For some U.S. travelers, border crossings can be sped up by enhanced driver’s licenses or by passport cards, wallet-sized plastic cards that are issued by the federal government and permit passage by land or sea to Canada, Mexico, Bermuda, or the Caribbean. Both types of cards are cheaper than ordinary passports and contain radio frequency identification (RFID) devices that can be read at a distance. If a traveler holds a card up to the windshield of a car, a border crossing agent can automatically pull up information about him or her from a database. However, a recent analysis by researchers at the University of Washington and RSA Laboratories, based in Bedford, MA, shows that attackers could use the RFID signals sent by the cards to create counterfeit documents or to spy on cardholders.
Such cards are relatively new. They’re part of the U.S. government’s Western Hemisphere Travel Initiative, which changes the rules for crossing nearby borders as of July 2009. After that date, travelers will no longer be able to get through simply by showing a driver’s license and birth certificate. Instead, they will need special, approved documents. In early 2008, Washington became the first state to offer enhanced driver’s licenses for border crossings, and New York followed suit in September.
The RFID chips contained in the cards are called electronic product code (EPC) tags, and they’re similar to bar codes. When scanned, they return a unique number tied to a database maintained by the federal government, where information such as photographs of the cardholders is stored. Ari Juels, director and chief scientist at RSA Laboratories, who took part in the recent analysis, explains that, while it was known that EPC tags could be copied, several features of the new ID cards increase the risk that they could be counterfeited, tracked, or, in the case of the Washington cards, deactivated by a malicious attacker.
The type of chip used in the cards can be reprogrammed using off-the-shelf equipment, Juels explains; an attacker with a stolen ID number can load it onto a blank chip fairly easily. But if each chip also had a unique serial number programmed into it at the factory, it would be more difficult to duplicate. The counterfeiter would have to alter the serial number in the blank chip–a much harder proposition.
Another problem with the cards, Juels says, is that they can be read at relatively long range. An attacker could get the number contained in a card by eavesdropping at a checkpoint or reading the card while it’s being carried in a victim’s pocket or purse.
The cards are issued with a protective sleeve intended to block unauthorized access, but the researchers found that Washington’s cards could still be read through the sleeve. In addition, EPC tags can be disabled by sending a “kill” command to them. While the passport cards were protected from this attack, the researchers say, the possibility was left open on the Washington cards. This could allow an attacker to disrupt border crossings by killing large numbers of cards, or to harass particular individuals, since a killed card is likely to draw suspicion.
When designing an embedded system choosing which tools to use often comes down to building a custom solution or buying off-the-shelf tools.