[Reader-list] Cloning and Reading E-Passports and PASS Cards

Taha Mehmood 2tahamehmood at googlemail.com
Wed Feb 11 08:08:22 IST 2009


http://www.rfidjournal.com/blog/entry/4615/

Cloning and Reading E-Passports and PASS Cards

RFID Journal Blog
Posted By Mark Roberti, 02.10.2009

A new video shows self-described hacker Chris Paget driving around San
Francisco in a car equipped with an ultrahigh-frequency (UHF) RFID
interrogator in an effort to read tags embedded in PASS Cards. A
number of Web sites have reported this as news, claiming he "skimmed"
or "cloned" information from electronic passports. This is not true,
however, and what Paget did do isn't nearly as dangerous as it might
seem. I'll explain why, but first, here's a little background on the
PASS Card.

The card was created after the terrorist attacks of Sept. 11, 2001, in
an effort to make the U.S. borders more secure without slowing down
traffic. It allows Americans driving across U.S. borders, or traveling
by sea from Canada, Mexico, the Caribbean or Bermuda, to carry a card
containing an RFID chip instead of a traditional passport book. The
card, approximately the size of a driver's license, can be read
through a vehicle as the owner approaches a border. (Previously, the
only identity document an individual required to drive into the United
States from Canada was a valid driver's license.)

PASS Cards utilize UHF Electronic Product Code (EPC) tags instead of
more secure high-frequency RFID tags that support encryption. The
reason UHF was chosen was that the card would carry only a random
serial number that would be linked to a person's information and photo
in a database. As a car approaches a border checkpoint, the driver
holds up the card, and the system reads it. By the time the vehicle
arrives at the checkpoint, the driver's information is called up on a
screen. The border agent looks at the person's face and the picture on
the screen, and allows him or her to enter the country if they match.

It has been widely reported that the UHF RFID transponders in the PASS
Cards do not support encryption and can be read by any UHF reader. As
such, consumer privacy groups, as well as some RFID vendors, have
called for greater security on the cards (see RFID Vendors Brief
Congress on PASS Card Security). So the fact that Paget could drive
around San Francisco and read tags is not surprising—what is
surprising is how this is being misrepresented.

First, Paget himself refers to reading the tags as "cloning" the tags.
Cloning a tag means creating a copy of a tag that can be used for
nefarious purposes. So the impression a person gets from watching the
video is that Paget could use the captured information to pass himself
off as the PASS Card's holder. But that's simply not the case—if he
were to drive up to the Mexico border-crossing, for example, and
present a cloned PASS Card, its serial number would call up the
original holder's information and photo. In such an event, there would
not be a match, and Paget would be arrested. What's more, the card
also contains the name and a photo of the holder printed on the front,
so he'd have a problem trying to pass himself off as the person whose
tag he read.

Some Web sites reporting about Paget's video have claimed he skimmed
data from e-passports. Nowhere in the video, however, does he ever say
this. In fact, he makes it clear he's talking about PASS Cards and
electronic driver's licenses only, which use RFID technology that
lacks a great deal of security since it was designed for use in the
supply chain, not for identifying people.

Following the video's dissemination, the Smart Card Alliance issued a
press release clarifying this point. "The Smart Card Alliance wants to
make it clear that this [Paget's] demonstration did not involve the
blue U.S. electronic passport books," said Randy Vanderhoof, the
alliance's executive director. "Headlines stating that passports can
be scanned and tracked are wrong. The widely reported demonstration
involved U.S. passport cards and enhanced driver's licenses, which use
EPC Gen 2 RFID technology. These are different travel documents, and
use completely different technologies from U.S. electronic passports,
which use contactless smart-card technology and are very
privacy-secure."

The Smart Card Alliance called for a review of EPC technology use,
because the organization promotes the use of more secure forms of
RFID. There are, of course, many ways to enhance security, such as
employing encryption or shielding to prevent tags from being skimmed.
Government agencies should consider all options and choose the most
appropriate technology that fits the application and protects the
document holder.

Paget rightly points out that as RFID becomes more widely used in
government identity documents, the potential for abuse grows. He notes
that if everyone were to carry a PASS Card and an RFID-enabled credit
card, a doorway secretly equipped with a UHF interrogator to read the
PASS card and an HF interrogator that can read the RFID tag in
contactless credit cards could potentially capture that individual's
identity (assuming the person's name were stored on the credit card's
tag). Then, the person capturing the information could associate a
random number in the PASS Card with a specific individual, and thus
use the PASS Card to track that person's movements (a government could
do this, for instance, to track opponents).

To date, this type of abuse has not occurred, but it could if
governments fail to take privacy issues seriously. Unfortunately,
misinformation regarding the issues—as in the case of the erroneous
coverage involving the Paget demonstration—doesn't help get them
resolved. It just creates a lot of fear.

Mark Roberti is the founder and editor of RFID Journal.

