White-hat hacker to show way to clone passport card data
Chris Paget last week posted a YouTube video that chronicled him driving around San Francisco, where he successfully lifted the data from two RFID tags on U.S. Passport Cards, first released last fall, in 20 minutes.
Paget -- who is scheduled to detail his findings Saturday at the ShmooCon 2009 hacker conference in Washington, D.C. -- used an antenna and a $250 Motorola card reader that he purchased on eBay, where he works.
He also used a laptop, which he programmed to tell the reader to "continuously scan for tags and then read back any information it gets and then just [log] it. It's not particularly complicated," he said on the video.
The U.S. Passport Card is RFID enabled and wallet size, designed to be more traveler friendly. Paget said on the video that about 750,000 have been issued so far.
As of last January, under the Western Hemisphere Travel Initiative, U.S. citizens returning from Canada, Mexico, Bermuda and the Caribbean are required to show proof of identity and citizenship. The passport card eliminates the need to carry a driver's license and birth certificate. Plus, it costs less than a traditional passport.
But, according to Paget, it is far less secure and lacks appropriate protection.
"I personally believe that RFID is very unsuitable for tagging people, so I don't believe that we should have any kind of ID documents with RFID tags on them," he said. "So my dream for this research would be to see the entire Western Hemisphere Travel Initiative just be scrapped."
Hugh D'Andrade, an activist with the privacy watchdog Electronic Frontier Foundation, said any "average tech geek" easily could use the reader to steal passport data. He said the problem could prove particularly worrisome from a privacy perspective if there are multiple people carrying the passport card at a crowded event, such as a political rally.
"[RFID is] a great technology if you want to be able to scan items easily at a store," D'Andrade told SCMagazineUS.com on Friday. "EFF thinks it's a really risky technology when it's connected to a personal ID that the government issues. There are concerns that we could be building a world where people can be constantly tracked all the time."
A spokesperson at the Department of State, which oversees passport services, did not return a call for comment on Friday.
Detailing the dangers of RFID technology has become commonplace at hacker events. At last year's Black Hat show in Las Vegas, researcher Nate Lawson warned that automatic toll collection systems lack privacy controls and can easily be cracked to steal customer identification numbers.
In 2007 at Black Hat, Paget was scheduled to show how he could clone widely used RFID-enabled employee badges, but canceled the talk under increasing pressure from the badge maker.
The Federal Trade Commission is studying ways to tighten regulations around RFID.