Saturday, February 07, 2009

RFID Passports and Driver's Licenses Compromise Your Personal Data

RFID has great value as it is used today. It also has many excellent potential uses. However, it is totally unsuitable for use in a personal identification system.

Many times I've written about the potential dangers of personal identification cards and passports equipped with Radio Frequency Identification (RFID) technology. You can check them out here. My aim in this is not to bash the technology because it has many excellent applications. My objections are strictly limited to RFID-equipped personal identification.

What's the problem with RFID?
The inherent flaw in using RFID in identification cards is the very thing which makes it excellent in other applications: The RFID chip sends out a signal containing a small amount of data which a receiver can detect and pass along to a computer. While this is great for companies like Walmart to track inventory going in and out of a store, it's not good for a person when anyone can grab their personal information out of thin air just by passing near them.

Proof Is In The Pudding
For those who think my opinions alarmist, allow me to point out two studies which I believe prove my point:

University of Washington and RSA Research
On December 1, 2008, the Consumer Warning Network reported on research done by The University of Washington and RSA Security in October of 2008 which showed data from RFID chips implanted in the new Passport Cards and "Enhanced" driver's licenses can be received from over 150 feet away. Data recovered from such reception could be cloned to another card in less than 5 seconds. These tests were done with off-the-shelf equipment, not exotic technology available only to government agencies.

Receiving data from that far away, a criminal could position a receiver near a large gathering of people and clone cards to steal a large number of identities. It is fair to point out that personal information is not stored on these cards; only a unique ID code. However, this code is all that's needed to create a cloned card. Eventually, there has to be a way to match that number to personal data stored in a database somewhere. If there is enough desire, criminals could get access to such a database and get the personal information contained in it.

A Practical Demonstration
On Feb 2nd, posted an item showing how easy it is for someone to go about reading these RFID-equipped cards. Chris Paget demonstrated how to set up a system to read the cards as one drives around a city. As in the above-mentioned study, he used off-the-shelf equipment in his demonstration. Although he didn't scan a large number of cards, I believe it's because they are not yet widely used. As government agencies issue this type of card, though, there will be more and more of them in circulation to scan. I highly recommend watching the short video, which is quite telling.

Not Just Identity Theft
Given that these cards are so easy to read from a far longer distance than government agencies care to admit, it's also important to consider another potential way to exploit this technology: stalking and tracking. It's not difficult to put together a relatively cheap, but sophisticated, RF direction-finding system. Amateur radio operators do this in "fox hunt" competitions to find hidden transmitters. It would not be difficult for anyone to put together a direction-finding system to track a person's movements. In the ultimate "big brother" scenario, it would be a simple matter for government agencies to install direction-finding equipment around a city and use it to track anyone and everyone.

"Computer, what is the current location of Captain Picard?"

Shields Up!
There is one thing the person who has this type of ID card can do to prevent its exploitation: shield it. The issuers of these cards are supposed to provide a sleeve in which to store the card, the idea of which is to prevent the RFID from transmitting outside the person's wallet or purse. While this is a good idea, I believe it is not good enough. I question how many people will actually educate themselves on how RFID works and realize the importance of using such a sleeve. How many will lose or damage the sleeve and not bother to replace it? Although laudable, providing a sleeve is hardly practical.

I recommend you do your own research to learn more about RFID. I believe that as you educate yourself, you will realize RFID in personal identification is not a good idea and will let your elected representatives know about it.
