RFID Passport Tags Save Time, Risk Privacy
August 18, 2009
The required presence of an RFID tag in U.S. passport cards has raised privacy concerns, but government officials insist the technology is secure--and that the resulting efficiency at land borders is worth the risk.
The presence of an RFID tag in U.S. passport cards has raised privacy concerns, but government officials insist the technology is safe--and that the efficiency it adds at land borders is worth the risk.
In January of this year, researcher Chris Paget drove through the streets of San Francisco scanning the RFID tags embedded in the passport cards and enhanced drivers licenses (EDLs) supported by the Western Hemisphere Travel Initiative (WHTI), in order to demonstrate the lack of security inherent in the devices.
Pagets demonstration raised a number of questions about the technology behind passport cards and the security with which theyve been deployed.
By the time WHTI went into effect on June 1st of this year, requiring Americans to present passport books, passport cards, or EDLs when crossing land borders into the United States, over a million RFID-enhanced passport cards had already been issued. While WHTI itself isnt new, its implementation for land borders was delayed two years ago in order to allow for further testing of passport card technology.
Its important to note that theres a key difference between e-passports (passport books) and passport cards. While passport cards use vicinity RFID (EPC Gen 2) technology, which can be read at distances of up to 30 feet, e-passports use ISO 14443 contactless smart card tech with a read range of a few inches. To compensate for their readibility (and therefore hackability) at a distance, passport cards only transmit an ID number that relates back to information stored in a secure central database, while e-passports store and transmit much more detailed information about the passport holder.
According to Randy Vanderhoof, executive director of the Smart Card Alliance, that difference was key to the selection of the two technologies. The electronic passport was built knowing that it was going to store secure information like a persons name, city of issuance, passport number, image of the person and therefore they chose a more secure chip technology to protect that informationwhereas the passport card was designed to be a static identifier to a central database, with no personal information stored in the chip itself, he says.
As a result, Vanderhoof says, the only data that Paget was able to gather in his demonstration was that relatively anonymous static identifier.
But Vanderhoof says there is still reason for concern, simply because that identifier can allow a card to be tracked. As a cardholder, Im not comfortable knowing that someone can read my whereabouts from a distance without me knowing about it that threat doesnt exist with an electronic passport, he says.
Near and far
Vanderhoof contends that the governments decision to use the longer-range EPC Gen 2 technology in passport cards was a mistake. The decision to trade speed over security and privacy, I think, was a poor decision on the part of the program managers under WHTIbut they repeatedly defended the decision because of the traffic flows through the land borders and the fact that they needed something that could be read from great distances, he says.
However, Vanderhoof says EPC Gen 2 technology doesnt actually improve traffic flow at all. The queuing process that takes place at these border points still requires the individuals to come to a complete stopand therefore, youre not gaining any time by reading the card 30 feet away from them coming to a complete stop, versus coming to a complete stop and then reading the card, he says. So you gained nothing from a speed standpoint, and all you did was open up the possibility for these other misuses of the technology.
Still, Paul Hunter, technical lead for the Western Hemisphere Travel Initiative at U.S. Customs and Border Protection, insists that the time savings provided by the passport cards are considerable. We can actually read the documents as theyre approaching the booth which means, instead of handing a document to an officer and him swiping it or manually typing in data, the datas already there, and now he can focus on the person, and he can focus on the conveyance it saves six to eight seconds per person, he says.
And at a land border, Hunter says, time is of the essence. Were talking over 100 million crossings a year, he says. Those six to eight seconds actually are very significant. Weve done time and motion studies where weve actually measured the time it takes to take the document, to bring it into the booth, to either manually type or swipe and then wait for the resultsand if you eliminate all that, you are actually on average saving between six to eight seconds.
Whats more, Hunter says, the same technology has already been in use for over ten years in the governments SENTRI and NEXUS trusted traveler programs. And we have not had one reported incident of somebody skimming that data and using it for nefarious purposes the reality is, its just a number, he says. And we further mitigate that by making sure the data thats associated with that is in a secure back-end database.
Ultimately, Michael Holly, chief of consular affairs/international affairs at the U.S. Department of State, says Chris Pagets interception of the passport cards data is no reason for concern. Mr. Paget actually was doing nothing more than what we intended to have happen the card, if powered by a reader, will give off the ID number, which is simply a pointer to the data that we share with the Department of Homeland Security, he says.
But Paget himself, now president and CTO of the security research firm H4RDW4RE, says that ID number shouldnt be so easily accessible. You shouldnt necessarily think of it as low-risk just because its a number, he says. Your social security number is just a number. Your credit card number is just a number. Its the meaning thats attached to those numbers that makes it riskyand in this instance, its an identifier for a person, so any time you see that identifier, you can be certain that youre seeing that same person.
One possible solution, Paget says, would be to add an on/off switch to the passport card, as has been suggested by Dr. Ann Cavoukian, Information and Privacy Commissioner for the Canadian province of Ontario. Paget says its simply a matter of adding a button on the card that you have to physically squeeze to turn the tag on, at which point it can be readso it completely negates the need for shielding because the tag is off until you actually want it to be turned on.
The larger point, Paget says, is that RFID needs to be approached with the same caution as the Internetboth, essentially, are simply untrusted networks that move bits of data from point a to point b. Theres no reason why RFID cannot have equivalent security to something like SSH or SSL that we use on the Internet all the time Im certainly not against RFID as a technology: I think its got great potential, but there needs to be a lot more security involved in the design of the systems, he says.
Jeff Goldman is a veteran technology journalist based in Southern California. He is a frequent contributor to Wi-Fi Planet. Learn more about Chris Paget's RFID passport hacking research in this YouTube video.