Researchers find problems with RFID passport cards
RFID tags used in two new types of border-crossing documents in the U.S. are vulnerable to snooping and copying, a researcher said on Thursday.
United States Passport Cards issued by the U.S. Department of State and EDLs (enhanced driver's licenses) from the state of Washington contain RFID (radio-frequency identification) tags that can be scanned at border crossings without being handed over to agents. Both were introduced earlier this year for border crossings by land and water only, and can't be used for air travel. New York is the only other U.S. state with an EDL, though others are in the works.
The information in these tags could be copied on to another, off-the-shelf tag, which might be used to impersonate the legitimate holder of the card if a U.S. Department of Homeland Security agents at the border didn't see the card itself, the researchers said. Another danger is that the tags can be read from as far as 150 feet away in some situations, so criminals could read them without being detected. Although the tags don't contain personal information, they could be used to track a person's movements through ongoing surveillance, they said.
Another danger is that hackers could cause EDLs to self-destruct by sending out a certain number, they said.
"It would be relatively easy for someone to read your passport card or EDL," said Tadayoshi Kohno, an assistant professor of computer science and engineering at the University of Washington.
Though there's no reason for panic, "Our hearts should start to beat a little faster," Kohno said. The risk to individual passengers is low, but the problems create systemic weaknesses in the border-crossing system, according to a summary of the report.
Retail, shipping and other businesses are increasingly using RFID tags as wireless bar codes that can contain more information than traditional printed ones. The growth of the technology is making the tools of RFID hacking more easily available, Kohno said.
In a cloning attack, a hacker could read the information off a card's RFID tag, either while the cardholder was passing by or as the official card reader was picking up the data. The attacker could then encode a generic RFID tag with that same data, Kohno said. With that newly encoded tag, someone could slip through the border by appearing to the RFID reader to have a legitimate identification card, as long as no one asked to look at the actual card.
By themselves, the RFID vulnerabilities don't mean someone will get away with cloning or other attacks, Kohno pointed out.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
rfid
Powered by Twitter
Esther Schindler
Insisting on FOSS Doesn't Mean Annoying Others
James Gaskin
Learn How To Print Pages In Order with Ink Jet Printers
pasmith
More on the super secret Nexus One
Sandra Henry-Stocker
Unix How To: Using Basename Wisely
sjvn
MS says you don't have to check some files for viruses. Bad idea.
jfruh
Rumorville: TV subscription, Apple tablet
mikelgan
Cell phones don't create stress or interrupt much
Tom Henderson
OSes of the Decade: The Good, the Bad and the Ugly
claird
Not enough women in computing? Don't believe it--at least, not uncritically.
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Password management: How the pros store their passwords
- Five portable apps that run anywhere and everywhere
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
