New Chip Technology Poses Threat to Homeland Security

Radio-frequency-identification (RFID) is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. (Source: wikipedia.org)

Researchers at RSA Laboratories and the University of Washington recently released a report which studies the privacy and security vulnerabilities of the RFID tags embedded in the state of Washington's Enhanced Driver's License and Electronic U.S. Passport Cards.

Electronic Product Code and RFID

Electronic Product Code, or "EPC tags," are industry-standard RFID devices created as the successor to the bar codes that are prevalent in case and pallet tracking.

EPC tags are now being utilized in individual consumer items such as Enhanced Driver's License and border-crossing documents used by the Department of Homeland Security in their new Electronic passports.

Risks and Challenges of EPC when used for Security Applications

The report explored the systemic risks and challenges created by increasingly common use of EPC for security applications including:

• Cloning: U.S. Passport Cards and Washington Enhanced Driver's Licenses are susceptible to straightforward cloning (copying) into off-the-shelf EPC tags. The anti-cloning feature proposed by the DHS (the tag-unique TID) remains undeployed in the U.S. Passport Cards. Concerns about cloning involve heightened opportunity for impersonation of travelers at the border. The RFID tag in Enhanced Driver's Licenses and Passport Cards is designed to play a pivotal role in the border-crossing process. The tag is scanned prior to agent-passenger interaction. Once the tag is scanned it automatically guides an initial watchlist lookup. Cloned EPC tags, by causing false negatives in watchlist flagging process, could have a non-negligible impact on agents' behavior and the security of our national borders.
   
• Skimming: The unique identification number of the RFID tags can be read from great distances which can cause issues regarding owner privacy and vulnerability to clandestine "skimming" and cloning from up to 50 meters (162 ft.) away.
   
• Vulnerable: Even if Enhanced Driver's License cardholders keep their cards inside a protective foil sleeve provided by the Department of Licensing, the unique identification number on the RFID can still be read up to two feet away, unlike the passport cards, and are vulnerable to denial-of-service attacks and covert-channel attacks.
   
• Privacy: The EPC tags in Enhanced Driver's Licenses and Passport Cards do not contain personally identifying information. They store what amounts to a database record pointer, making concerns about read ranges more about counterfeiting than privacy, although privacy remains an issue since repetitive reads of the same cards can reveal travel patterns.
   
• Anyone with access to an EPC Gen 2 RFID reader can permanently disable the RFID tag within an Enhanced Driver's License and the cardholder will never know it, which could create a serious problem for the cardholder who lives in Washington since "tampering with or deactivating the chip will invalidate the enhanced driver's license or identicard for purposes of border crossing." (WAC 308-105-020(4)).

The report considers the implications of vulnerabilities to overall system security, and offers suggestions for improvement. It also demonstrates anti-cloning techniques for off-the-shelf EPC tags and how to overcome practical challenges in a previous proposal to co-opt the EPC "kill" command to achieve tag authentication.

Washington and New York State are the only two states currently issuing Enhanced Driver's Licenses, with Michigan will follow soon. The Department of Homeland Security (DHS) says Arizona, California, Texas, Vermont and some provinces in Canada have expressed interest in Enhanced Driver's Licenses.

More information on the vulnerabilities of Enhanced Driver's Licenses and Electronic Passport Cards is available in the release from RSA Labs, The American Civil Liberties Union, KOMO 4 News Seattle and TechWorld.

Information on RFID security can be found from RFID CUSP (RFID ConsortiUm on Security and Privacy) and from RSA Laboratories.

Visit Bill's Links and More for more great tips, just like this one!