Tuesday, February 3, 2009

RFID and Passport Cloning in the Register

Edit: Paget's presentation is available at: http://video.google.com/videoplay?docid=-282861825889939203, and he notes that he is working with the Passport Card, the Enhanced Technology Driver's License, and the other WHTI components - a different RFID technology than the US passport.

The Register took a trip with Chris Paget in San Francisco, and captured and cloned RFID tags - but it sounds like the cloning may have been limited to the tag ID, and not the content. As Paget notes, "It's mainly to defeat the argument that you can't do it in the real world, that there's no real-world attack here, that it's all theoretical."

As I've discussed previously, the US RFID-enabled passport requires key data about individual users to release the actual content of the passport. I do not currently know of any implementation that trusts the RFID tag ID alone as an authenticator or identifier - but that doesn't mean that it might not be used that way, much as we've seen the SSN used widely.
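The following is an added example, not part of the original post. It assumes the "key data" mentioned above refers to Basic Access Control as defined in ICAO Doc 9303, where the chip's access keys are derived from fields printed inside the passport and the tag ID plays no part. The function names and the sample field values are illustrative.

```python
import hashlib

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; '<' = 0, A-Z = 10..35."""
    def value(c: str) -> int:
        if c == "<":
            return 0
        return int(c) if c.isdigit() else ord(c) - ord("A") + 10
    return sum(value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so the byte has odd parity (DES key form)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        out.append(b)
    return bytes(out)

def _derive(seed: bytes, counter: int) -> bytes:
    """First 16 bytes of SHA-1(seed || 32-bit counter), parity-adjusted."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])

def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str):
    """Return (K_enc, K_mac) derived only from data printed in the passport."""
    doc = doc_number.ljust(9, "<")  # document number is padded to 9 chars
    fields = (doc, birth_yymmdd, expiry_yymmdd)
    mrz_info = "".join(f + str(check_digit(f)) for f in fields)
    seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return _derive(seed, 1), _derive(seed, 2)

if __name__ == "__main__":
    # Sample field values for illustration only, not a real passport.
    k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("K_enc:", k_enc.hex())
    print("K_mac:", k_mac.hex())
    # The tag ID never enters the derivation: a reader (or a clone) that
    # knows only the ID has nothing from which to compute these keys.
```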

The Register says that "Because the technology employs no encryption and can be read from distances of more than a mile, the tags are highly susceptible (PDF) to cloning and tracking, researchers have concluded". This isn't the case with the US passport RFID tags. Other RFID standards can allow reads from a longer distance; however, the greatest distance that has been popularly announced for reading the 13.56 MHz tags used in US passports is approximately 30 feet with specialized gear.

It is worth noting that in my own testing, the tag ID was often accessible from greater distances than the tag data was - and that at longer distances, I often got incorrect tag ID readings.

The Register points out that the card ID is a unique identifier, and could be used for tracking. Again, with a closed RFID blocking shield and highly limited range, this tracking would be difficult at best. The data contained in the passport is not highly sensitive - it includes birthdate, picture, and other details, but is not data beyond the scope of that which can be accessed in common online databases.

The ability to uniquely identify American passports is perhaps the greater danger, but again the limited read distance confines the threat to a 30-foot range with most practical readers.

In the end, Paget's work serves as yet another reminder that the technology, as implemented, has flaws that could be fixed. Passport tags should have a unique certificate to prevent cloning, and use of RFID should be carefully examined - in many cases it may not be the best technology available, or the design and usage models should be carefully considered.
