DHS proposes funky 'fix' for RFID security

By Angela Gunn | Published November 14, 2008, 10:23 AM

A proposal by the Department of Homeland Security attempts to address one potential security problem with RFID-chipped passports, but leaves more obvious problems hanging fire.

In an effort to detect attempts to clone the data stored on RFID chips used on US Passport Cards, DHS on Wednesday announced that it is recommending that manufacturers supplying these RFID chips include a "unique identifier number," or Tag Identifier (TID).

The TID would be used to ascertain when a chip's data has been cloned, as one would do to create a fake passport. If two passports with the same identifier number turned up at the border, one of them could be deduced as fake. That number would actually be the second unique number in the chip, since all a passport's RFID chip stores is a unique number that is indexed in a database. (Currently the chips hold one unique number and one generic manufacturer code; that generic code is the one that would be replaced with a TID.)
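The duplicate check described above can be sketched as detection logic over border-read records. This is an added example, not DHS's or any vendor's code; it goes slightly beyond the text by also comparing each read against the TID recorded at issuance. The record layout, port names, card numbers, TIDs and the three-hour travel threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed issuance records: card number (database pointer) -> TID bound at issuance.
ISSUED = {"C-1001": "TID-A1", "C-1002": "TID-B2"}

# Constructed border reads: (timestamp, port, card number, TID reported by the chip).
READS = [
    ("2008-11-12T08:00", "Port-A", "C-1001", "TID-A1"),
    ("2008-11-12T08:40", "Port-B", "C-1001", "TID-A1"),  # same pair, two ports, 40 min apart
    ("2008-11-12T09:15", "Port-A", "C-1002", "TID-Z9"),  # card number copied to another chip
    ("2008-11-12T18:00", "Port-A", "C-1002", "TID-B2"),  # the genuine card, later that day
    ("2008-11-12T10:00", "Port-C", "C-4040", "TID-Q7"),  # number never issued
]

MIN_TRAVEL = timedelta(hours=3)  # assumed minimum time to get from one port to another


def find_clone_alerts(reads, issued, min_travel=MIN_TRAVEL):
    """Return (timestamp, card, reason) for every read that suggests a cloned chip."""
    alerts = []
    last_seen = {}  # (card, tid) -> (time, port) of the previous accepted read
    for ts, port, card, tid in sorted(reads):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        expected = issued.get(card)
        if expected is None:
            alerts.append((ts, card, "unknown-card"))
            continue
        if tid != expected:
            # The card number matches an issued card but sits on a different chip.
            alerts.append((ts, card, "tid-mismatch"))
            continue
        prev = last_seen.get((card, tid))
        if prev and prev[1] != port and when - prev[0] < min_travel:
            # Identical number and TID at two ports faster than anyone could travel:
            # two physical documents are presenting the same identifiers.
            alerts.append((ts, card, "duplicate-in-use"))
        last_seen[(card, tid)] = (when, port)
    return alerts


if __name__ == "__main__":
    for alert in find_clone_alerts(READS, ISSUED):
        print(alert)
```

The "duplicate-in-use" rule can only say that one of the two documents is fake, not which one, which is the same limit the proposal itself has.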

It's an identification model that works reasonably well with mobile phones and automobiles, but an identity document is a different creature. Conceivably, the ID number might help to determine whether, for instance, a hacker intercepting the snail mail has waved a reader near a State Department envelope and picked off the data without having to open the envelope -- with "contactless" technology, the envelope would not have to be opened. But the model may not help with other security issues RFID researchers, privacy activists, and anti-terrorism experts have flagged.

Some of their concerns apply to any common RFID-bearing item. For instance, since the chips themselves haven't much computational power, you can't do much to harden them from a security standpoint. Various cryptographic techniques have been advanced for hardening RFID chips, but those all cost money. The chips used in US passports are Electronic Product Code (EPC) Class One Generation Two chips, which operate in the 860-960 MHz band of the spectrum. Those cost about ten cents each, and are so non-hardened that observers have called them "essentially wireless barcodes."

The numbers stored on an RFID are indexed in a database on a presumably secure server, so by themselves, they wouldn't convey much information about the bearer. But simply knowing a chip's unique number can enable tracking of that chip's whereabouts. So if one keeps one's passport in one's possession at all times the way one's supposed to overseas, tracking the chip would mean tracking the passport holder.

But RFID-chipped passports may present a terrible attack surface simply by existing. RFID chips don't actively announce their presence, but inexpensive and widely available readers can sense them -- and can sense when there are a number of them gathered together.

One security professional who travels internationally (and asked that he not be named) suggests that if terrorists wanted to pinpoint the location of large groups of Americans (a guided tour? a popular expat hangout?), the specific information on any one RFID chip would be far less useful than the simple ability to sense where a bunch of RFID chip carriers were grouped -- the very fact of their grouping may be information enough. Under those circumstances, grabbing the unique number(s) doesn't matter, since the specific ID data is unimportant; all that matters is the presence of the chips, and thus the targeted Americans.

Savvy owners of chipped passports or cards keep them in Faraday-cage wallets or sleeves. Faraday cages being what they are, not every kind of cage blocks every frequency, but the chips used in passports can be blocked fairly effectively...until you get to the TSA security checkpoint and your passport jacket sets off the metal detector.

It's unlikely that any scanning issues will be seriously addressed until DHS officials and security researchers can agree on what's possible with these chips. On the DHS site, the page explaining RFID chips claims that vicinity chips such as those used in travel documents can be read 20-30 feet away, while proximity chips must be just a few inches from the reader. (The State Department, by the way, originally pushed for use of the relatively safer proximity chips; DHS however won the debate, and that's why your passport can be read by an official standing outside your vehicle.)

However, those are generally minimum ranges, and a variety of tests indicate that chips can be read at several multiples of that "maximum" distance. In fact, a paper released in late October by researchers at RSA and the University of Washington (PDF available here) found that the inexpensive chips used in US passports were readable at a whopping 50 meters.

Comments


There's a slight error in this statement: "That number would actually be the second unique number in the chip, since all a passport's RFID chip stores is a unique number that is indexed in a database. (Currently the chips hold one unique number and one generic manufacturer code; that generic code is the one that would be replaced with a TID.)"

The e-passport chip stores all of the data on the data page of your passport, including a jpg of your photo. In contrast, the PASS card stores a unique database pointer, which perhaps is what you meant to refer to here.

Score: 0


It's all about the antenna.

At 900 MHz, a high gain antenna isn't pocket
size, but a pretty good one can fit into a
violin case (or Pringles can :).
Hmm, I wonder which is easiest to build.
Probably yagi, maybe helical.
And don't forget to use a fifty buck low noise
amp for an additional 15 or so dB.

Score: 0


Mm, all appealing options. Guess it depends on the elevations where you mean to do your scanning, and how much you need to blend into the crowd. If I were at an airport, I think I'd definitely go with a hard-sided instrument case (violin, or maybe mandolin for the slightly improved form factor). I also carry a "purse" made of a case for a zoom lens; the right dimensions, and everyone would think it was just a wacky little fashion choice. (Yes, surveillance can be much more amusing for female-type persons. In theory, I mean. Wouldn't know. Just saying.)

Some friends of mine own a gift shop and are quite concerned about the RFID usage (hey, this is Washington State, where they're fixing to chip the driver's licenses -- if you're from here BTW I strongly suggest reading the PDF linked above for some data you specifically need). We BS'ed for a while about the feasibility of setting up a little reader combined with an attractive front-window display. People who paused to look in would be presented with the data just skimmed from whatever chips they had on them. Think that would've raised some local awareness? :-)

Score: 0


This topic has been explored ad nauseam ;-) by Bruce Schneier.

Commercial scanners are readily available at low cost - otherwise they could not be deployed ubiquitously to commercial establishments! And as far as concealing an antenna? Has anyone ever considered the extremely rare and exotic briefcase or computer case? I realize that they would most certainly raise the suspicion of even the most trusting person, but, hey, one could try! ;-)

And as far as security goes, there are no regulations requiring the disabling of RFIDs. So, what are you doing this Christmas holiday?

How about some nefarious individual simply driving about a crowded parking lot (well, maybe not THIS Christmas!) with a reader scanning the contents of vehicles where packages have been 'oh so carefully hidden' cherry picking the gift list! They don't even have to guess what is in the car!

Likewise, ingenious marketers can simply set up mobile proximity scanners to ascertain what customers are buying in a mall or merchants can scan the contents of your bag as you come to shop there - providing them with a wealth of data to mine for your buying habits - allowing them to further tune their marketing efforts.

This can be used for good or evil - it's the user's choice.

At least the industry for lead lined envelopes that effectively died with the death of film cameras will experience a second life!

The other neat thing about RFIDs is that they CAN be relatively easily disabled without destroying or burning the 'carrier' in which they are attached/embedded. The question remains however as to how this will freak out customs and how long you will be detained as they try to figure out just what happened.

...A technology with many potential uses jumped on by too many too quickly who haven't a clue as to its potential uses and abuses. And why are we surprised that politicians would be among this group?

Score: 0


"How about some nefarious individual simply driving about a crowded parking lot (well, maybe not THIS Christmas!) with a reader scanning the contents of vehicles where packages have been 'oh so carefully hidden' cherry picking the gift list! They don't even have to guess what is in the car!"

What am I doing for the holidays? I'm going parking-lot fishing with foxfyre, that's what I'm doing! (cue music) He sees you when you're shopping, he knows what he can take... (/caroling)

Seriously, you're quite right re various potential abuses on the commercial side -- and the pretty utter lack of regulation re removing RFID tags when the products reach the consumer is truly disturbing. Chipless RFID tech is even worse; not only does it flush the (at this point tiny) financial penalty for tagging everything in sight, my understanding is that they're a heck of a lot harder to spot and destroy. I am not amused.

And yeah, Bruce S. covers RFID. A lot. And I am glad, because that's something he does well. But about a year ago I had a clash with my bank over a debit card they sent me in the mail, which arrived with, yes, a chip. I phoned the bank while I set to work on the card itself; it took me maybe three minutes to extract the chip (thin blade and tweezers, no trouble at all), and seven more minutes to argue with the guy on the phone about how I will under no circumstances carry some %#@! chip around on their behalf.

Here's the thing: The jerk on the phone had the nerve to tell me that "most people" were perfectly fine with the chip, and that the bank had no intention of offering a chip-free card. The "perfectly fine" is only true until you tell "most people" about the chip and RFID's potential for abuse, at which point 19 out of 20 people get rather cranky about it. Until we get that number to 20 out of 20, and until my bank (soon to be my former bank, as my older chip-free card expires soon) changes its mind or has it changed for it by its new corporate masters, and until that "customer service" jerk wakes up every morning and slaps himself upside the nasty rude head on my behalf, we cannot have too many people writing about this stuff.

Score: 0


Perhaps it was this century.
I got a see through ruby red Visa card (very pretty, appealed to my sense of humour, horrible rate, never planned to use it...) that was with a circuit board trace type antenna with a chip. After a couple of years they replaced it with a card that did not have the chip. The form letter said this was because there was no demand for that functionality. Shrug, I'm pretty sure that no place I've been to has contactless readers.

I bet a taser has the oomph to really fry any chip including the one on my old Visa Red, but I think that putting it in a microwave would be a bit more fun to watch because I think the taser's arc would hide some of the smaller explosions.

Note to self:p build antenna into arm of coat with repeater so that I can aim my arm at guy and have my coat arm repeat his CC data to the contactless reader. (Please note that this is less advanced than my plan to patent using light to see a 3D display.)

Score: 0

