Middle America's Worldview

An interesting article on the fallacy of RFID security for our passports, and building access. Rather than the RFID company suing Chris, they should hire him as a consultant to beef up their holes in security.

But that would make too much sense.

Hacker clones passports in drive-by RFID heist

White hat demonstrates security vulnerabilities in radio technology

A British hacker has shown how easy it is to clone US passport cards that use Radio Frequency ID chips by conducting a drive-by test on the streets of San Francisco.

Chris Paget, director of research and development at Seattle-based IOActive, used a $250 Motorola RFID reader and an antenna mounted in a car's side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration.

Paget picked up the details of two US passport cards, which are fitted with RFID chips and can be used instead of traditional passports for travel to Canada, Mexico and the Caribbean.

"I believe that RFID is very unsuitable for tagging people," he said. "I do not believe we should have any kind of identity document with RFID tags in them. My ultimate goal would be to see the entire Western Hemisphere Travel Initiative scrapped."

Paget claimed that it would be relatively simple to make cloned passport cards from the information he had gathered.

Genuine passport cards support a 'kill code' which can wipe the card's data, and a 'lock code' that prevents the tag's data being changed. But Paget believes that these protections are not being used and that, even if they were, the radio interrogation is done in plain text so is relatively easy for a hacker to collect and analyse.

The ease with which the passport cards were picked up is even more worrying considering that fewer than a million have been issued to date.

Paget is a renowned 'white hat' ethical hacker, and has made the study of the security failings of RFID something of a speciality.

In 2007 he was due to present a paper on the subject at the Black Hat security conference in Washington, but was forced to abandon the plans after an RFID company threatened him with legal action.

Paget points out that RFID tags are increasingly being used in physical security systems such as building access cards, and that the technology needs significant extra security before it can be considered safe for commercial use.