Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

For some U.S. travelers, border crossings can be sped up by enhanced driver’s licenses or by passport cards, wallet-sized plastic cards that are issued by the federal government and permit passage by land or sea to Canada, Mexico, Bermuda, or the Caribbean. Both types of cards are cheaper than ordinary passports and contain radio frequency identification (RFID) devices that can be read at a distance. If a traveler holds a card up to the windshield of a car, a border crossing agent can automatically pull up information about him or her from a database. However, a recent analysis by researchers at the University of Washington and RSA Laboratories, based in Bedford, MA, shows that attackers could use the RFID signals sent by the cards to create counterfeit documents or to spy on cardholders.

Such cards are relatively new. They’re part of the U.S. government’s Western Hemisphere Travel Initiative, which changes the rules for crossing nearby borders as of July 2009. After that date, travelers will no longer be able to get through simply by showing a driver’s license and birth certificate. Instead, they will need special, approved documents. In early 2008, Washington became the first state to offer enhanced driver’s licenses for border crossings, and New York followed suit in September.

The RFID chips contained in the cards are called electronic product code (EPC) tags, and they’re similar to bar codes. When scanned, they return a unique number tied to a database maintained by the federal government, where information such as photographs of the cardholders is stored. Ari Juels, director and chief scientist at RSA Laboratories, who took part in the recent analysis, explains that, while it was known that EPC tags could be copied, several features of the new ID cards increase the risk that they could be counterfeited, tracked, or, in the case of the Washington cards, deactivated by a malicious attacker.

The type of chip used in the cards can be reprogrammed using off-the-shelf equipment, Juels explains; an attacker with a stolen ID number can load it onto a blank chip fairly easily. But if each chip also had a unique serial number programmed into it at the factory, it would be more difficult to duplicate. The counterfeiter would have to alter the serial number in the blank chip–a much harder proposition.

Another problem with the cards, Juels says, is that they can be read at relatively long range. An attacker could get the number contained in a card by eavesdropping at a checkpoint or reading the card while it’s being carried in a victim’s pocket or purse.

The cards are issued with a protective sleeve intended to block unauthorized access, but the researchers found that Washington’s cards could still be read through the sleeve. In addition, EPC tags can be disabled by sending a “kill” command to them. While the passport cards were protected from this attack, the researchers say, the possibility was left open on the Washington cards. This could allow an attacker to disrupt border crossings by killing large numbers of cards, or to harass particular individuals, since a killed card is likely to draw suspicion.

3 comments. Share your thoughts »

Credit: University of Washington/RSA Laboratories

Tagged: Computing, Communications, security, privacy, RFID

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me