IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

No Surprise: Border-Crossing Cards Can Be Copied

Contributed by Joanne C. Kelleher

The Wall Street Journal posted an article called “Border-Crossing Cards Can Be Copied.” It is based on a paper (“EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond”) and a set of FAQs that have been posted on the website of RSA Laboratories, a division of EMC Corp.

Researchers at the University of Washington and RSA examined state Enhanced Driver's Licenses (EDLs) and federal Passport Cards issued for the Western Hemisphere Travel Initiative, which tightens border security at land and sea crossings in North America beginning next June.

The FAQ states: “Our research confirms the vulnerability of Passport Cards and EDLs to copying attacks of their electronic RFID components. We have shown, in fact, that an anti-counterfeiting measure that the U.S. Department of Homeland Security appears to have contemplated in its initial designs is not present in the Passport Card. Without this countermeasure, it is a technically straightforward matter to copy the data from a Passport Card’s RFID tag into another, off-the-shelf tag. An attacker does not have to resort to building an emulating device in order to create a radio-similar clone. (While we think it unlikely, it is possible that DHS has deployed other anti-cloning countermeasures in the field.) Our research additionally shows that the RFID tags in Passport Cards are subject to scanning at a long range—exceeding 150 feet under certain circumstances. The protective sleeve provided with the Passport Card effectively prevents such scanning.

“We have also found that EDLs have weaker security properties than Passport Cards. They are subject to clandestine scanning at short range even through certain protective sleeves. Additionally, our research suggests that they are subject to clandestine, malicious destruction via radio from an off-the-shelf RFID reader.

“The EPC tags in Passport Cards and EDL do not contain personally identifying information; they store what amounts to a database record pointer. Thus, concerns about read ranges revolve more around counterfeiting than privacy, though privacy is still an issue since repetitive reads of the same card can reveal travel patterns.”

Kathleen Kraninger, the Department of Homeland Security’s deputy assistant secretary for policy, responded by saying the study raised “issues that we were aware of, but certainly issues that we feel have been addressed.”

SecureRF reached out to Ms. Kraninger last year about this topic so we know she is aware of the issue, but we disagree that it has been adequately addressed.

“There is a critical infrastructure evolving around RFID,” said Ari Juels, a researcher at RSA. “If we don’t build in protections now, it will be much harder to build them in later,” he said.

We couldn’t agree more.