Print 9 comment(s) - last by Mojo the Monke.. on Feb 5 at 4:52 PM

Chris Paget shows of one of the RFID cloner attennas at a 2007 security conference. Mr. Paget has since refined the design. He recently showed how easy it was to pick up RFID passport card data with a simple attenna/reader setup, and did so, picking up 2 passports in a 20 minute drive in San Francisco  (Source: Flickr)
RFID system is shown yet again to be painfully insecure

A couple years ago, RFID was considered one of the hottest new technologies.  RFID was thought to be great idea to digitize shipping and make it more efficient -- many began to dream up new uses for the tracking tags.  What about putting them in credit cards, passports, or even in our bodies?  They indeed implemented many of these ideas and today many major credit cards, as well as U.S. passport cards, and alternative to paper passports, which features RFID chips.

However, last year, proof-of-concept attacks started to expose just how insecure having RFID as a means of personal identification might be.  Hackers hitched free rides on subways and Myth Busters was set to air a special on how hackable RFID credit cards were, only to back down after criticism and hints at legal action from the credit card industry.

While new active RFID chips may provide greater security, the passive chips found in many sensitive items have been shown to be insecure.  But just how insecure are they?

That's what Chris Paget, director of research and development at Seattle-based IOActive, set out to show.  Mounting a $250 USD Motorola RFID reader and an antenna to his side window, he cruised the streets of San Francisco for 20 minutes, with a colleague that videotaped the demonstration.

He picked up the details of two U.S. passport cards.  The information could easily be used to clone the cards and create fake passports that would pass as the real thing.  He says the demonstration is just more sign of what a bad idea using RFID tags in security sensitive areas is.  He states, "
I personally believe that RFID is very unsuitable for tagging people.  I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Western Hemisphere Travel Initiative be scrapped."

The Western Hemisphere Travel Initiative is the program which champions the RFID passport cards, which allow for easy travel to anywhere in the Western Hemisphere, as the name implies.  Authorities cite ‘kill codes’ (which can wipe the card’s data) and a ‘lock codes’ that prevents the tag’s data being changed that are built into the cards as proof of their security.

However, Mr. Paget says the cards would be easy to clone.  Even if a radio interrogation (one of these signals) is done, he elaborates, it would be easy to collected, analyzed, and overridden as it is in plain text.

The ease with which Mr. Paget picked up the passport info is even more accentuated by the fact that less than a million of the cards have been issued to date, meaning that likely relatively few were driving on the streets with the cards.

While Mr. Paget is known as a
‘white hat’ ethical hacker, his latest moves could land him in legal hot water.  San Francisco at this time has not announced any plans to pursue legal action against him, though.  A constant voice of skepticism about RFID, Mr. Paget in 2007 was set to present a paper on the security failings of RFID at the Black Hat security conference in Washington, only to be forced out after legal threats by an RFID company.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By waltaugust on 2/4/2009 10:58:41 AM , Rating: -1
People really need to read what comes with the passport card. It ships with and Identity Stronghold Secure Sleeve and the paperwork says to keep the card in the sleeve when not at the border. This sleeve blocks the RFID chip from being read. These sleeves also will block the new contactless RFID credit cards from being read as well.

You can buy your own Secure Sleeves and shielded badge holders at Identity Stronghold's website.

By TomZ on 2/4/2009 12:03:46 PM , Rating: 2
Paget's experiment demonstrates how effective the shieid is - or isn't. It is not foolproof obviously as some users will knowingly or unknowingly not use it.

Also, shields only "attenuate" signals - they don't block them 100%. I would imagine a more sensitive receiver could read RFID passports in their shields.

Overall seems like a bad idea. They should stick with barcodes.

By tastyratz on 2/5/2009 4:42:19 PM , Rating: 2
a 3d barcode would be the most logical and safe solution, but it just isn't as "hot button cool" as rfid.

At the very least some sort of encryption should have been pursued for this very reason - the fact that its transmitted in plain text is just utter fail.

By Chocobollz on 2/4/2009 2:59:25 PM , Rating: 2
I think that is not right solution. If someone wants to steal a lot of RFID's data, he could just do it in a place where the RFID itself most likely be used (therefore, no protection from the sleeve), like in a country border or in an airport for examples. It is as simple as that. Then you'll have to be faced with 2 options, use your RFID and get your data stealed, or you can protect the RFID but you can't use it as an id card. Which one will you choose? ~_~

By Moishe on 2/5/2009 9:04:25 AM , Rating: 2
Good idea for a product except that it's not perfect and it adds an extra step. Now I have to pull my CC out of the wallet and then out of the sleeve.

They need a wallet made entirely of that material.

The best defense though is to come up with a way to encrypt the data so that even reading it is useless without a key.

By Mojo the Monkey on 2/5/2009 4:52:46 PM , Rating: 2
I have seen such wallets, i think on ThinkGeek or a similar site.

"What would I do? I'd shut it down and give the money back to the shareholders." -- Michael Dell, after being asked what to do with Apple Computer in 1997
Related Articles

Latest Headlines
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
The Samsung Galaxy S7
September 14, 2016, 6:00 AM
Apple Watch 2 – Coming September 7th
September 3, 2016, 6:30 AM
Apple says “See you on the 7th.”
September 1, 2016, 6:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki