October 27, 2008, 3:08 PM — RFID tags used in two new types of border-crossing documents in the U.S. are vulnerable to snooping and copying, a researcher said on Thursday.
United States Passport Cards issued by the U.S. Department of State and EDLs (enhanced driver's licenses) from the state of Washington contain RFID (radio-frequency identification) tags that can be scanned at border crossings without being handed over to agents. Both were introduced earlier this year for border crossings by land and water only, and can't be used for air travel. New York is the only other U.S. state with an EDL, though others are in the works.
The information in these tags could be copied on to another, off-the-shelf tag, which might be used to impersonate the legitimate holder of the card if a U.S. Department of Homeland Security agents at the border didn't see the card itself, the researchers said. Another danger is that the tags can be read from as far as 150 feet away in some situations, so criminals could read them without being detected. Although the tags don't contain personal information, they could be used to track a person's movements through ongoing surveillance, they said.
Another danger is that hackers could cause EDLs to self-destruct by sending out a certain number, they said.
"It would be relatively easy for someone to read your passport card or EDL," said Tadayoshi Kohno, an assistant professor of computer science and engineering at the University of Washington.
Though there's no reason for panic, "Our hearts should start to beat a little faster," Kohno said. The risk to individual passengers is low, but the problems create systemic weaknesses in the border-crossing system, according to a summary of the report.
Retail, shipping and other businesses are increasingly using RFID tags as wireless bar codes that can contain more information than traditional printed ones. The growth of the technology is making the tools of RFID hacking more easily available, Kohno said.
In a cloning attack, a hacker could read the information off a card's RFID tag, either while the cardholder was passing by or as the official card reader was picking up the data. The attacker could then encode a generic RFID tag with that same data, Kohno said. With that newly encoded tag, someone could slip through the border by appearing to the RFID reader to have a legitimate identification card, as long as no one asked to look at the actual card.
By themselves, the RFID vulnerabilities don't mean someone will get away with cloning or other attacks, Kohno pointed out.
"In reality, the system involved in border crossings is much greater than just the technical aspect," Kohno said. For example, authorities are likely to interview drivers and passengers crossing the border and look at their identification cards, he said. They may also use other measures against card-cloning near border crossings.
However, Kohno and three fellow researchers believe there are mechanisms available for the RFID tags that the U.S. and Washington governments aren't using.
For example, each tag has two specialized numbers: an access PIN (personal identification number) and a kill PIN. (These are larger than bank-card PINs and aren't chosen by the cardholders.) The access PIN can be used to verify that a tag is legitimate and the kill PIN can be used to render the tag unreadable.
The access PINs are used on both the passport cards and the EDLs, but there are additional security measures that the researchers don't think authorities are using. For example, they could test the access PIN using information from a database, Kohno said. In addition, the kill PIN is not set up on the Washington EDLs, which could make them vulnerable to an attack that would make all such cards at a certain site unreadable, he said. Such an attack could cause a nuisance or undermine travelers' confidence, the summary said.
The researchers have given recommendations to both U.S. and Washington authorities, Kohno said.
Full-size U.S. passports, which are booklets instead of cards, aren't affected by these vulnerabilities because their RFID tags have cryptographic protections and the booklets have metallic covers that protect against snooping, the researchers said.
For self-protection, the researchers suggest consumers use the protective sleeves that come with both cards, which can help to prevent clandestine scanning. Travelers can also use the safer full-size U.S. passports instead.