A couple of years ago, RFID was considered one of the hottest new technologies. It was thought to be a great way to digitize shipping and make it more efficient, and many began to dream up new uses for the tracking tags. What about putting them in credit cards, passports, or even in our bodies? Many of these ideas were indeed implemented, and today many major credit cards, as well as U.S. passport cards, an alternative to paper passports, feature RFID chips.
However, last year, proof-of-concept attacks started to expose just how insecure RFID might be as a means of personal identification. Hackers hitched free rides on subways, and MythBusters was set to air a special on how hackable RFID credit cards were, only to back down after criticism and hints at legal action from the credit card industry.
While new active RFID chips may provide greater security, the passive chips found in many sensitive items have been shown to be insecure. But just how insecure are they?
That's what Chris Paget, director of research and development at Seattle-based IOActive, set out to show. Mounting a $250 USD Motorola RFID reader and an antenna to his side window, he cruised the streets of San Francisco for 20 minutes, with a colleague who videotaped the demonstration.
He picked up the details of two U.S. passport cards. The information could easily be used to clone the cards and create fake passports that would pass as the real thing. He says the demonstration is just one more sign of what a bad idea it is to use RFID tags in security-sensitive areas. He states, "I personally believe that RFID is very unsuitable for tagging people. I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Western Hemisphere Travel Initiative be scrapped."
The Western Hemisphere Travel Initiative is the program that champions the RFID passport cards, which allow for easy travel to anywhere in the Western Hemisphere, as the name implies. Authorities cite the ‘kill codes’ (which can wipe the card’s data) and ‘lock codes’ (which prevent the tag’s data from being changed) built into the cards as proof of their security.
However, Mr. Paget says the cards would be easy to clone. Even when a radio interrogation (one of these signals) is performed, he elaborates, it could easily be collected, analyzed, and overridden, as it is in plain text.
The ease with which Mr. Paget picked up the passport info is all the more striking given that fewer than a million of the cards have been issued to date, meaning that relatively few people were likely driving the streets with the cards.
While Mr. Paget is known as a ‘white hat’ ethical hacker, his latest moves could land him in legal hot water. San Francisco at this time has not announced any plans to pursue legal action against him, though. A constant voice of skepticism about RFID, Mr. Paget in 2007 was set to present a paper on the security failings of RFID at the Black Hat security conference in Washington, only to be forced out after legal threats by an RFID company.