UW Computer Security Research and Course Blog

According to Slashdot, researcher Chris Paget was able to capture many identification numbers from the new passports containing RFID tags while driving around San Francisco. Using $250 of equipment (a RFID reader and an antenna) hooked up to his laptop, Paget was able to read the identification numbers of the passport RFID tags from up to 20 feet away. According Paget, it could be possible to read the tags from hundreds of feet away since they are actual radio signals. It is then “trivial to program” a blank tag with the retrieved identification numbers. It is these numbers that are used in verifying the RFID tag.

The concern that arises are the issues of privacy and identity theft. The passport RFID tags do not contain any personal or identifying information themselves, but when they are combined with the information gleaned from other RFID tags that an individual may be carrying, it then becomes possible to track an identity. Paget gives an example of how this can be done. By combining RFID readers at a door way or an entrance, it would be possible to read the tags of driver’s licenses and credit cards (both of which *do* contain identifying information) and match them with the passport identification number. Since it was demonstrated that the passport tag could be read at a distance of many feet instead of inches, a person could be tracked using their passport RFID and their identity would be linked using the data from their driver’s license and credit cards.

Paget has posted a video on YouTube that demonstrates how he accomplished this feat. In it, he mentions two security features built into the passport RFID. They are a lock code and a kill code. The lock code is suppose to prevent the identification number in an RFID tag from being altered. The kill code is intended to disable the tag completely. Paget describes how, when read, these codes are transmitted over plaintext allowing anyone to intercept them. Although Paget admits that only the identification number is used in verification, if the lock and kill code are ever used for verification they are easy to capture.

This should come as a serious concern to those receiving passports and the new driver’s license, as this has been a known concern for some time even though few have been bold enough to demonstrate how easy it is to break this system. Paget does not believe that any personal identification documents should ever contain RFID tags and says his ultimate goal of his research is to “see the entire Western Hemisphere Travel Initiative just be scrapped.” Though these RFID tags make it more convenient for travelers and security personnel alike, the convenience comes at a cost.

It will be necessary for the government to address these security problems for the general public to trust the RFID tags. This will likely mean that the data must be encrypted instead of being broadcast over plaintext. It may also mean reducing the range at which the passport RFID tags can be read. However, even if these problems are addressed, this does not fix the problems created by RFID tags in other devices such as driver’s licenses and credit cards. To truly address this problem, it may be necessary to remove RFID tags from cards that do not require them. At a minimum, it will require removing identity information from the cards and encrypting data that must be read.

Links:
http://it.slashdot.org/article.pl?sid=09/02/02/2224255
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/
http://www.youtube.com/watch?v=9isKnDiJNPk
http://darkreading.com/security/privacy/showArticle.jhtml?articleID=213000321
http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-francisco-cloning-rfid-passports/