Researchers at the University of Washington and EMC’s RSA Laboratories detail in a new report (pdf) that there are security and privacy vulnerabilities in the federal government’s “passport cards” and “enhanced driver’s licenses” that the federal government deploys in conjunction with some state motor vehicle departments. Such cards and licenses contain personal details, including an individual’s citizenship status. They are also equipped with radio frequency identification (RFID) technology, which transmits data wirelessly from a chip or tag to a reader.
The researchers found that they were able to counterfeit and disable the cards with easily obtainable off-the-shelf technology. From the researchers’ FAQ:
Our research confirms the vulnerability of Passport Cards and EDLs to copying attacks of their electronic RFID components. We have shown, in fact, that an anti-counterfeiting measure that the U.S. Department of Homeland Security appears to have contemplated is not present in its initial designs is not present in the Passport Card. Without this countermeasure, it is a technically straightforward matter to copy the data from a Passport Card’s RFID tag into another, off-the-shelf tag. An attacker does not have to resort to building an emulating device in order to create a radio-similar clone. […]
The EPC tags in Passport Cards and EDL do not contain personally identifying information; they store what amounts to a database record pointer. Thus, concerns about read ranges revolve more around counterfeiting than privacy, though privacy is still an issue since repetitive reads of the same card can reveal travel patterns.
You can learn more about RFID tags and tracking in a recent article in Scientific American magazine by Katherine Albrecht, How RFID Tags Could Be Used to Track Unsuspecting People.
The University of Washington and RSA Laboratories researchers explain that their “research demonstrates the systemic problems that the vulnerabilities in Passport Cards and EDLs have the potential to create, including:
- Heightened opportunity for impersonation of travelers at the border;
- Erosion of best practices, i.e., an insinuation of security vulnerabilities into new systems that consume identity documents;
- Denial-of-service attacks in which malicious entities cause EDLs to self-destruct in order to create a nuisance or to undermine traveler confidence by causing a publicly visible disruption of passenger movement; and
- Tracking of individuals through repetitive reads.”