DHS proposes funky 'fix' for RFID security

A proposal by the Department of Homeland Security attempts to address one potential security problem with RFID-chipped passports, but leaves more obvious problems hanging fire.

In an effort to detect attempts to clone the data stored on RFID chips used on US Passport Cards, DHS on Wednesday announced that it is recommending that manufacturers supplying these RFID chips include a "unique identifier number," or Tag Identifier (TID).

The TID would be used to ascertain when a chip's data has been cloned, as one would do to create a fake passport. If two passports with the same identifier number turned up at the border, one of them could be deduced as fake. That number would actually be the second unique number in the chip, since all a passport's RFID chip stores is a unique number that is indexed in a database. (Currently the chips hold one unique number and one generic manufacturer code; that generic code is the one that would be replaced with a TID.)

It's an identification model that works reasonably well with mobile phones and automobiles, but an identity document is a different creature. Conceivably, the ID number might help to determine whether, for instance, a hacker intercepting the snail mail has waved a reader near a State Department envelope and picked off the data without having to open the envelope -- with "contactless" technology, the envelope would not have to be opened. But the model may not help with other security issues RFID researchers, privacy activists, and anti-terrorism experts have flagged.

Some of their concerns apply to any common RFID-bearing item. For instance, since the chips themselves haven't much computational power, you can't do much to harden them from a security standpoint. Various cryptographic techniques have been advanced for hardening RFID chips, but those all cost money. The chips used in US passports are Electronic Product Code (EPC) Class One Generation Two chips, which operate in the 860-960 MHz band of the spectrum. Those cost about ten cents each, and are so non-hardened that observers have called them "essentially wireless barcodes."

The numbers stored on an RFID are indexed a database on a presumably secure server, so by themselves, they wouldn't convey much information about the bearer. But simply knowing a chip's unique number can enable tracking of that chip's whereabouts. So if one keeps one's passport in one's possession at all times the way one's supposed to overseas, tracking the chip would mean tracking the passport holder.

But RFID-chipped passports may present a terrible attack surface simply by existing. RFID chips don't actively announce their presence, but inexpensive and widely available readers can sense them -- and can sense when there are a number of them gathered together.

One security professional who travels internationally (and asked that he not be named) suggests that if terrorists wanted to pinpoint the location of large groups of Americans (a guided tour? a popular expat hangout?), the specific information on any one RFID chip would be far less useful than the simple ability to sense where a bunch of RFID chip carriers were grouped -- the very fact of their grouping may be information enough. Under those circumstances, grabbing the unique number(s) doesn't matter, since the specific ID data is unimportant; all that matters is the presence of the chips, and thus the targeted Americans.

Savvy owners of chipped passports or cards keep them in Faraday-cage wallets or sleeves. Faraday cages being what they are, not every kind of cage blocks every frequency, but the chips used in passports can be blocked fairly effectively...until you get to the TSA security checkpoint and your passport jacket sets off the metal detector.

It's unlikely that any scanning issues will be seriously addressed until DHS officials and security researchers can agree on what's possible with these chips. On the DHS site, the page explaining RFID chips claims that vicinity chips such as those used in travel documents can be read 20-30 feet away, while proximity chips must be just a few inches from the reader. (The State Department, by the way, originally pushed for use of the relatively safer proximity chips; DHS however won the debate, and that's why your passport can be read by an official standing outside your vehicle.)

However, those are generally minimum ranges, and variety of tests indicate that chips can be read at several multiples of that "maximum" distance. In fact, a paper released in late October by researchers at RSA and the University of Washington (PDF available here) found that the inexpensive chips used in US passports were readable at a whopping 50 meters.