New federal ID cards easily cloned, study says
- By Alice Lipowicz
- Oct 24, 2008
Some new border-crossing identification cards are easily cloned, may be scanned at up to 150 feet, and may be susceptible to being disabled, according to a new study from RSA Laboratories and the University of Washington.
The resulting vulnerabilities create risks of impersonations and identity theft, cyberattacks that can destroy the cards, and tracking of individuals through unauthorized readings, the study said.
The scientists reviewed the U.S. Passport card, which is being produced jointly by the Homeland Security and State departments as a low-cost alternative to United States passports for land and sea border crossings, and the Washington State Enhanced Driver’s License (EDL), which is being produced in conjunction with DHS. The study was published Oct. 22.
Both of the cards have Generation2 Radio Frequency Identification tags, along with a sleeve that offers some protection against unauthorized reads. The sleeve for the passport card is more effective than for the driver’s license, the authors said.
The study found that both identification documents can be readily copied with off-the-shelf RFID tags and generic cards. Furthermore, a key anti-cloning feature of the technology is not being deployed in the cards.
“Our research confirms the vulnerability of Passport Cards and Enhanced Drivers Licenses to copying attacks of their electronic RFID components,” state the authors in a news release.“It is a technically straightforward matter to copy the data from a Passport Card’s RFID tag into another, off-the-shelf tag.”
“Our work suggests that as deployed, Passport Cards and Washington State EDLs possess security and privacy deficiencies that have the potential to compromise border security or render it more fragile than necessary and desirable,” the authors wrote.
DHS officials previously have defended the design of the cards. To protect privacy, the cards transmit only a reference number that must be matched with a secure database to obtain personal information.
Laura Keehner, a spokeswoman for DHS, said the technologies on the passport card and Washington State EDL tested in the RSA study have been updated since then, with additional security features. Because it tested older versions of the cards, the RSA study is “outdated,” Keehner said.
Details on the security features were not immediately available.
That reference number may be tracked and records compiled to profile an individual, and if cloned and disabled identification cards begin appearing that may undermine the effectiveness of the entire border control system, the study said.
The researchers also found that the RFID tags in the passport cards are subject to scanning at a long range, exceeding 150 feet under certain circumstances. The protective sleeve provided with the passport card effectively prevents such scanning.
However, the EDL is not completely protected by its sleeve and may be subjected to malicious software code and cyberattacks from nearby radios or from unauthorized RFID readers, the study found.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.