RFID drive-by cloning by Chicken Little
This week's blog comes to you from Gordon Fraser, one of our top engineers at ODIN technologies:
An article was recently circulating on the internet about a white hat hacker who purchased an RFID reader system on eBay for $250 and went war-driving for "Passport" RFID tags in San Francisco. The media response was one of "the sky is falling." It was just like the media frenzy when WiFi systems first emerged and were hacked. Just a little investigation reveals the hack has no value and is pointless. Rather, it helps make the case for using RFID chips as another layer of security, since it requires mobile communication equipment and makes hacking more difficult than simply accessing a database.
The data he collected is equivalent to reading a license plate (which he could have done without spending the $250). You could sit at a border crossing and write down all the license plates you want with little effort. The RFID tag enhances that security, essentially making a person's "license plate" more difficult to access and requiring special knowledge and gear. When crossing the border, the RFID tag gets scanned before the holder reaches the border agent, and a picture of the registered holder of that ID is displayed with personal information that the Customs and Border Protection Inspectors have access to from a secure database. (See http://travel.state.gov/passport/ppt_card/ppt_card_3926.html for more information about the Passport Card.) The captured data does not include any secure printed media that is designed to prevent counterfeiting and forgery; one cannot obtain the necessary materials to replicate the card as a system, which would be required to actually clone a passport.
The Western Hemisphere Travel Initiative (WHTI) is mentioned as a target that this person would like to get "scrapped," along with all of the RFID-enabled identification cards. He invokes the Big Brother aspect of tracking people with the use of these cards as they move about, for example while shopping. Another fear that he invokes is the combining of his reader with another that can read credit card information, and linking the data to acquire a profile of the "victim." All of this assumes he could break into the world's most secure database and systems, which carry the actual information. If one is that talented a hacker, one would not need to set up bulky and expensive RF gear and try to "catch" people; one could just hack the motor vehicle database and credit card companies, for example, or, easier still, sit outside a person's house, hack their WiFi system and wait for them to buy something online. Quite contrary to his thesis, the RFID chip actually adds another layer of security to a systemic security strategy, which any InfoSec practitioner must appreciate.
I do applaud white hats for bringing out weaknesses in systems and technology. Many have brought attention to areas that truly need fixing. However, some should include more of the facts when making statements instead of opinionated or biased media hype that may get them a few minutes of fame as people panic about a vulnerability that does not exist: the Chicken Little syndrome. The WHTI cards in their current state may not be a perfect solution, but they are designed to expedite the passage of people who regularly cross the border legally, and more importantly to make agents safer by not having to turn their back on a car as it comes to cross the border. They are an order of magnitude safer and more efficient than the legacy systems, and will only continue to get better.
People should worry more about the theft of personal information, including credit card information that they place on the internet to make purchases, who is tracking their mobile phone, who is watching their online habits, etc., and be less concerned with getting their passport card "scanned" on the street with data that cannot be used. If you're really worried about the RFID in your passport, spend $20 for one of these and the case is closed.