Security Review: Are RFID Tags Safe to Use?

By sojc701 at 5:18 pm on February 5, 2009 | 1 Comment

In “Current Event: WarCloning Passport RFID Tags”, a recent experiment by researcher Chris Paget was introduced. According to the article, Paget was able to scan passport RFID tags: during a recent 20-minute drive in downtown San Francisco, he successfully copied the RFID tags of two passport cards without the knowledge of their owners.

The RFID tags contain no personally identifiable information, but rather what amounts to a record pointer to a secure Department of Homeland Security database. But because the pointer is a unique number, the American Civil Liberties Union and other civil libertarians warn the cards are still susceptible to abuse, especially if their RFID tags can be read. The tags could also be correlated to other signals, such as electronic toll-booth payment systems or RFID-based credit cards, to track the detailed movements of their holders.

Asset and security goals
– The main asset is the RFID tag, which represents a person’s identity. If it falls into the wrong hands, it can be used for tracking, stalking, identity theft, and counterfeiting.
– Just like a social security number, the unique identifier number must be properly safeguarded. It must not be scanned without the owner’s knowledge.
– Even if an RFID tag is scanned, an attacker must not be able to copy it or use it.

Adversaries and threats
– The most obvious adversaries are attackers who could copy a passport or driver’s license in which RFID is implemented.
– A person who obtains a copied passport could do many things. For example, terrorists could use the cloned passport to come to the USA, and people could import prohibited things.

Potential weaknesses
– Attackers scan RFID tags in public places and use them to make cloned passports and driver’s licenses.
– Attackers use cloned RFID tags to make payments, such as toll payments, or as credit cards.

Potential defenses
– Shield the RFID tags to restrict the range at which they can be scanned.
– Whenever an RFID tag is scanned, it notifies the user that it is being scanned.
– Add an additional authentication mechanism to be used together with the RFID tag, for example a PIN or a fingerprint.
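
The cloning weakness and the additional-authentication idea above, sketched as an added example (not code from the original post or from any real checkpoint system): a check that trusts the tag's pointer alone accepts a clone, while one that also requires a PIN verified against the back-end record does not. The `Backend` class, the pointer string, the PIN and the three-attempt lockout are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed policy: lock the record after this many bad PINs

def pin_hash(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked database does not reveal PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Backend:
    """Constructed stand-in for the database that the tag's pointer refers to."""
    def __init__(self):
        self.records = {}

    def enroll(self, pointer: str, pin: str) -> None:
        salt = os.urandom(16)
        self.records[pointer] = {"salt": salt, "pin": pin_hash(pin, salt), "failures": 0}

    def check_tag_only(self, pointer: str) -> bool:
        # Weak check: whoever emits a known pointer is accepted, clone or not.
        return pointer in self.records

    def check_tag_and_pin(self, pointer: str, pin: str) -> str:
        # Hardened check: the pointer selects the record, the PIN proves the holder.
        rec = self.records.get(pointer)
        if rec is None:
            return "unknown"
        if rec["failures"] >= MAX_FAILURES:
            return "locked"  # a short PIN is guessable without a retry limit
        if hmac.compare_digest(pin_hash(pin, rec["salt"]), rec["pin"]):
            rec["failures"] = 0
            return "accepted"
        rec["failures"] += 1
        return "rejected"

def demo() -> dict:
    db = Backend()
    genuine = "PTR-0001-CONSTRUCTED"  # constructed sample pointer value
    db.enroll(genuine, "4921")        # constructed sample PIN
    cloned = genuine  # a cloned tag emits exactly the same bits as the original
    return {
        "clone_tag_only": db.check_tag_only(cloned),
        "clone_guesses": [db.check_tag_and_pin(cloned, g) for g in ("0000", "1111", "1234")],
        "after_lock": db.check_tag_and_pin(cloned, "4921"),
    }

if __name__ == "__main__":
    print(demo())
```

After the wrong guesses lock the record, the correct PIN is refused as well, so the genuine owner would need some fallback path that this sketch does not model.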

So far, about 750,000 people have applied for the passport cards, which are credit card-sized alternatives to passports for travel between the US and Mexico, Canada, the Caribbean, and Bermuda. In addition, so-called EDLs, or enhanced driver’s licenses, are currently offered by Washington and New York states. RFID tags are currently used for electronic toll collection at toll booths in several states.
We can keep a social security number safely at home, or a passport and driver’s license safely in our wallet. However, when we carry RFID passports and driver’s licenses with us, we could advertise our identities without our intention or knowledge. RFID will be used more and more widely, but I don’t think that people are fully aware of its vulnerability. I hope that this technology is applied slowly because it contains myself.

1 Comment

    Comment by nhunt

    February 5, 2009 @ 10:03 pm

    Pervasive RFID does raise some serious privacy concerns, but aside from that, I’m not convinced they’re as dangerous as they are often portrayed. The above review mentions that cloned passports can be used to illegitimately enter the US. From my understanding of how RFID is used, this doesn’t seem like a too realistic threat. RFIDs, as mentioned above, provide a string of bits. These bits contain no personal information, but rather are used as a key in a larger database. Assuming a third party has a cloned passport, wouldn’t the human checking the passport see the discrepancy between the passport information and the information contained in the database, despite having a valid RFID tag? If the human was taken out of the loop however (which seems to be the trend these days), I understand where the threat could arise. Do these human-less checkpoints exist?
