New federal ID cards easily cloned, study says

Related Links

RSA study URL

Some new border-crossing identification cards are easily cloned, may be scanned at up to 150 feet, and may be susceptible to being disabled, according to a new study from RSA Laboratories and the University of Washington.

The resulting vulnerabilities create risks of impersonations and identity theft, cyberattacks that can destroy the cards, and tracking of individuals through unauthorized readings, the study said.

The scientists reviewed the U.S. Passport card, which is being produced jointly by the Homeland Security and State departments as a low-cost alternative to United States passports for land and sea border crossings, and the Washington State Enhanced Driver’s License (EDL), which is being produced in conjunction with DHS. The study was published Oct. 22.

Both of the cards have Generation2 Radio Frequency Identification tags, along with a sleeve that offers some protection against unauthorized reads. The sleeve for the passport card is more effective than for the driver’s license, the authors said.

The study found that both identification documents can be readily copied with off-the-shelf RFID tags and generic cards. Furthermore, a key anti-cloning feature of the technology is not being deployed in the cards.
 
“Our research confirms the vulnerability of Passport Cards and Enhanced Drivers Licenses to copying attacks of their electronic RFID components,” state the authors in a news release.“It is a technically straightforward matter to copy the data from a Passport Card’s RFID tag into another, off-the-shelf tag.”

“Our work suggests that as deployed, Passport Cards and Washington State EDLs possess security and privacy deficiencies that have the potential to compromise border security or render it more fragile than necessary and desirable,” the authors wrote.

DHS officials previously have defended the design of the cards. To protect privacy, the cards transmit only a reference number that must be matched with a secure database to obtain personal information.

Laura Keehner, a spokeswoman for DHS, said the technologies on the passport card and Washington State EDL tested in the RSA study have been updated since then, with additional security features. Because it tested older versions of the cards, the RSA study is “outdated,” Keehner said. 

Details on the security features were not immediately available.

That reference number may be tracked and records compiled to profile an individual, and if cloned and disabled identification cards begin appearing that  may undermine the effectiveness of the entire border control system, the study said.

The researchers also found that the RFID tags in the passport cards are subject to scanning at a long range, exceeding 150 feet under certain circumstances. The protective sleeve provided with the passport card effectively prevents such scanning.

However, the EDL is not completely protected by its sleeve and may be subjected to malicious software code and cyberattacks from nearby radios or from unauthorized RFID readers, the study found.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.