RFID passport identity theft made simple

RFID passport identity theft made simple

Summary: Put your RFID passport in a signal blocking wallet. But pulled out and read it broadcasts your private data for any RFID sniffer to record. And then?

TOPICS: Mobility, Security, Wi-Fi

You're confident your RFID passport is safe in its signal-blocking wallet as you pass through immigration. What you don't know is that the man behind you is recording the data sent by your passport's RFID chip as it is scanned.

Your name, nationality, gender, birthday, birthplace and a nicely digitized photo is in his hands. With that info he can photoshop up a passport, get a copy of your Social Security card and with that get credit cards and bank accounts in your name.

Rewarding individual enterprise Thanks to bureaucratic confidence in RFID technology this is a real threat. An article in the Communications of the Association for Computing Machinery goes into the details:

For successful data retrieval the perpetrator's antenna must catch two different interactions: the forward channel, which is the signal being sent from the RFID reader to the RFID token; and the backward channel, which is the data being sent back from the RFID token to the RFID reader. . . .

. . . the perpetrator would need only an antenna and an amplifier to boost the signal capture, a radio-frequency mixer and filter, and a computer to store the data. The amplifier itself would not even need to be that powerful, since it would need to boost the signal over only a short distance of three to five meters. . . . These RFID "sniffers" can then be plugged into a laptop via a USB port.

They've got your data, now what? The weak 52-bit key encryption is easily broken. Then just counterfeit the passport, get a social security card and start shopping!

As the article notes, forging a passport can be expensive. It might be easier just to steal it.

The Storage Bits take The RFIDiocy keeps getting worse. The Feds were pwnd at DefCon earlier this year.

But these are just the risks we know about today. What new technologies will appear in the next 15 years to make both eavesdropping and forgery easier?

The RFID passport is a technological sitting duck for bad guys of all kinds - criminals and terrorists - courtesy of the US State Department.

As I noted in previous post:

The time to end this nonsense is now. There are perfectly usable non-RF storage technologies - like 3D barcodes - that can safely store data in hard to crack, hard to hack formats.

We can do better. And we must.

Comments welcome, of course.

Topics: Mobility, Security, Wi-Fi

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RFIDiocy is only in implementation not the technology

    How easy is it to steal a car's license plate or a person's credit card? Just look out the window and you can copy the license plate of the car passing by, or get a screw driver and you can take it. Dive in a dumpster for some credit card receipts and you're in business.

    The security of your car's identity and your ownership of that car is incumbent on a secure database. That is how most RFID networks are implemented including those for the DOD, Airbus, Dell, etc.

    Most passport tags are ISO standard 14443 and are using High Frequency (HF or 13.56Mhz) which has a read range of less than a foot. There are very expensive and sophisticated antenna arrays ($20,000+ and six feet tall) that can read HF at greater distances but none that could be used without being detected in a passport control area, where you would take your passport out of a protective wallet if you were so inclined.

    Policy the Customs and Border Protection has in place at all passport control facilities require that one person at a time is at a booth and the next closest person is more than 10' away behind a designated line. There is no possibility of skimming an RFID tag.

    This type of ill-informed hype is what will slow innovation and adoption of a technology that can have a huge impact on our safety and efficiency.

    Border officers are the biggest supporters of RFID passports and drivers licenses since the officers can have information before a person comes up to their booth, and officers never have to turn their back on a car full of suspects without knowing who they are or if they are a threat. It's [b]improved safety and reduced lines [/b]at all the borders - that's a great benefit to society.

    Not a single case of identity theft has been reported because of passport RFID tags, yet millions of personal records get stolen every year off internet databases, laptops with private data, etc (http://digg.com/business_finance/130_Million_Credit_Card_Numbers_Stolen_in_Identity_Theft). If you're worried about being tracked don't carry a mobile phone or use a credit card and for heavens sake don't put any information on the Internet.
    • There's a big difference.

      [i]How easy is it to steal a car's license plate or a person's credit card? [/i]

      Big difference: When I walk out and notice that my plate is gone, police are alerted, the plate unregistered. Same with a credit card.

      How many times do you use your passport? You may not find out your info was stolen and used until it's too late, because your passport has been right there in front of you for the past year.

      Sure you can write a plate number down, then make (if your capable) your own counterfit plate, hope the police don't notice, but if you get pulled over and the numbers don't match the info at the DMV, you're busted
      John Zern
    • Bet THAT doesn't get an official blog entry!

      Sweendog - since what your reply indicates is:

      a: True
      b: Not fantastic
      c: Gives us nothing to worry about

      You can be sure that you won't see a retraction article entry that refutes the FUD that Robin's post foments.
    • not quite

      I don't care if someone steals my license plate. They have nothing to gain from it. I shred all of my personal mail before tossing it, so that is not a problem. There are things I can do to safe guard my personal information. Now you have a stupid implementation of an idea, probably because of lobbying, that puts me at risk. As pointed out, a printed bar code would provide the same information and be much more secure. While right now the antenna technology might necessitate a large antenna, you can be sure that in the near future, before my passport expires, someone will figure out a way to make the device smaller. It wasn't that long ago that receiving and transmitting a satellite signal required a huge antenna, now there are satellite phones that can fit in a large pocket.

      You mention licenses, and you have a valid point about an officer not wanting to turn their back to a car, but this article has nothing to do with licenses, this is strictly about passports.

      I would also add that you can easily disable the RFID chip in a license and there are no consequences. You would not want to do that with a passport that could potentially cause problems at border crossings.

      This is a major privacy issue which folks selling RFID equipment wish to sweep under the table like it is not a big deal. It is a big deal because these are all easily forseeable problems that were ignored because people wanted to make money.
      • What idf the thief is the Border Agent?

        I find it fascinating that no one here has even thought about corruption at the border entry point. What if the guy/gal scanning your passport is the thief with the laptop/receiver combo in the kneehole of the entry kiosk? Distance, less than a couple of feet from your passport. And he/she can scan hundreds of passport in one shift! Do you really think that all those border agents across the world who have access to your passport are 100% squeaky clean and would NEVER think of doing ANYTHING dishonest?
        • Just like handing credit card to be swiped in the back

          good call on questioning the border agent's ability.

          its just like having a restaurant or other business take your credit card and swiping it through a card reader (which *I have* had happen)

          possession becomes the problem, even when distance is supposed to be limited.

          Also the original ISO standard doesn't limit the chip to that range, its the intended range for the passport, where other chips manufactured under the same ISO standard are equiped to read upto 300 feet away and they are working on making the same chip able to read through metal containers, etc.. Specs id'd that the chip can read within 300 feet, that's 600 ft in diameter, and to be able to query multiple tags, and even upto 40mph by a stationary reader ... so the RFID chip used has been specifically range limited, not becase ISO spec said.
        • One would expect that a sensitive area such

          a Border Controller Booth would have strict limitations of what is allowed in the booth, and would be under surveillance. Any attempt by a Border Control Officer trying to scam passports would be caught on camera.

          And as it has been said before, someone setting up for such a feat would have to do so without being seen on camera, and get through the security measures at the airport.

          It would be a high risk of getting caught to low payout ratio on the theft. 3 to 5 meters is awfully close, and even if it was set up in some sort of bag, they are risking getting caught with it at security checkpoints with physical search of the bag or even on a back scatter x-ray.

          Is there a better tech for this sort of application? Probably, but I think the risk ratio is pretty low.
          • Strict limtiations...

            When we have White House Security Staff members who can't be bothered to check the guest list for a State Dinner, what makes you think that the US Border Patrol is going to be any more zealous day in and day out in "limiting" what's supposed to be at the checkpoint desk?

            Just sayin', is all.
            M.R. Kennedy
          • Think out of the box, thensome

            A three meter radius is a bunch of cubic feet in three dimensions. A cubic foot holds a bunch of computing, telemetry, and specialized broadcasting equipment. Think of a new table, an air conditioning box overhead, or whatever a clever perp places under the floor.

            When one considers the fradulent ATM machines that were designed, manufactured, and installed for the purpose of getting credit card id info you must then consider the ease of beating a lo-tech invironment surrounding an RFID station.

            Just thinkin' is all...
          • Border Control Booths

            When travelling with your passport you leave the US, the UK, Europe and arrive in a slightly less security conscious country for your holiday or business trip. Do we know who and what they allow in their border control booth?

            Or the other scenario is: a trip to an unfriendly state - their border guards are allowed to scan your passport... that state might be a sponsor of terrorism and give away your details to our enemies...
          • WoW times 3

            @M.R. Red Herring argument. Topic is border control, not US Whitehouse security.

            @WornHall - if you read the attached article to the story you would have read that it is the communication that is intercepted. The information is not being read directly from the card. Some one would have to get into the booth area to set this equipment up, and as was pointed out elsewhere loitering around a customs booth, isn't allowed. And since you would need to be within range of the communication between the RFID Card and the border control booth, in order to make the hack, you will be noticed, if you are phishing for Identities.

            @ Ginger_Prince your arguement is fallacious as well. State B is allowed to scan your passport, state may be sponsor of terrorism, therefore RFID passports are a bad idea?

            First of all if you are going to someplace, say like Iran who may not like Americans or Any Westerners for that matter, They are going to be able to tell just by looking at you and talking to you. Also whats stopping them from having a good camera that can take a picture of your passport as opposed to having the bag full of equipment.
        • And what would they get?

          This would matter if there was anything on the chip that they could use. See my comment about what's actually ON the RFID chip in a passport.
        • CIA? NSA?

          This would also allow other Government agencies to bypass privacy laws. They could just sit in an airport and get a large portfolio of "fake" IDs that have valid background info.

          It would also be handy for covert surveillance.

    • Not Exasctly: RFIDiocy is only in implementation not the technology

      Your rebuttal presupposes that the only place a card can be read is at a border check. That's not true. The RF Passports are always on, and a tiny percentage of people carry them in shielded wallets. It's also true that the shielding schemes are hardly absolute protection. You are right in saying the sky isn't falling. The threat may not match the hype, but the threat and risk are real and dismissing them is hardly more responsible than hyping them.
    • That's not the point...

      ... the point is that it CAN be done!

      Also I object to the fallacious argument that because there is identity theft and that records are stolen somehow means that any further breeches in personal privacy should be dismissed. Also the fact that since this information can be potentially picked up by unauthorized third parties also throws the whole "safety and efficiency" line out the window for what should be obvious reasons.

      Final point is that considering our government's total disregard for border security in the past especially following 9/11, the fact that illegal immigration is still a problem, the fact that I haven't heard about any suspected terrorists being caught by this program, and finally that at it's heart this is a potential invasion of privacy issue; I think it is safe to say that many people in this country, myself inclusive, really don't give a rat's you-know-what whether or not our border patrol agents like this program. It was a bad idea to begin with.
    • Say What?

      Sorry, but it sounds like you are talking through your hat.

      First of all, you say that RFIDs from passports can only be read within one foot. Then you imply that a car full of them can be read before the car even arrives at the booth.

      S'up with that??
  • Push the hype, ignore the details

    Here's a good bit from your referenced article:

    "Lab demonstrations3 have shown that a successful eavesdrop (a capture of both channels) on an RFID tag can occur at a distance of one meter with the use of an H-field antenna, a radio frequency receiver, an oscilloscope to monitor the signals, and a computer to store, analyze, and manipulate the data."

    Have you stood near a passport check-point recently? They really don't take too kindly to loiterers there. For this to work you're going to have a whole bunch of kit running away in your laptop bag. Oh plus you'll need a plane ticket for an international destination and go through passport control yourself.

    1 meter isn't a lot of distance, next time you're standing at one of those check points pace off the distance from that yellow line to where you actually drop off your passport. Might be a bit shy of a meter but not by much. This would mean at best you could get one or maybe a few passports as you move up to the front of the line.

    The conclusion of the article also states the case nicely:
    It seems much more likely that most perpetrators would resort to old-fashioned means of stealing your passport information, by stealing your physical passport itself. We recommend that it is more important to be careful about keeping your physical passport safely in hand than to be wary of perpetrators lurking behind you in line at the airport attempting to exploit the RFID tag in your passport.
    Robert Crocker
    • A Better Idea

      I'd just wait outside the passport office. Where I got mine you could park in a spot where the majority of new passport owners walk by. But perhaps that's all ready being done!
      • Wouldn't work

        The whole point of the exploit was that it required you to be able to eavesdrop on an active communication between the passport and the special reader that is used at the immigration control point.

        A passport won't respond to a random request and is essentially inert until the correct request is received.
        Robert Crocker
    • How many people pass through LAX?

      How many people pass through LAX everyday?
      1000? 10000? 100000?

      Try breaking into 1000 houses everyday. I'm sure someone would notice and call the cops. If you got caught with 1000 passports you'd have to answer some tough questions.

      On the other hand how many people do you see walking around with laptops?
      Do you thinks it's weird if you see someone with a laptop?
      Do you even notice any more?