Cloning and Reading E-Passports and PASS Cards

A lot of myths exist regarding RFID's use in identity documents—and erroneous reports of a new hacking demonstration only make the picture cloudier.
Published: March 27, 2009

A new video shows self-described hacker Chris Paget driving around San Francisco in a car equipped with an ultrahigh-frequency (UHF) RFID interrogator in an effort to read tags embedded in PASS Cards. A number of Web sites have reported this as news, claiming he “skimmed” or “cloned” information from electronic passports. This is not true, however, and what Paget did do isn’t nearly as dangerous as it might seem. I’ll explain why, but first, here’s a little background on the PASS Card.

The card was created after the terrorist attacks of Sept. 11, 2001, in an effort to make the U.S. borders more secure without slowing down traffic. It allows Americans driving across U.S. borders, or traveling by sea from Canada, Mexico, the Caribbean or Bermuda, to carry a card containing an RFID chip instead of a traditional passport book. The card, approximately the size of a driver’s license, can be read through a vehicle as the owner approaches a border. (Previously, the only identity document an individual required to drive into the United States from Canada was a valid driver’s license.)

PASS Cards utilize UHF Electronic Product Code (EPC) tags instead of more secure high-frequency RFID tags that support encryption. UHF was chosen because the card would carry only a random serial number that would be linked to a person’s information and photo in a database. As a car approaches a border checkpoint, the driver holds up the card, and the system reads it. By the time the vehicle arrives at the checkpoint, the driver’s information is called up on a screen. The border agent looks at the person’s face and the picture on the screen, and allows him or her to enter the country if they match.

It has been widely reported that the UHF RFID transponders in the PASS Cards do not support encryption and can be read by any UHF reader. As such, consumer privacy groups, as well as some RFID vendors, have called for greater security on the cards (see RFID Vendors Brief Congress on PASS Card Security). So the fact that Paget could drive around San Francisco and read tags is not surprising—what is surprising is how this is being misrepresented.

First, Paget himself refers to reading the tags as “cloning” the tags. Cloning a tag means creating a copy of a tag that can be used for nefarious purposes. So the impression a person gets from watching the video is that Paget could use the captured information to pass himself off as the PASS Card’s holder. But that’s simply not the case—if he were to drive up to the Mexican border crossing, for example, and present a cloned PASS Card, its serial number would call up the original holder’s information and photo. In such an event, there would not be a match, and Paget would be arrested. What’s more, the card also contains the name and a photo of the holder printed on the front, so he’d have a problem trying to pass himself off as the person whose tag he read.

Some Web sites reporting about Paget’s video have claimed he skimmed data from e-passports. Nowhere in the video, however, does he ever say this. In fact, he makes it clear he’s talking about PASS Cards and electronic driver’s licenses only, which use RFID technology that lacks a great deal of security since it was designed for use in the supply chain, not for identifying people.

Following the video’s dissemination, the Smart Card Alliance issued a press release clarifying this point. “The Smart Card Alliance wants to make it clear that this [Paget’s] demonstration did not involve the blue U.S. electronic passport books,” said Randy Vanderhoof, the alliance’s executive director. “Headlines stating that passports can be scanned and tracked are wrong. The widely reported demonstration involved U.S. passport cards and enhanced driver’s licenses, which use EPC Gen 2 RFID technology. These are different travel documents, and use completely different technologies from U.S. electronic passports, which use contactless smart-card technology and are very privacy-secure.”

The Smart Card Alliance called for a review of EPC technology use, because the organization promotes the use of more secure forms of RFID. There are, of course, many ways to enhance security, such as employing encryption or shielding to prevent tags from being skimmed. Government agencies should consider all options and choose the most appropriate technology that fits the application and protects the document holder.

Paget rightly points out that as RFID becomes more widely used in government identity documents, the potential for abuse grows. He notes that if everyone were to carry a PASS Card and an RFID-enabled credit card, a doorway secretly equipped with a UHF interrogator to read the PASS Card and an HF interrogator to read the RFID tag in contactless credit cards could potentially capture an individual’s identity (assuming the person’s name were stored on the credit card’s tag). The person capturing the information could then associate the random number in the PASS Card with a specific individual, and thus use the PASS Card to track that person’s movements (a government could do this, for instance, to track opponents).

To date, this type of abuse has not occurred, but it could if governments fail to take privacy issues seriously. Unfortunately, misinformation regarding the issues—as in the case of the erroneous coverage involving the Paget demonstration—doesn’t help get them resolved. It just creates a lot of fear.

Mark Roberti is the founder and editor of RFID Journal.