New federal ID cards easily cloned, study says

Some new border-crossing identification cards are easily cloned, may be scanned at up to 150 feet, and may be susceptible to being disabled, according to a new study from RSA Laboratories and the University of Washington.

The resulting vulnerabilities create risks of impersonations and identity theft, cyberattacks that can destroy the cards, and tracking of individuals through unauthorized readings, the study said.

The scientists reviewed the U.S. Passport card, which is being produced jointly by the Homeland Security and State departments as a low-cost alternative to United States passports for land and sea border crossings, and the Washington State Enhanced Driver’s License (EDL), which is being produced in conjunction with DHS. The study was published Oct. 22.

Both of the cards have Generation2 Radio Frequency Identification tags, along with a sleeve that offers some protection against unauthorized reads. The sleeve for the passport card is more effective than for the driver’s license, the authors said.

The study found that both identification documents can be readily copied with off-the-shelf RFID tags and generic cards. Furthermore, a key anti-cloning feature of the technology is not being deployed in the cards.
 
“Our research confirms the vulnerability of Passport Cards and Enhanced Drivers Licenses to copying attacks of their electronic RFID components,” state the authors in a news release. “It is a technically straightforward matter to copy the data from a Passport Card’s RFID tag into another, off-the-shelf tag.”

“Our work suggests that as deployed, Passport Cards and Washington State EDLs possess security and privacy deficiencies that have the potential to compromise border security or render it more fragile than necessary and desirable,” the authors wrote.

DHS officials previously have defended the design of the cards. To protect privacy, the cards transmit only a reference number that must be matched with a secure database to obtain personal information.

Laura Keehner, a spokeswoman for DHS, said the technologies on the passport card and Washington State EDL tested in the RSA study have been updated since then, with additional security features. Because it tested older versions of the cards, the RSA study is “outdated,” Keehner said. 

Details on the security features were not immediately available.

That reference number may be tracked and records compiled to profile an individual, and if cloned and disabled identification cards begin appearing, that may undermine the effectiveness of the entire border control system, the study said.

The researchers also found that the RFID tags in the passport cards are subject to scanning at a long range, exceeding 150 feet under certain circumstances. The protective sleeve provided with the passport card effectively prevents such scanning.

However, the EDL is not completely protected by its sleeve and may be subjected to malicious software code and cyberattacks from nearby radios or from unauthorized RFID readers, the study found.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
