Latest Anti-RFID Video is Actually Worth Watching

By Admin

A video has been making the rounds on the web in which a hacker equips his car with off-the-shelf RFID gear, then drives around downtown San Francisco scanning electronic passport IDs from the air. Unlike much of the anti-RFID propaganda that has been published to date, this video is actually effective in raising questions about secure adoption of the technology.

This article was originally published by RFID Update.

February 5, 2009—Update: Paget was actually skimming PASS Cards, not electronic passports, as our article originally stated.

A video has been making the rounds on the web in which hacker Chris Paget equips his car with off-the-shelf RFID gear, then drives around downtown San Francisco scanning electronic passport IDs from the air, unbeknownst to the passport holders. The practice, known as skimming, has been one of the primary concerns about RFID among privacy advocates. Unlike much of the anti-RFID propaganda that has been published to date, this video is actually effective in raising questions about secure adoption of the technology.

Paget opens the video by showing how he has equipped his car with RFID. He has a Motorola reader from the XL-400 series lying in his back seat, with a single antenna secured to the ceiling and facing out the window. The reader is connected to a laptop in the front seat which displays the tag ID information that the antenna picks up in real time. Aside from jury-rigging the antenna to his car ceiling, Paget's setup is a simple and affordable one. (Though certainly not cheaper than the $250 that he claims.)

Most of the rest of the video consists of Paget discussing his concerns about the integration of RFID with identification documents while he drives around San Francisco skimming passport IDs. He is steadfastly against using RFID with human identification documents, at one point saying, "My dream for this research would be to see the entire Western Hemisphere Travel Initiative just be scrapped." The Western Hemisphere Travel Initiative (WHTI) is the US government program under which electronic passports and PASS Cards fall. Despite his opposition to the WHTI, Paget does not come across as paranoid or shrill. He considers himself a "white hat" hacker who explores and publishes the vulnerabilities of technology systems in the interest of seeing those systems improved. (Contrast that to a "black hat" hacker, who exploits such vulnerabilities for nefarious ends.)

By the end of his drive, Paget has managed to get only a few passport IDs, but he makes the valid point that electronic passports are still in the earliest stages of adoption and that presumably they will be carried by far more people within a few years.

Paget does not address the crucial and often-overlooked point that the skimmed ID data themselves are cryptic alphanumeric codes with no inherent meaning. Even if a hacker cloned such a passport ID onto a blank tag and put it into a counterfeit passport, the photo in that new passport would not match the hacker's face, rendering it useless. (RFID Update covered this in more detail when the electronic passport cloning story first surfaced. See "New RFID Passport Scare -- Does it Matter?")

Paget argues that a victim's electronic passport ID could be paired with data skimmed from the victim's contactless credit card to ascertain the passport holder's identity. While this might be true in theory, in practice credit cards are much harder to skim since they are designed only for short read ranges. That raises the question: why were electronic passports equipped with long-range RFID instead of the short-range RFID used in contactless credit cards? The answer is that one of the key motivations for putting RFID in passports was to speed the processing of border crossings by having the passport be readable from the guard station even before the passport holder passes by.

The video is worth watching if for no other reason than to see that skimming is real and can be executed fairly easily and cheaply. Even though the ease of skimming does not translate into widespread passport cloning, the public may well be concerned by what the video shows. Since the public is the final jury on any technology's adoption, the video serves as a reminder to the industry to be ever-vigilant when it comes to security.
