Snooping RFID-embedded Drivers Licenses - is REAL ID a BAD idea?

We are coming down to the wire. States across the country already have plans in place, funding spent, or even live implementations of REAL ID, under which Radio Frequency Identification (RFID) chips are embedded in passports and state driver's licenses. Congress originally passed the REAL ID Act in 2005, expecting to modernize everything from DMV visits to border crossing checkpoints. The original implementation deadline was 2008, but it was extended to 2013 and then to 2017 when only a handful of states were close to even completing evaluation studies. The Department of Homeland Security maintains a site discussing the reasons for and benefits of the project.

One of the states that was on track: Michigan. Michigan Rep. Paul Opsommer wants to make sure that on time does not mean insecure:

“Michigan entering into a federal agreement to put unencrypted, long range RFID computer chips into our driver’s licenses presents a huge privacy risk with very little benefit.  I don’t think we need RFID in our licenses period, but even if we did, there is absolutely no reason it couldn’t be short range and encrypted. The federal government has made some bad technology choices that they now want to cram down the rest of our throats. Canada is totally rethinking this whole program from the ground up, and so should Michigan.”

Indeed, Michigan's northern neighbors decided their implementation of RFID-enhanced driver's licenses needed rethinking. Saskatchewan's enhanced driver's licenses (EDLs) were scheduled for approval ahead of a June 1, 2009 deadline set by the United States, the date from which travelers from Canada must present border crossing documents, either passports or EDLs. The problems concern the privacy provisions of Bill 72 and the inadequate time allowed before enactment for impact studies by the Privacy Commissioner. Privacy watchdogs point out that the RFID tags used in EDLs can be read from at least 30 feet away, that there are open questions about the security protections for the database holding the personal information, and that these databases store more information than necessary. There are similar questions about Bill 85 in Ontario, several of which the Province's Information and Privacy Commissioner reviewed.

Representative Opsommer's concerns are not unfounded. The proposed Michigan licenses contain an unencrypted RFID chip with a read range of at least 30 feet. They also carry a new, unique Citizen ID number that some privacy advocates believe could become the 21st-century Social Security Number. And there are no laws in Michigan preventing unauthorized access to, or storage of, the card data.

Four researchers from the University of Washington and the encryption company RSA presented a paper in October 2008 that performed a vulnerability assessment of passport cards (PASS cards) and Washington State Enhanced Drivers Licenses and documented that the information on them can be cloned. The researchers demonstrated:

“that the publicly readable data in both types of identity document can be straightforwardly cloned after a single read.”  The cards “are subject to reading at a distance of at least 50 meters under optimal scan conditions (down a long hallway, but still operating within FCC limits).”

There are two other items to consider with these cards: the 'kill' command, which permanently disables a tag, and 'lock codes' that protect the writable memory areas from unauthorized writes. The EDLs tested were susceptible to the kill command, effectively voiding the RFID chip and likely the card for cross-border use. The EDLs also did not use lock codes, so their memory could be rewritten, further invalidating the card through electronic tampering. The PASS cards were not vulnerable to lock code attacks, but there are conflicting reports on whether they can be killed.
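To make the difference the lock codes make concrete, here is an added example (not code from the original post, nor from the University of Washington/RSA paper) modelling an EPC Class-1 Gen-2 tag's Reserved bank passwords, lock bits, Write and Kill commands in Python. It runs the three attacks discussed above, cloning, kill and tampering, against two constructed tag configurations: one with no lock codes, and one with a nonzero kill password and an access password protecting locked memory. Everything about the tags (EPC values, passwords, which regions are locked) is made up for the example; the air interface, CRCs and the TID/User banks are left out.

```python
"""Toy model of an EPC Class-1 Gen-2 (ISO 18000-6C) tag: Reserved bank
passwords, lock bits, Write and Kill. Constructed for this post; the EPC
values, passwords and lock settings below are invented, not taken from any
real card."""
from dataclasses import dataclass, field

# Memory regions a reader may try to write. Real Gen2 lock bits also cover
# the TID and User banks; those are omitted here.
KILL_PWD, ACCESS_PWD, EPC = "kill_pwd", "access_pwd", "epc"


@dataclass
class Gen2Tag:
    epc: str                                  # EPC bank: the public identifier
    kill_pwd: int = 0                         # Reserved bank words 0-1 (32 bit)
    access_pwd: int = 0                       # Reserved bank words 2-3 (32 bit)
    locked: set = field(default_factory=set)  # regions whose Write needs the access password
    killed: bool = False

    def _secured(self, presented: int) -> bool:
        """Gen2 'secured' state, reached by presenting the access password.
        With a zero access password the tag enters it unconditionally."""
        return self.access_pwd == 0 or presented == self.access_pwd

    def read_epc(self):
        """Inventory round: any reader in range gets the EPC, no password needed."""
        return None if self.killed else self.epc

    def write(self, region: str, value, presented_access_pwd: int = 0) -> bool:
        """Write command: refused only if the region is locked and the reader
        has not reached the secured state."""
        if self.killed:
            return False
        if region in self.locked and not self._secured(presented_access_pwd):
            return False
        if region == KILL_PWD:
            self.kill_pwd = value & 0xFFFFFFFF
        elif region == ACCESS_PWD:
            self.access_pwd = value & 0xFFFFFFFF
        elif region == EPC:
            self.epc = value
        else:
            return False
        return True

    def kill(self, presented_kill_pwd: int) -> bool:
        """Kill command: permanent. Gen2 tags refuse Kill while their kill
        password is zero; otherwise the presented value must match."""
        if self.killed or self.kill_pwd == 0 or presented_kill_pwd != self.kill_pwd:
            return False
        self.killed = True
        return True


def make_unlocked_edl() -> Gen2Tag:
    """Constructed stand-in for a card shipped with no lock codes: zero passwords, nothing locked."""
    return Gen2Tag(epc="3000AABBCCDDEEFF00112233")


def make_hardened_card() -> Gen2Tag:
    """Constructed stand-in for a card with nonzero kill and access passwords
    and the Reserved and EPC banks locked."""
    return Gen2Tag(epc="3000DEADBEEF001122334455",
                   kill_pwd=0x5A5A1234, access_pwd=0x9F9F5678,
                   locked={KILL_PWD, ACCESS_PWD, EPC})


def clone(victim: Gen2Tag, blank: Gen2Tag) -> str:
    """One read of the victim, then program a blank tag with the same EPC.
    Needs no password on the victim: its EPC is public either way."""
    blank.write(EPC, victim.read_epc())
    return blank.read_epc()


def kill_attack(tag: Gen2Tag, attacker_pwd: int) -> bool:
    """The attacker does not know the kill password, so first tries to set one.
    On an unlocked tag that write succeeds and the tag can then be killed;
    on a locked tag the write is refused and the kill is just a failed guess."""
    tag.write(KILL_PWD, attacker_pwd)
    return tag.kill(attacker_pwd)


def tamper_epc(tag: Gen2Tag, junk_epc: str) -> bool:
    """Overwrite the identifier in place, invalidating the card for border use."""
    return tag.write(EPC, junk_epc)


if __name__ == "__main__":
    for name, factory in (("unlocked EDL", make_unlocked_edl), ("hardened card", make_hardened_card)):
        cloned = clone(factory(), Gen2Tag(epc="0" * 24)) == factory().epc
        print(f"{name}: clone={cloned}, kill={kill_attack(factory(), 0x0BAD0BAD)}, "
              f"tamper={tamper_epc(factory(), 'FF' * 12)}")
```

The point the model makes is the one the paper made: lock codes and a nonzero kill password stop the kill and tampering attacks, but the EPC is readable by design, so cloning after a single read works against both configurations.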

The range of these cards should also be of concern. In 2006, Wired Magazine interviewed Jonathan Westhues, who demonstrated a homemade RFID reader. The test involved an RFID card of the type typically used for entering buildings, and that particular example required Westhues to pass "within a few inches" of the card holder. Several factors were involved, including the type of card used in the demonstration and the reading device and antenna rigged together. A similar demonstration by Chris Paget, a researcher with IOActive, was a bit different: Paget drove around San Francisco with a $250 Motorola card reader and an antenna attached to the roof of a car. The video shows the team grabbing details from two US passport cards (PASS cards). EDLs and PASS cards are distributed with protective sleeves intended to shield the cards from this sort of remote scanning. The University of Washington researchers found that, while cards in a well-maintained sleeve were not readable, the RFID credentials in a crumpled sleeve were accessible, and real-world use suggests the sleeves are often lost or simply thrown away.

What about security features, such as PINs or encryption? Yes, they do work. Sort of. Adam Laurie, a British security expert, cracked the UK passport's encryption and remotely read its credentials while it was still in the original mailing envelope. Security consultant Lukas Grunwald of Germany demonstrated cloning German passports at the Black Hat security conference, producing documents that successfully passed through an electronic passport reader. Similar vulnerabilities have been found in Czech e-passports. Some of these problems stem from not understanding the technology, implementing it improperly, or simply dismissing the security features as unnecessary.

“I personally believe that RFID is very unsuitable for tagging people,” Paget said. “I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Western Hemisphere Travel Initiative be scrapped.”

There are other problems beyond cloning. With a unique ID on each card, there is the risk that people may be tracked, much as cell phones have been used in Britain to track shoppers and their habits. The ubiquity of the driver's license makes it an even richer data source; not everyone has a cell phone or carries it all the time. This tracking is less likely with shorter-range cards, or with cards that implement security features. Laws are also needed to restrain tracking of this sort and the creation of separate "marketing ID" style databases keyed on EDL ID numbers. Washington State Department of Licensing spokesperson Gigi Zenk says that laws have been passed prohibiting third parties from accessing RFID information without the owner's consent.

It comes down to an increasing reliance on technology. Let's remain cognizant of how important the information on these cards is, or can become. As we put more technology in, we as a society expect the output to be better. That said, some of the biggest problems in information security and privacy come from social engineering, pretending to be someone you're not. Implementing more technology should assist, not replace, the manual processes that successfully root out thieves and criminals. "I think we are in the growing-pains phase," says Johns Hopkins University computer science professor and security researcher Avi Rubin. "This happens with a lot of technologies when they are first developed." Let's aim to not let the growing pains become a chronic disease.

