Hacker copies passport data with off-the-shelf gear

Some new forms of ID, like this passport card, actually
broadcast information to scanning equipment.

In an astonishing display of the vulnerability of modern identification technology, Chris Paget, an "ethical hacker," assembled $250 worth of electronic equipment that allowed him to scan and copy the information stored on radio-frequency identification (RFID) chips embedded in new passport cards (but not the traditional passport books), as well as in some enhanced drivers' licenses, while he drove around San Francisco. According to Paget, whose 20-minute experiment was captured on video by The Register, it would be "trivial to program" blank tags with the skimmed identification numbers -- a key part of the process of creating counterfeit cards.

Paget was able to scan passport cards from a moving car since the embedded RFID chips broadcast their information. This is a feature the State Department advertises as a convenience, saying, "With RFID technology, Customs and Border Protection inspectors will be able to access photographs and other biographical information stored in secure government databases before the traveler reaches the inspection station."

The State Department emphasizes that the passport card contains no sensitive data itself, only "a unique number linking the card to a secure database maintained by DHS and State." You need to have access to that database to pull up more information using the identifying number.

The State Department also issues sleeves with the passport cards that block their transmissions. That the sleeves are not universally used is evidenced by the two passport cards Paget scanned during his brief drive.

Paget also points out:

If you combine the reader that I've got, at a chokepoint like a doorway, with another kind of RFID reader, one that reads credit cards say, you can correlate the ID number that you get from the passport card with the identity that you can retrieve from the credit cards. So instead of just tracking a passport card around the city, you can then track an actual identity around the city."

Similar RFIDs are beginning to appear in enhanced drivers' licenses, such as those issued by Washington State. As they become pervasive, it's possible that such identification could make it possible for police to determine the identities of attendees at, for instance, demonstrations and rallies simply by scanning the crowd and cross-referencing the skimmed identifying numbers with relevant databases.

RFID-embedded ID could also exacerbate concerns about anonymous travel that have already been raised by electronic toll-paying systems like FasTrak and E-ZPass. Travel patterns recorded by the toll systems have become something of a hot commodity in divorce cases and criminal investigations. Putting a traceable RFID in every pocket has the potential to make everybody a blip on somebody's radar screen.

Of course, Paget's experiment raises the likelihood that some of those blips won't be who they claim to be.

Below is the video of Chris Paget's RFID-skimming experiment.

 Last year, a joint research project by the University of Washington and RSA Labs uncovered exactly the sort of vulnerabilities in passport cards and enhanced drivers' licenses that were exploited in Paget's experiment. A FAQ for that effort states:

The major risk, in our view, is that of clandestine device cloning. An attacker can in principle harvest the data from a Passport Card or EDL and create an identity document that transmits identical information (even if it does not appear identical upon inspection). If border control agents do not exercise sufficient vigilance in the passenger screening process, e.g., physical inspection of all cards, the result could be a heightened risk of passenger impersonation.

That risk appears to remain in place.

Contact J.D.: civilliberties (at) tuccille.com