New federal ID cards easily cloned, study says

Related Links

RSA study URL

Some new border-crossing identification cards are easily cloned, may be scanned at up to 150 feet, and may be susceptible to being disabled, according to a new study from RSA Laboratories and the University of Washington.

The resulting vulnerabilities create risks of impersonations and identity theft, cyberattacks that can destroy the cards, and tracking of individuals through unauthorized readings, the study said.

The scientists reviewed the U.S. Passport card, which is being produced jointly by the Homeland Security and State departments as a low-cost alternative to United States passports for land and sea border crossings, and the Washington State Enhanced Driver’s License (EDL), which is being produced in conjunction with DHS. The study was published Oct. 22.

Both of the cards have Generation2 Radio Frequency Identification tags, along with a sleeve that offers some protection against unauthorized reads. The sleeve for the passport card is more effective than for the driver’s license, the authors said.

The study found that both identification documents can be readily copied with off-the-shelf RFID tags and generic cards. Furthermore, a key anti-cloning feature of the technology is not being deployed in the cards.
 
“Our research confirms the vulnerability of Passport Cards and Enhanced Drivers Licenses to copying attacks of their electronic RFID components,” state the authors in a news release.“It is a technically straightforward matter to copy the data from a Passport Card’s RFID tag into another, off-the-shelf tag.”

“Our work suggests that as deployed, Passport Cards and Washington State EDLs possess security and privacy deficiencies that have the potential to compromise border security or render it more fragile than necessary and desirable,” the authors wrote.

DHS officials previously have defended the design of the cards. To protect privacy, the cards transmit only a reference number that must be matched with a secure database to obtain personal information.

Laura Keehner, a spokeswoman for DHS, said the technologies on the passport card and Washington State EDL tested in the RSA study have been updated since then, with additional security features. Because it tested older versions of the cards, the RSA study is “outdated,” Keehner said. 

Details on the security features were not immediately available.

That reference number may be tracked and records compiled to profile an individual, and if cloned and disabled identification cards begin appearing that  may undermine the effectiveness of the entire border control system, the study said.

The researchers also found that the RFID tags in the passport cards are subject to scanning at a long range, exceeding 150 feet under certain circumstances. The protective sleeve provided with the passport card effectively prevents such scanning.

However, the EDL is not completely protected by its sleeve and may be subjected to malicious software code and cyberattacks from nearby radios or from unauthorized RFID readers, the study found.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.