Weak Security Measures Allow Passport Card Cloning

December 1, 2008

Weak security on government-issued electronic identification cards allows anyone with off-the-shelf equipment to copy them from afar and masquerade as the cardholder, according to researchers at the University of Washington.

These “enhanced” identity cards – some state driver licenses and U.S. passport cards – contain an embedded microchip with an antenna that transmits a secret identification number to electronic readers at U.S. borders. The idea is to speed up crossings.

But researchers found in an October 2008 study that the transmissions aren’t secure.

Using off-the-shelf readers, they captured the identification number on a U.S. Passport Card and a Washington State driver’s license from as far away as 50 meters, or about 160 feet, in less than 5 seconds.  It can be transferred to another card that costs about 10 cents, they said.

The chips – EPC tags – were created to replace bar codes used to track consumer goods. They now are found in enhanced driver licenses, border crossing documents used by the Department of Homeland Security and a variety of other applications.

These U.S. Passport cards and enhanced driver licenses can be used like a passport when traveling between the United States, Canada and Mexico. When the tag is scanned by the reader, the confidential 10-digit identification number is compared to a government watch list. The number acts like a pointer to an internet web site and also pulls up a picture of the cardholder.

“Even though the EPC values of these cards do not reveal the owner’s name directly, there are many straightforward indirect methods for exploiting these EPC values to compromise an individual’s privacy and safety,” the study found.

Enhanced driver licenses containing these chips already are available in Arizona, New York, Vermont, and Washington State.  The Michigan legislature approved these cards earlier this year.

The October 2008 study found:

  • The anti-cloning feature proposed by the Department of Homeland Security hasn’t been deployed in the passport cards.
  • Electronic readers scanned the Washington State drivers licenses through a sleeve that is supposed to protect it from view.
  • Anyone with a RFID reader can permanently “kill” the microchip on the enhanced driver’s license without the cardholder knowing it.
  • The read range of these cards is long enough for an attacker to monitor movements and target victims based on their patterns of border crossings.

Disabling the enhanced driver licenses could wreak havoc, researchers said.

“This leads to at least three classes of scenarios in which an attacker might wish to leverage the EDL’s vulnerability to cause havoc: attacks against targeted individuals, malicious pranks against random individuals, and attacks against the entire border crossing system,” the study said.

Privacy issues likely will increase as enhanced driver licenses are used for other purposes, such as verifying age for liquor sales, the researchers said. These uses, they said, will have to be carefully controlled to protect privacy.