal Photo Identification Card
- Form I-872 American Indian Card
The key to the WHTI cards is that they use an RFID chip, a very simple one. It conforms to the EPCGlobal Class 1 Generation 2 UHF tag protocol. It's originally designed for tagging products through a supply chain. The system works well for what it was designed for; it was not designed to uniquely identify people.
I've written in the past about the chip in the U.S. Passport Book (what most people call a passport) and questioned its value, but it's a much more sophisticated system than that in the Passport Card. The Passport Card chip is a dumb UHF transmitter that emits a unique code. This code is associated in government records with the person whose card emits that code.
Paget describes how he built a system for cloning the chips in these cards for $250. How he got the number that low is a bit of a long story; long story short, he bought some broken equipment on eBay and fixed it; brand new at retail with a warranty he might have paid $3,000, which a criminal might be willing to do.
He took his boss' Passport Card (Paget is not an American) and cloned it for the crowd. A simple process, it took seconds, it got lots of applause. What he had, of course, was a cloned RFID chip, not a Passport Card, so what could he do with it?
Here it's worth explaining the real practical logic for putting RFID in these cards. After all, if the border guard really needs to look at the face on the card and the face on the person then what time has been saved? The idea is that as you approach the station, it reads your card and uses it to prefetch your records so that when you're there in person they can check you quickly and not have to enter any information into the system to note that you crossed the border.
The chips are designed to be read at 30 feet, but in fact they can be read from much further away. Paget announced that he intended to set a new world record for this, at least 250 feet, at Black Hat this summer. Theoretically, with strong enough readers and antennas, you should be able to read from more than 2 miles away, but this involves power that Paget doesn't want his own body anywhere near. Practically, though, he thinks half a mile is obtainable.
It's worth mentioning that the Passport Card comes with a sleeve that does (according to Paget) block reading the chip. He also says that other WHTI cards, like the Washington State drivers license, come with sleeves that don't work. But since the card has a credit card form-factor I think it's fair to assume many, if not most card holders will take the card out of the sleeve and put in it a slot in their wallet. And to use it, even at a border station, they need to take it out of the sleeve. At that point, half a mile away, Paget may be able to read the card, too.
After spending half an hour on the technology of cloning the chips, at 33:39 into the presentation Paget gets into the real meat: How could you steal identities with this technology? Some of what he says seems a little far-fetched to me, but most of it is perfectly reasonable.
The number emitted by the RFID chip is "just a number," not the actual data on you, but that number uniquely identifies you. Combined with other data it could be used to create a rich database. Paget asks what if he sets up readers in public and also takes pictures? He could end up associating pictures with the IDs. He could also set up readers for other types of RFID cards, like those for credit cards, and associate with them. Once you tie the Passport Card number with some other data value that can act as a database key to look up into other databases of personal information, then you're really cruising. The coup de grace is where he says how once he gets enough Passport Card IDs and enough pictures, soon he'll find one where the person looks enough like him that he can pass a superficial border guard inspection. Then he can get into the United States on someone else's passport.
Paget makes all of this sound really easy, and I'm not so sure it's so easy. But it sounds plausible. And the general idea of tying the number with other personal data seems very plausible.
Paget isn't unsympathetic to border security concerns. He says that a contact smart card, for example, would not be objectionable because there's no way for anyone to sniff it. Such cards are also intelligent enough that they can use encryption and strong authentication. But the smart card doesn't meet the convenience level for security officials that the EPCGlobal chips do because you have to put then in a reader to read them, but the convenience isn't worth the trade-off. He argues that WHTI should be scrapped and the replacement should come from an improved RealID.
Paget quotes some impressive people and bodies who opposed RFID in WHTI: the American Electronics Association and even the Department of Homeland Security Data Privacy and Integrity Advisory Committee. But who do you think said this?
"State and DHS do not appear to have tested this technology for use in a personal ID card ... I urge State and DHS to give careful consideration to concerns that it has chosen the wrong technology for its program."Why, it's then-Sen. Hillary Clinton, now in charge of passports. Perhaps she's now in a position to do something about her earlier concerns.
Paget has set up a site at rfidhackers.com for following this topic.
Thanks to Bruce Schneier for pointing me to this presentation.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.