New federal ID cards easily cloned, study says

Some new border-crossing identification cards are easily cloned, may be scanned at up to 150 feet, and may be susceptible to being disabled, according to a new study from RSA Laboratories and the University of Washington.

The resulting vulnerabilities create risks of impersonations and identity theft, cyberattacks that can destroy the cards, and tracking of individuals through unauthorized readings, the study said.

The scientists reviewed the U.S. Passport card, which is being produced jointly by the Homeland Security and State departments as a low-cost alternative to United States passports for land and sea border crossings, and the Washington State Enhanced Driver’s License (EDL), which is being produced in conjunction with DHS. The study was published Oct. 22.

Both of the cards have Generation 2 Radio Frequency Identification (RFID) tags, along with a sleeve that offers some protection against unauthorized reads. The sleeve for the passport card is more effective than for the driver’s license, the authors said.

The study found that both identification documents can be readily copied with off-the-shelf RFID tags and generic cards. Furthermore, a key anti-cloning feature of the technology is not being deployed in the cards.
 
“Our research confirms the vulnerability of Passport Cards and Enhanced Drivers Licenses to copying attacks of their electronic RFID components,” state the authors in a news release. “It is a technically straightforward matter to copy the data from a Passport Card’s RFID tag into another, off-the-shelf tag.”

“Our work suggests that as deployed, Passport Cards and Washington State EDLs possess security and privacy deficiencies that have the potential to compromise border security or render it more fragile than necessary and desirable,” the authors wrote.

DHS officials previously have defended the design of the cards. To protect privacy, the cards transmit only a reference number that must be matched with a secure database to obtain personal information.

Laura Keehner, a spokeswoman for DHS, said the technologies on the passport card and Washington State EDL tested in the RSA study have been updated since then, with additional security features. Because it tested older versions of the cards, the RSA study is “outdated,” Keehner said. 

Details on the security features were not immediately available.

That reference number may be tracked and records compiled to profile an individual, and if cloned and disabled identification cards begin appearing, that may undermine the effectiveness of the entire border control system, the study said.

The researchers also found that the RFID tags in the passport cards are subject to scanning at a long range, exceeding 150 feet under certain circumstances. The protective sleeve provided with the passport card effectively prevents such scanning.

However, the EDL is not completely protected by its sleeve and may be subjected to malicious software code and cyberattacks from nearby radios or from unauthorized RFID readers, the study found.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
