Communications of the ACM
RFID's Security Problem
New U.S. passport cards and driver's licenses issued by Washington and New York state are designed to enable U.S. citizens to cross international borders more efficiently through the use of radio frequency identification (RFID) tags containing identity data that can be scanned by readers. But RFID technology has generated controversy because of its potential for privacy infringement, and studies of the new cards indicate that they can be exploited by ID thieves as well as by governments for the purpose of tracking people.
Both the federal passport cards and the Washington driver's licenses boast electronic product code (EPC) tags that earned a passing grade from the U.S. Homeland Security Department, and which are inexpensive as well as capable of being read from an unusually long way off. Researchers from the University of Washington and RSA Laboratories see the latter capability as a means to facilitate invasive tracking, and also perceive a privacy issue in the tags' ability to store a unique number. The researchers also conclude that border security would be threatened by unauthorized reading, since the cards' ID numbers can be easily retrieved and therefore easily counterfeited.
In addition, the Washington cards' EPC tags can be disabled by a "kill" command that is supposed to come from authorized users, and the state's failure to set the PIN on the cards it distributed means that anyone with RFID readers can set it themselves and issue kill orders. Some of the weaknesses in the federal passport cards and the Washington licenses are not apparent in New York's enhanced driver's licenses, which contain chips with serial numbers to guard against counterfeiting. Their memory banks are locked to shield them against unauthorized use of commands, but the New York licenses also raise the same privacy concerns the other cards do.
From Technology Review
No entries found