Borderline Security

For some U.S. travelers, border crossings can be sped up by enhanced driver's licenses or by passport cards, wallet-sized plastic cards that are issued by the federal government and permit passage by land or sea to Canada, Mexico, Bermuda, or the Caribbean. Both types of cards are cheaper than ordinary passports and contain radio frequency identification (RFID) devices that can be read at a distance. If a traveler holds a card up to the windshield of a car, a border crossing agent can automatically pull up information about him or her from a database. However, a recent analysis by researchers at the University of Washington and RSA Laboratories, based in Bedford, MA, shows that attackers could use the RFID signals sent by the cards to create counterfeit documents or to spy on cardholders.

Such cards are relatively new. They're part of the U.S. government's Western Hemisphere Travel Initiative, which changes the rules for crossing nearby borders as of July 2009. After that date, travelers will no longer be able to get through simply by showing a driver's license and birth certificate. Instead, they will need special, approved documents. In early 2008, Washington became the first state to offer enhanced driver's licenses for border crossings, and New York followed suit in September.

The RFID chips contained in the cards are called electronic product code (EPC) tags, and they're similar to bar codes. When scanned, they return a unique number tied to a database maintained by the federal government, where information such as photographs of the cardholders is stored. Ari Juels, director and chief scientist at RSA Laboratories, who took part in the recent analysis, explains that, while it was known that EPC tags could be copied, several features of the new ID cards increase the risk that they could be counterfeited, tracked, or, in the case of the Washington cards, deactivated by a malicious attacker.

The type of chip used in the cards can be reprogrammed using off-the-shelf equipment, Juels explains; an attacker with a stolen ID number can load it onto a blank chip fairly easily. But if each chip also had a unique serial number programmed into it at the factory, it would be more difficult to duplicate. The counterfeiter would have to alter the serial number in the blank chip--a much harder proposition.

Another problem with the cards, Juels says, is that they can be read at relatively long range. An attacker could get the number contained in a card by eavesdropping at a checkpoint or reading the card while it's being carried in a victim's pocket or purse.

The cards are issued with a protective sleeve intended to block unauthorized access, but the researchers found that Washington's cards could still be read through the sleeve. In addition, EPC tags can be disabled by sending a "kill" command to them. While the passport cards were protected from this attack, the researchers say, the possibility was left open on the Washington cards. This could allow an attacker to disrupt border crossings by killing large numbers of cards, or to harass particular individuals, since a killed card is likely to draw suspicion.

Gigi Zenk, a spokesperson for the Washington State Department of Licensing, says that she doubts the severity of the findings because the researchers "made a lot of assumptions about how customs and border control work." While she says that no system is ever completely invulnerable, she stresses that the cards contain no personal information, and that the state of Washington has made it a felony to attempt to skim information from them. "We believe we took considerable steps to mitigate risk," Zenk says, "and I get concerned about this causing unnecessary fear."

Juels agrees that "if border agents do all that they're supposed to do"--including, for example, comparing the photographs stored in the database with those printed on the ID--"they should be able to detect counterfeits." But he adds that the agents may be tempted to rely on the technology and relax their vigilance.

Even if border agents prove vigilant, the researchers maintain, the cards could still pose risks. "These cards can still reveal information about our lives," says Tadayoshi Kohno, an assistant professor of computer science at the University of Washington, who worked on the research. "If you think about the social-security number, at some point there could have been an argument that it's just a number, not personal information. But numbers evolve over time, and uses evolve over time, and eventually these things can reveal more information than we initially expect."

Jonathan Westhues, an independent security researcher who has studied RFID, notes that much depends on how the tag is actually used. If any official assumes that the tag itself is sufficient proof of identity, then the threat of cloning is serious. He notes, "It's hard to say what exactly they plan to do with the tag, so it's hard to say whether the overall system will be secure." As far as privacy goes, he adds that many people already carry smart cards or cell phones that could be used to track them.

The researchers say that they hope to see passport technology improve as a result of the questions they've raised. "The whole RFID infrastructure is not a bad idea," Juels says. "It just needs to be done well."