
Does your passport look like this, with a strange-looking symbol on the bottom? Then you’re in luck, for your passport contains an RFID tag! Now, we’re not exactly the tin foil hat types, but news that one of those security researcher types has managed to copy sensitive data off various passports in San Francisco without the owners’ knowledge does annoy us. What’s worse is that the pertinent officials, the Foggy Bottom bunch, don’t really seem to care. Why would they?
It’s like this: Chris Paget, a security researcher, built a $250 device with off-the-shelf (read: eBay) components. With this device in hand, he sped around the mean streets of San Francisco, looking for passports to scan, and he found some! The RFID tags don’t contain any identifying information per se—it’s not like the tag says, “This is John Smith’s passport, and his Social Security Number is 123-45-6789”—but they do contain a unique number.
The real problem starts if an Evildoer is able to sync up a passport number with a driver’s license number. (Some new driver’s licenses contain RFID tags.) Now the Evildoer has both your non-identifying passport and the info from your driver’s license, which, presumably, does contain identifying info. Now the Evildoer has your personal info! Horror!
The State Department, which issues passports, had nothing to say about the matter. Customs, however, offered The Register a weak quote, saying that doomsayers will always look for a way to demonize a new technology. Apparently saving a few minutes scanning people at airports and other border crossings is worth more than personal, and national, security. Maybe if these security researchers threw around scary-sounding words like “terrorism” or “Islam is the light” then the government would pay more attention. Or maybe we’ll have to wait for Today Show producers to catch wind of this and put together a segment, scaring Middle America and generating the attention this warrants. After all, it’s one thing for a security researcher to make a YouTube video, which is then picked up by techies like The Register (and us here at CG), but it’s an entirely different can of beans when you scare Middle America into action. Someone call Hannity!
Photo: Flickr

RFID has so many good uses. However, videos like this definitely show the really poor uses as well. I do hope that this catches on. I don’t really want to be carrying around credit cards with RFID, but I know I definitely do not want to have any identification materials on me that are tagged with RFID.
I wish these articles would start and end with the fact that you can take your passport with the RFID chip and smash it with a hammer. It doesn’t invalidate your passport, it just makes you wait in line at the border longer. That’s your choice.
Actually, if you take a hammer (or a microwave) to the RFID chip in your passport, there’s a good chance that you may invalidate it as a means to cross borders. DHS hasn’t laid out the rules for what happens if your RFID is broken, and since they claim it “adds security at the border” they probably wouldn’t be too happy about it. I wouldn’t go smashing any chips just yet – but certainly keep anything with a tag in a metal sleeve (not 100% protection but much better), and leave it in a safe place at home if you’re not going to use it.
I just keep mine in an anti-static bag when I’m not at an airport.
I hope you just misspoke. An anti static bag is great for reducing static and “Protecting” your electronic parts. I think you would really like a metal screen like bag that is a ‘faraday cage’ to reduce rf energy from reaching your rfid passport.
Additionally this ‘hack’ is not a hack at all since the XR400 reader and antenna are normal run of the mill ($3000) equipment used in factories.
Actually, learning more about the Paget guy. He is not cloning or reading passports at all, just the “pass card” issued for north america travel only. This card has a longer range rfid tag but it is issued with a metal screen pouch for protection.
read more
http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-francisco-cloning-rfid-passports/
I have a feeling that you are probably one of the few people on Earth who didn’t understand what I meant, but if I must, I meant an ESD protection metallized shielding bag. You know the type of bag, in my experience at least, most people call anti-static bags. You are correct though that the term “anti-static bag” could also refer to a bag designed not to generate static.
You should check the continuity on those bags. Methinks the thin mylar coating is just conductive enough to prevent high voltage static buildup, and way way below the conductivity required to offer actual EM protection.
Reading the SSID (a RO field) does not mean you cloned the passport, it’s just a number with no meaning.
You can’t reprogram a tag to have some random SSID your equipment was able to read on the street (once again it’s a read-only field).
While you could technically create an active device to mimic an SSID, it’s certainly not trivial.
Yes, it is trivial. All you need are some “blank” cards. Normally the SSID is built in when the card is produced – but “development” cards can be programmed with any SSID desired.
I am sorry to say this but as a Muslim I am getting offended by your “Islam is the light” crap. I don’t understand if that is negative or positive.
What of the real security risk that I see? Anyone anywhere can do this, how ’bout someone rigs a couple of taxis with devices like this… Who cares about Identification questions they just know who the Americans are THAT IS MORE INFORMATION THAN I AM WILLING TO DIVULGE IN SOME PLACES!!!
Here is a cool new way to authenticate your passport: Ingenia, a startup from the UK, developed a “fingerprinting” system for documents, such as passports. The system scans the surface and using its algorithm gives it a unique ID-code that can be used to identify the passport again in the future. Ingenia won the “Global Security Challenge” in 2006.
This article is not factually correct and does not accurately match the video. The U.S. passport is not vulnerable to the remote reading attack demonstrated on RFID-based US Passport Cards and EDLs by Chris Paget in his video.
US Passports are not the same as US Passport Cards and Enhanced Driver’s Licenses, and they use different technologies. Chris Paget’s video is about US Passport Cards and EDL as he carefully and accurately states.
US Passport Cards and EDLs use long range, insecure, EPC Gen 2 RFID tags, which lack encryption and authentication.
By contrast, the blue U.S. electronic passport books (incorrectly pictured above in the context of the video) use RF-enabled contactless smart card technology. This is a completely different technology that includes a small computer inside the passport book.
U.S. electronic passports are very privacy-secure. A metallic shield in the cover prevents any information from being read when the book is closed. Further, it has a short read range of two inches and the chip won’t give up any information until the passport book is physically opened and a unique key that is printed inside the passport is optically scanned and sent to the chip. The U.S. Department of State calls this passport security Basic Access Control.
More information is available at:
http://www.smartcardalliance.org/pages/activities-councils-identity
http://travel.state.gov/passport/eppt/eppt_2788.html
and from video author Chris Paget who takes the same position at the end of this article by Kelly Higgins in Dark Reading, http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=213000321
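The Basic Access Control step described in the comment above, as an added example that is not part of the original comment or of any State Department code: under ICAO Doc 9303 the reader derives its two access keys from the document number, date of birth and expiry date printed in the machine-readable zone, so a reader that has not optically seen the open data page cannot begin the exchange. The function names and the specimen field values are assumptions chosen for illustration.

```python
import hashlib

def _value(ch):
    """ICAO 9303 character value: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if ch in "0123456789":
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {ch!r}")

def check_digit(field):
    """Check digit: repeating weights 7, 3, 1 over the field, modulo 10."""
    weights = (7, 3, 1)
    return str(sum(_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10)

def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    """Document number, birth date and expiry date, each followed by its check digit."""
    if len(doc_number) > 9:
        raise ValueError("document numbers longer than 9 characters are not handled here")
    doc_number = doc_number.upper().ljust(9, "<")  # pad with MRZ filler
    for date in (birth_yymmdd, expiry_yymmdd):
        if len(date) != 6 or not date.isdigit():
            raise ValueError("dates must be YYMMDD")
    fields = (doc_number, birth_yymmdd, expiry_yymmdd)
    return "".join(f + check_digit(f) for f in fields)

def _odd_parity(key):
    """Set the low bit of each byte so every byte has odd parity (DES convention)."""
    return bytes((b & 0xFE) | (1 - bin(b & 0xFE).count("1") % 2) for b in key)

def derive_bac_keys(mrz_info):
    """K_seed = SHA-1(MRZ info)[:16]; K_enc and K_mac = SHA-1(K_seed || counter)[:16]."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return tuple(
        _odd_parity(hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16])
        for counter in (1, 2)  # 1 = encryption key, 2 = MAC key
    )

# Specimen field values for illustration, not a real document.
SPECIMEN = mrz_information("L898902C", "690806", "940623")
K_ENC, K_MAC = derive_bac_keys(SPECIMEN)

if __name__ == "__main__":
    print(SPECIMEN, K_ENC.hex(), K_MAC.hex())
```

The keys depend only on printed data, which is why the chip stays silent to a reader that has never had line of sight to the open passport book.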
Great article, Nicholas! Unfortunately, the WHTI cards issued so far are based on long read range RFID (UHF). And even worse, these long read range RFIDs don’t have security of any kind – they can be cloned and they emit all information in the clear to any sneaking reader.
Short read range can be achieved by either using a different kind of RFID (based on high frequency – 13.56 MHz), or making appropriate changes to the UHF antenna designs to operate only in near field. This can protect against any off-the-shelf long range reader, such as the one shown in Paget’s video, reading all tags in a wide area.
Verayo provides a unique security technology that addresses the issue of cloning of the RFID chips. Verayo’s technology is a type of silicon ‘biometric’ technology that makes these ID chips effectively unclonable, and enables a strong and robust authentication mechanism based on a silicon chip’s fingerprints. With Verayo’s PUF technology, DHS can collect some silicon fingerprints of the ID chip in each WHTI card they issue, and then authenticate the card at the port-of-entry by comparing the ID chip’s fingerprint.
Additionally, I believe RFID should not store much information, beyond the equivalent of an identifier – a kind of vehicle number plate for the ID card. The mapping of this electronic ‘number plate’ to relevant personal data should happen in some secure backend server. If it is absolutely necessary to store information on the RFID chip it could be encrypted, such that only the authorized readers (like the DHS readers) can decrypt and make sense of it.
The technology certainly exists today, and I think it is a matter of revising the current implementation. That will certainly address a lot of the concerns.
I look forward to more on this story as it continues to unfold in the comments.
- Vivek Khandelwal, Verayo