On a recent afternoon, security researcher Chris Paget was able to capture the passport card information of several unsuspecting individuals while driving through San Francisco, using a device he built in his spare time for a total of $250. A video released by Paget shows just how easy it is to clone RFID (Radio Frequency ID) tags with this relatively simple technology.
The tags he captured are part of a new generation of ID cards that come with embedded RFID microchips. These vulnerable IDs include PASScards, new mini-passports the size of a credit card which are designed for non-air travel between the US, Canada, Mexico and the Caribbean. They also include the Enhanced Drivers' Licenses (EDLs) issued by New York, Michigan and Washington states. These cards use the same type of simple RFID tags used in shipping and pallet tracking, which allows them to be read from a distance of tens of feet under normal conditions — and UW researchers demonstrated 50 meters in some situations.
Paget's work confirms a study released by RSA Labs and the University of Washington last year which found that RFID tags in PASScards and EDLs were vulnerable to remote capture using widely available tools. That study pointed out that while the vulnerable information is only a unique number — not a name or passport number — there is still a reasonable threat to privacy since the tags can enable location tracking, could eventually be linked to individuals, and could also be cloned into fake IDs, making identity theft easier. (The RFID tags embedded in passport books issued by the US government are somewhat more secure, with a shorter range and some cryptographic protections.)
The same factors that make radio great for broadcasting — radio waves travel through many materials to many receivers — make it inappropriate for sensitive information, including unique ID numbers. A person carrying an unprotected RFID passport card or other ID may be broadcasting personal information or a tracking number to anyone with the right reader.
You can catch Paget presenting his findings at the upcoming ShmooCon in Washington DC this Sunday.
Update: View Chris Paget's ShmooCon presentation here.