Video: Hacker war drives San Francisco cloning RFID passports

Think of it this way: Chris Paget just did you a service by hacking your passport and stealing your identity. Using a $250 Motorola RFID reader and antenna connected to his laptop, Chris recently drove around San Francisco reading RFID tags from passports, driver licenses, and other identity documents. In just 20 minutes, he found and cloned the passports of two very unaware US citizens. Fortunately, Chris wears a white hat; his video demonstration is meant to raise awareness of what he calls the unsuitability of RFID for tagging people. Specifically, he's hoping to help get the Western Hemisphere Travel Initiative -- a homeland security project -- scrapped. Perhaps you'll feel the same after watching his video, posted after the break.
Read -- Western Hemisphere Travel Initiative
Read -- RFID passports cloned
Pffft, Motorola. What a noob.
Ya, that "noob" using Motorola hardware cloned someone's driver's license and passport information. Any "noob" with similar hardware could potentially do the same, but I guarantee that they won't use the information as kindly as he did.
Reason why my RFID-enabled license card and passports will be meeting with my friend Mr. McMagnet.
...that would work better if RFID used magnetism at all.
http://www.wikihow.com/Protect-Your-RFID-Enabled-Passport
haha read that article,
cover it in foil or microwave it
or just hit it with a hammer.
Actually, what you need is a Faraday cage:
http://www.emvelope.com/
It should be easy enough to test whether it works.
Don't forget to get your free grand slam breakfast from Denny's tomorrow. :)
Magnets won't do anything, but a big boot will do the job on a passport quite readily...
I do not think a magnet would help. You would need to prevent the RFID chip from getting read. The chips work by sending their data via radio waves. You need to shield your RFID passport or credit card with something like this protective RFID blocking sleeve: http://www.rfid-shield.com/products.php
Scary shit.. I hope his work has the government thinking. I hope I never carry around an RFID tag.
"i hope i never carry around an RFID tag" - erm, why?
Just because this particular kind of RFID tag isn't that suitable for being used in passports doesn't mean RFID can't be a cool and useful technology. The tags that are being used are EPC tags, designed for tracking products around the supply chain. There are loads of tags more suitable for use in passports, with much smaller read range, integral encryption, etc.
Don't be tempted to consign an entire technology to the rubbish heap because of one dumb implementation.
In 20 minutes he actually found and cloned 10 passports, but reported 2. Perfect Cover!
TAG! You're it.
Big Brother just got owned by a fat English hacker.
Justice at its sweetest.
I can't wait til the mainstream media gets a hold of this. $5 they call this guy a 'terrorist'.
Mainstream media has already been all over the new fancy chipped passports several times, as have loud security experts in every nation they've been introduced.
All for deaf ears.
Wow, wonder why they did not compare standards from Seoul and Tokyo. I've been using RFID in both places for almost 5 years without any security issues...
What's his beef with WHTI? That program has nothing to do with RFID (the link points to just one part of the program). Its primary goal is to reduce the amount of acceptable documents one can use to enter the country,
Was he able to crack the information on the RFID or just copy it? He kind of slips off into confusing talk at the end. Having the data is still no good if you go through clearance, since your face and other biographic data pops up when the CBP officer scans your passport.
I hope people recognize what a good thing he's doing by doing this. By making people aware RFID has huge problems, it may result in greater national security because instead of ignorance allowing all sorts of ne'er-do-wells to get people's private data, perhaps a more secure system that at least needs physical contact might be used for these kinds of things. I mean, it wouldn't be that hard to put flash memory with a good layer of encryption (to be handled off site, unlike the encryption on current credit card RFID tags,) in a credit card sized/passport sized device. It might even be something of a challenge to spoof. Maybe. It'd be better than RFID system atleast.
good job man!
EZ-Pass also has a RFID tag in its casing. Now thats some scary shit, hed be able to see where your going as long as you got scanned underneath a toll
YOU'RE. Where YOU'RE going.
One should note that he's talking about a "passport card" - which is the new EDL, or Enhanced Drivers License. These cards are combo passports & drivers licenses, and only work at specific drive-through & seaport checkpoints. Border states are the only ones who are issuing them (presently), such as Washington, Vermont, and Arizona.
http://www.dol.wa.gov/about/news/priorities/edl.html
As far as I can tell, he wasn't able to read normal ePassports - which have a protective material built into the cover.
Additionally, the number he was pulling is a number that only has meaning to the EDL/CBP databases. As I understand it, a person would "wave" their card at a checkpoint, and the reader would capture the number (just like Chris did). The number itself is meaningless until the system looks up name, address, picture, other biometrics, etc, and either a human officer, or a biometrics matching system would verify the individual and border crossing rights (i.e. citizenship & residency).
So getting your number alone would do no good, unless you were also able to fool the biometrics information. There is no "personal data" on the RFID chip (and yes, I do realise the def'n of "personal data" could be debated).
But I don't disagree with the purpose of his exercise - I'd much rather have a smart card (which requires physical contact) for this application.
I will also add that his comments re: correlating multiple RFID tags are also spot on! However, this can be done with ANY RFID tag (including those little speedpass tags, your office keycards, RFID credit cards, etc) - it's not just an issue w/ the Passport Cards and EDL's.
"So getting your number alone would do no good, unless you were also able to fool the biometrics information. There is no "personal data" on the RFID chip"
Only a very small subset of RFID chips are "ID only". The large majority of chips contain a manufacturer embedded, non-volatile ID, like the one referred to in the article, but they also contain varying amounts of user-writeable bits.
The big-picture problem with RFID use in situations where personal data is used is that clueless implementors store actual user information in that user writeable space, not in the private, hard-to-access centralised database. It allows systems to operate neatly without a centralised database (no need to lookup the ID, you can get all the info you need from the chip), but it's ripe for exploitation, both by users tweaking their own chips and by others cloning them.
@Dan:
OTOH, info in the central database is vulnerable to attack and seizure of all (or large parts) of the data, completely out of my control. Data in an RFID in my tinfoil wallet lies within my responsibility, and my ability, to protect.
(Of course, I might be advocating this for someone other than the devil, if it wasn't quite likely the data is exposed on a central server anyway in most such systems, so you're adding, not replacing, vulnerabilities...)
Normal US passports with built in shielding are still a risk because of the natural tendency of the cover to open slightly. Also even with the best shielding whenever you open it to be read anyone in the area will be able to read and record it. 2-D bar codes can be used for most things RFID are being used for.
http://www.youtube.com/watch?v=DBo_dnQrkCw
http://en.wikipedia.org/wiki/Datamatrix
I just got a cheap RFID reader from tikitag.com. It recognises my UK issued passport, but says as it's not a tikitag I can't associate it with an application. I'm definitely going to get some tinfoil and verify I can protect the tag from being read!
I expect him to get a call from the Homeland Insecurity, charging him with a crime - probably a list of "crimes" so that one of them might stick.
Why bother? They can just 'extraordinarily render' him to a friendly (read: totalitarian) nation and have him tortured indefinitely without making a single charge.
Smash it with a hammer. It's easier.
They are issued with a sleeve that has aluminum foil as an inside liner.
This guy is a hero. Thank Jesus we have white-hat hackers like this working for the public good. Imagine how much damage this guy could do if his intentions were malevolent. I would bet there are probably dozens of black-hat hackers doing this type of thing as we speak, but unfortunately, they don't publish their videos on Engadget.
You're welcome.
The RFID passports are proximity cards:
http://en.wikipedia.org/wiki/Proximity_card
Which means he'd have to get that crazy device of his 0-3 inches in order to read the tag. Didn't people notice he was trying to scan them? Also how did he read them driving by? It takes a couple of seconds to read the card. Maybe he ran them over and then scanned them...
Once again: regular scanners need close proximity to read RFID tags of this sort. One simply needs to use an irregular scanner, running at higher power, to read them from longer distances up to several yards... OK? We've been at this for years now. The vendors are full of it, they are lying, not telling the truth, I am questioning the veracity, it is not a fact, a falsehood is being told. The cards can be read from a distance. The experiments are many and this is one of them.
Do you actually think they made us carry those cards for fun? They're conditioning us to accept the things. Reading a passport with eyeballs has worked fine. The RFID cards are no less copyable than a paper passport. Those cards can be scanned from a distance, in large numbers, by the proper equipment, and believe me, they possess the proper equipment. They are crowd scanning devices in embryonic form. What other purpose could they have?
I used to work for a firm that made RFID dongles (see SDiD forums) and I know for a fact that while you can increase the power of the reader antenna to make the card receive the signal the reverse is not true. The card will only generate an output for proximity based on 0-3 inches. You CAN'T read data from the card past that level. Period.
@JR: Wow. So it's impossible to use amplifiers and/or high-gain antennae to pick up weak signals beyond design range? Good to know, then.
I'm going to chalk it up to ignorance (Heinlein's razor), but you need to be aware that you could look like part of a conspiratorial coverup when you identify as one of ''them'' and spew forth reassuring nonsense. If you don't know it, don't talk like you do.
I pray you are joking/trolling Benson, if not then I guess I'll pray for your mental health.
He wasn't using a high gain antenna. Look at it. Do you even know what one of those is?
Even if there is a conspiracy, this guy's bogus and a liar. He's a fear-monger plain and simple, and if people like him get to decide policy we'd all be living in log cabins cowering around our windows with shotguns. Boo Luddites, boo.
"He wasn't using a high gain antenna. Look at it."
I wouldn't call it high-gain but it's certainly directional - 6dBi gain over a 60 degree beamwidth. It's a Motorola AN400 if you want to look up the specifications - I'm planning on replacing it with a pair of 15dBi yagis at some point.
"Even if there is a conspiracy, this guys bogus and a liar."
You seem to be confusing "vicinity read" technologies (such as the EPC Gen2 tags in EDL and PASS) with more conventional "proximity read" technologies (such as my previous work cloning HID cards). EPC Gen2 has a designed read range of 20-30 feet. Might I suggest you watch the video, come to Shmoocon and see my demonstration (and examine the kit up-close if you'd like), do some googling for "epc gen2 read range", and then re-think your comments?
EPC cards are vicinity RFID tags and are usually 15693, which have a much larger range. That's because you want the large range in a warehouse. The e-Passport is made with proximity tags which, according to this article:
http://www.rfidjournal.com/article/view/1951/1/1
"The ISO 14443 specification permits chips to be read when an e-passport is placed within approximately 10 centimeters of an RFID interrogator (reader)". Last time I checked 10cm was around 3 inches.
I stand by what I've said. I've done the engineering, I've done the research. I've made an attenuated bidirectional antenna and you can't get the range. Myself and the rest of the RF engineers weren't able to do it. None of our competitors were able to either. We worked on this stuff for 2 years trying to squeeze an extra centimeter out of that crappy 14443 spec. You can't do it. This guy is a bold faced liar and a fear-monger.
Wow.
EPC Gen2 (aka ISO18000-6) - 900MHz.
ISO14443 - 13.56MHz
ISO15693 - 13.56MHz
Totally different systems based upon a totally different communication mechanism (electrical modification of the tag's reflectivity coefficient versus differential power consumption via a magnetically coupled pair of coils) and operating at a totally different frequency. Saying that EPC tags are "usually 15693" just demonstrates your lack of clue since they really couldn't be more different. The specification is online at http://www.epcglobalus.org/dnn_epcus/KnowledgeBase/Browse/tabid/277/DMXModule/706/Command/Core_Download/Default.aspx?EntryId=292 if you want to go read it. ISO14443 and 15693 tags cannot be read at long-range - but these aren't either of those specifications, and are actually wildly different from them.
The RFID firm that you used to work for - let me guess, HID?
Nope Wireless Dynamics (read above).
Here's the thing: ePassports don't use EPC tags. I've never read anything that says they do. You are probably right, he could drive through a warehouse and pick up some tags. Who cares? He's saying that you can do that with ePassports and you can't. They aren't EPC tags. Feel free to post a link saying they are if you still think they are.
FYI Still sticking with what I said before...
So here are a couple more links. This one is from the EPC global site asking questions about security:
http://www.epcglobal.org.hk/enews/epc_page.php?newid=374
Quote: "So you need to keep that data more secure. For that reason, the ISO 14443 chip architecture, with its very short read range, is used [for the passport]."
Here, this one talks about the bidding wars for A and B variants of 14443:
http://www.eetimes.com/news/latest/showArticle.jhtml;jsessionid=JWPXZYTYCXYT0QSNDLPSKHSCJUNN2JVN?articleID=52200157&_requestid=19538
Also the one I posted earlier. So how did you do it Chris? How did you read short-range (10cm or less) cards (that take up to 2 seconds to read) in a car by driving by people?
OK, I think I see your confusion here. I'm cloning the PASS card - http://travel.state.gov/passport/ppt_card/ppt_card_3926.html You're correct that the passport uses 13.56MHz chips - the PASS card and Electronic Drivers License use EPC Gen2 tags. Different system.
I guess we did have a bit of miscommunication back there. If you weren't talking about passports I apologize. You were right that unsecured PASS cards can be read from 20-30 feet. But...
PASS cards are for North American travel only and all they have on them is a number that is looked up in a database to retrieve information. They are also supposed to be kept in a metallic sleeve:
Frank Moss: "I also think that it is noteworthy to mention that even in the PASS card, the vendors proposing a solution must provide a [metallic] sleeve to keep that card from being read until it is removed from the sleeve."
http://www.epcglobal.org.hk/enews/epc_page.php?newid=374
Leaving yourself open to attack this way is as dumb as leaving your Visa laying around. Just keep it in the sleeve until you need it.
The vicinity chip portion of the EDL contains only a unique number as well. From the Washington State website:
"The passive RFID tag embedded in your EDL/ID doesn’t contain any personal identifying information, just a unique reference number."
http://www.dol.wa.gov/driverslicense/edlfaq.html#rfidpersonal
It also comes with a sleeve. Both of these documents don't contain personal info and they will be checked by border patrol as well.
Here's the kicker. There isn't any personal information on the card, only a unique number. You don't have any way to associate that number with a person that you read it from. So what's the scandal?
Two points here - firstly, RFID is an unknown technology to most people. If they don't understand that their tags can be cloned from 20-30 feet away, why should they bother to protect them? Secondly, according to the UW research paper at http://www.rsa.com/rsalabs/node.asp?id=3557 , the sleeves supplied with Washington-state EDLs are ineffective at shielding the tags from a standard reader (albeit with reduced read range). If you have no viable way to protect the identity documents which are vital to your everyday life, what are you supposed to do?
"The passive RFID tag embedded in your EDL/ID doesn’t contain any personal identifying information, just a unique reference number."
Your credit card is just a unique reference number, as is your SSN. Both are considered sensitive information by themselves, due to the purpose that they serve. The fact that it's just a number is irrelevant - it's what happens to that number and how it is used that's important.
It also comes with a sleeve. Both of these documents don't contain personal info and they will be checked by border patrol as well.
How? If a border patrol officer encounters a WHTI document with an incorrect or non-functional RFID tag in it, how will they respond? How much security at the border is actually dependent upon that RFID tag? These questions have yet to be answered by DHS, so nobody knows for sure how much access that ID number could give you. If the processes surrounding the authentication of RFID-enabled documents are as vulnerable as the tags themselves, this system could be opening up US borders to anyone with $250 and an eBay account. I'd hope it's nowhere near that bad, but until DHS answer some questions it's impossible to say for sure.
The fact that it's just a number is irrelevant - it's what happens to that number and how it is used that's important
It is relevant because of how it's used. SSN, Visa, Drivers license numbers are all a means of identification outside of the government. The RFID number is only used inside the government. It's a subtle but important detail. This number is only used to grant a government official (ie border patrol) access to your personal information. It doesn't give anyone else access to that information. It can not be associated with you in any other way. In other words it has no meaning outside of that database and can't be considered personal information.
How? If a border patrol officer encounters a WHTI document with an incorrect or non-functional RFID tag in it, how will they respond?
Quote Frank Moss: "Cloning the chip is possible—it's essentially taking a digital photocopy of a chip. But cloning a chip doesn't mean you've made a fake passport that will get you into a country. [U.S.] passports also use watermarks, ultraviolet and infrared security features. And at the end of the day, you have the inspector doing checks on the passport and on you. If a reader were to crash because of the passport you were carrying, it would mean you'd be inspected more carefully."
That number alone isn't enough to get you through the border. That's what Border Patrol agents are for. They are the defense of the border. Whether they can be trusted to do their jobs or not is outside the realm of RFID.
SSN, Visa, Drivers license numbers are all a means of identification outside of the government. The RFID number is only used inside the government. It's a subtle but important detail.
You are correct, but only to a point. As I explain in the video, you can correlate the long-range EPC Gen2 tag against other short-range tags about your person (credit card, whatever) by using multiple readers at a choke point (a doorway, for instance). This correlates that ID number to an identity (digital photo is optional), which you can then track at a distance using the long-range Gen2 tag. Even without other tags, you can drive around taking digital pictures whenever you can see a tag - if you see the same tag twice, look for the person in both pictures. Instant identity.
As long as I can drive around downtown San Francisco harvesting cloned passport cards, there is a problem with either the shielding technology or the message that people are being given about the importance of it. Something is wrong here, and we need to find out what it is (and fix it if possible) before it's deployed to every drivers license issued by every state.
That number alone isn't enough to get you through the border. That's what Border Patrol agents are for. They are the defense of the border. Whether they can be trusted to do their jobs or not is outside the realm of RFID.
DHS has repeatedly claimed that RFID tags in identity documents add security (such as http://www.dhs.gov/xnews/releases/pr_1161115330477.shtm, where "enhancing the security of our citizens and travelers" is the third line). I want to know how. These tags are designed for cattle and shipping crates, not people - they have no security at all and are completely unsuited to this application. Aside from the warcloning issue there's still myriad different attacks against the system that bring it to its knees - how is there security here?
If there's no security being added by the RFID tag, then the security of the PASS card is dependent solely upon its other features and the ability of the CBP officer. Since CBP are now hand-inspecting every PASS card for verification, how has the RFID tag sped up the border crossing process?
We have no added security and no added speed through borders because of this RFID tag, so why exactly is it there? Given its distinct lack of benefits, is it really worth the risk that the bad guys can end up making realtime Google Maps mashups of large swaths of the population - in exchange for whatever meager arguments are left in favour of it?
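An added illustration of the tracking argument above, written for this page and not code from Chris Paget or anyone in the thread: it runs the same analysis over constructed reader logs for two card designs. A card that answers every read with the same fixed number can be followed between readers and tied to a name at a choke point; a card that answers with a fresh random identifier each time (a design used by some proximity chips) gives the same logs nothing to link. All log entries, reader names and badge holders are constructed for the example.

```python
"""Why a "meaningless" unique number is still a privacy risk.

Constructed example: simulated reader logs for a static-ID card (same number
on every read, EPC Gen2 style) and for a card that emits a fresh pseudo-random
identifier on every read. The same log analysis is run over both designs.
"""
from collections import defaultdict
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Sighting:
    t: int        # seconds since the start of the constructed observation window
    reader: str   # constructed location label of the reader that saw the tag
    tag_id: str   # identifier the card answered with


# Constructed: three static-ID cards pass a set of long-range readers.
# "lobby" is a choke point that also has a short-range badge reader.
STATIC_ID_LOG = [
    Sighting(0,    "lobby",  "EPC-A1"),
    Sighting(3,    "lobby",  "EPC-B2"),
    Sighting(30,   "lobby",  "EPC-C3"),
    Sighting(610,  "bridge", "EPC-A1"),
    Sighting(615,  "bridge", "EPC-C3"),
    Sighting(1800, "market", "EPC-B2"),
    Sighting(1820, "market", "EPC-A1"),
]

# Constructed short-range badge reads at the same choke point: (time, badge holder).
BADGE_LOG = [(0, "alice"), (3, "bob")]


def build_tracks(log):
    """Group sightings by identifier; a track is the time-ordered list of (t, reader)."""
    tracks = defaultdict(list)
    for s in sorted(log, key=lambda s: s.t):
        tracks[s.tag_id].append((s.t, s.reader))
    return dict(tracks)


def trackable_ids(tracks, min_locations=2):
    """Identifiers seen at two or more distinct readers: these can be followed around."""
    return sorted(tid for tid, seen in tracks.items()
                  if len({reader for _, reader in seen}) >= min_locations)


def chokepoint_linkage(log, badge_log, reader="lobby", window=1):
    """Risk assessment for a choke point: a long-range read that coincides (within
    `window` seconds) with a short-range badge read can be tied to that badge holder.
    Returns the tag_id -> name mapping such a choke point would yield."""
    names = {}
    for s in log:
        if s.reader != reader:
            continue
        t_badge, holder = min(badge_log, key=lambda b: abs(b[0] - s.t))
        if abs(t_badge - s.t) <= window:
            names[s.tag_id] = holder
    return names


def randomised_read_log(movements):
    """Simulate the mitigation: the same people make the same movements, but the card
    answers every read with a fresh random identifier, so no stable number exists."""
    return [Sighting(t, reader, "RND-" + secrets.token_hex(4)) for t, reader in movements]


def compare_designs():
    """Run the identical analysis over both designs and return the trackable IDs."""
    static_tracks = build_tracks(STATIC_ID_LOG)
    movements = [(s.t, s.reader) for s in STATIC_ID_LOG]
    random_tracks = build_tracks(randomised_read_log(movements))
    return trackable_ids(static_tracks), trackable_ids(random_tracks)


if __name__ == "__main__":
    static_trackable, random_trackable = compare_designs()
    print("static-ID cards that can be followed:", static_trackable)
    print("names a lobby choke point yields:", chokepoint_linkage(STATIC_ID_LOG, BADGE_LOG))
    print("random-ID cards that can be followed:", random_trackable)
```

With the static design every card seen at two readers is followable and two of the three are named by the lobby join; with per-read random identifiers the same seven sightings collapse into seven unlinked one-off tracks.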
The only thing that ID that you've stolen gives you is the ability to travel across the Mexican-US border and the Canada-US border. It doesn't serve as a form of ID like a drivers license. The EDL also contains a proximity chip (unless I misread). The proximity chip serves as a means of ID but not the vicinity chip. So you are worried about the bad guys being able to travel freely around NA?
@thomas_malkin: wow... 1984 much?? Hmm... which is faster? Reading a piece of paper and entering it in a computer or AUTOMATICALLY querying a reference number in a database from an RFID tag? Obviously RFID tags in passports speed things up and were included to shorten wait times in lines.
Watch out for that black helicopter flying over your head...
Was I the only one waiting for a white van to drive next to him on the street and throw him in?
Phewww...luckily when I go out in public, I wear an aluminum foil suit anyway! Don't want the government tracking me!
i will now use a wallet made of duct tape and tin foil
You guys don't really get the point I think, or maybe I'm just way off.. it doesn't matter if he can get any "information" off the card. I think the point he is trying to make is this way you can be tracked at long range all over the country/continent. Because you can find these unique tags over such a long range by just driving by, you can easily be logged. It's a privacy issue. They don't steal all your personal information by doing this, they just invade your privacy by tracking you everywhere. But then again they already do with cellphones.
And only the government has the capability to pull off any kind of long distance tracking required for your scenario. So unless you are doing something illegal that would get the Gov a warrant for such a venture, you really have nothing to worry about.
Because governments (all of them) have such a wonderful track record for only pursuing bad people. They never make a mistake.
http://news.bbc.co.uk/2/hi/uk_news/4288682.stm
http://news.bbc.co.uk/2/hi/europe/6316369.stm
http://us.imdb.com/title/tt0854678/
Watch out!
@ z0phi3l
Once a government thought that killing jews was alright.
I don't think the point is the fact that your personal info can be taken (SSN, DL, Address, etc.) by some would-be ID thief, because the thief would have to have access to the Government database in order to tie your RFID tag to your personal info. But the point is these tags do produce a unique number, and who is preventing him from creating a database of his own and setting up these receivers all over the city? Who is preventing the government from setting up receivers throughout the country to track where people are? They already have the database; they can just as easily set these up on the freeways to grab your info when you drive by. This guy is worried that they will start putting these RFID tags in all Drivers Licenses and Identification Cards in order to expand their database. How long until they start tagging Babies with RFID so they know who everyone is and where they are at all times?
"How long until they start tagging Babies with RFID so they know who everyone is and where they are at all times? "
How do you know this is not already being done?
You guys miss the real scary scenarios here.
The cards can be read at 66ft, maybe not the data, but the RFID chip can be pinged.
Only westerners carry RFID-equipped cards, so someone could tell how many westerners are in a 132 ft radius. Or could find the unique code and use it to ID someone, make sure you are grabbing the right person.
It's a little more Hollywood than reality right now, but then again pre-9/11 flying planes into buildings was too.
It has certainly been suggested in the past that it would be possible to ID US citizens remotely with this sort of tech
A few points:
1) This is a "vicinity read" tag rather than a "proximity read" tag like the regular passport. It's designed to be read at a range of 20-30 feet (which is what I get already), with suitable amplifiers and antennas it's possible to read these things from over a mile away. EPC Gen2 tags don't use a magnetic coupling like traditional RFID - it's much closer to RADAR.
2) Don't go smashing any RFID tags just yet. Nobody knows what the rules are if you try to get through the border with a disabled tag - I certainly wouldn't want to be the guinea pig.
3) WHTI needs to be scrapped because it explicitly calls for the inclusion of this tag technology in all WHTI-compliant documents. If you have a passport card, electronic drivers license, or any of the other 3-4 card types that make up WHTI, you have a vicinity-read RFID tag.
4) As for the tinfoil shields - according to UW, electronic drivers licenses can still be read when inserted into their protective sleeve. I'd rather just not have the tag in the first place.
RFID Chips were never made for security reasons but to slowly track everybody down when necessary. Big Brother will be watching you in the future even more. All that stupid "terrorist prevention". All the 9/11 "terrorists" traveled with their original passports anyway. That's what makes them so dangerous, nobody knows who they are. They don't need to disguise themselves.
It's depressing to see what we are becoming. Dumb cattle which doesn't mind giving up freedom because they think they get more security. It makes me sad to hear the national anthem these days, especially the part "Land of the free" with laws like the Patriot Act passed. Call me paranoid, but the idea of getting arrested for an indefinite time with no right to see a lawyer because I am a terrorist suspect doesn't make me feel free. And the fact that upon release I cannot talk to anybody about it doesn't help the situation either.
But hey, I've got a RFID chip up my ass all time to feel secure about my life.
Funny how the president doesn't have wifi in his office for security reasons. It looks to me that when it comes to security "over the air communications" is a big NO so why have those chips in my passport and ID?
Speaking about cattle, they already wear RFID tags in the ear.
What about people that think this (RFID) is the Mark of the Beast?
Hi all, so you might wonder "would the military industrial complex try to make a complete RFID tracking network on interstate highways in order to monitor warehouse supply chains and create Total Transportation Domain Awareness Centers of Excellence"? That sounds nuts, but as it happens in my day job I stumbled into 700+ pages of documents from the Minnesota Department of Transportation that spell out in precise detail how this plan is getting rolled out. You can download the whole darn thing, and you should! (Thank the MN Data Practices Act!)
http://www.politicsinminnesota.com/2008/aug/19/now-searchable-mndot-nasco-nafta-superhighway-document-stash
http://www.politicsinminnesota.com/files/nasco-documents-ocr.pdf
I did OCR on them so it is fairly searchable now.
It hasn't gotten the notice it should, but reading through this shows EXACTLY how RFID will be used by these guys to create a total tracking system - that could then be extended to catch items like RealID RFID'd drivers licenses using high-gain antennas. Also this is how you could implement a Big Brotherish "Mileage Tax" that they are going to try to do in Oregon.
The umbrella system is called NAFTRACS, and it was created by SAVI Networks which got bought out by Lockheed Martin. The agenda of the North American Super Corridor Coalition (NASCO) is to roll out NAFTRACS on I-35 and I-94, and nonprofit NASCO is effectively bankrolled by Lockheed and intended to be the "Systems Integrator", i.e. lead contractor controlling subcontracts, in a manner similar to the "Deepwater" Coast Guard upgrade debacle.
NAFTRACS is supposed to 'clone' the Pentagon's main shipping container tracking system, which is I believe GTN or Global Tracking Network, controlled at some facility called The Lighthouse. The data feeds from this whole system would be then resold by Lockheed's business unit here in MN (Eagan), presumably so that Wal-Mart et al could subscribe to all the deep shipping data of their competitors, or whatever. The data would be congealed into "Total Transportation Domain Awareness Centers of Excellence" which I would judge to be like Jack Bauer's Traffic Control Office. (these "centers of excellence" are the latest "fusion center" contractor ongoing cash racket. See that nasty 'homegrown radicalization' bill for a parallel example)
The design of all these systems, from the emails of PR strategy to the federal grant applications, is spelled out in this block of multi-PDFs collected from several Data Practices requests, and I strongly encourage the Engadget set to look deeper into this. I was amazed by the whole thing, and yet have not been able to get word out about it far enough.... It is all part of the implementation of military-industrial tracking technology domestically, passive techs providing collection of yr tracking datas WITHOUT a warrant.
These are definitely the droids you're looking for. For further inquiry contact dan AT politicsinminnesota.com . Thanks guys & please get this out.
So what did he actually do on this video? All I see is a bunch of talking, whereas other researchers actually proved something.
I think this is just to try to create a lot of fear, and doesn't have much substance behind it. He basically drives around, and says that he picked up stuff, which could have been true or false.
The ePassports are using 14443, not EPC Gen 2, so I am not sure how he was able to pick up any passports.
@Duy - he's picking up "Passport Cards" and "EDLs" (Enhanced Drivers Licenses) - new documents that allow you to drive a car or boat across a US border. About 700,000 of them have been issued to date.
Chris isn't picking up "traditional" ePassports (i.e. passport books), which are required for international air travel. There are millions and millions of them issued so far (most of the western world and an ever-growing percentage of the developing world).
The two use different RFID technology, and have VERY different use-cases. (Have loved the comments of everyone who's knowledgeable on this topic - I've learned quite a bit.)
The only way RFID security in passports is going to change is if someone sits in Reagan National Airport with an RFID reader, clones the passports of members of Congress, Executive Branch officials, and high ranking military officers as they walk past, and then posts the results on the web. Otherwise, the powers that be don't care.
Somebody go for it.
You'd have to get cheek-to-cheek to lift their passport data - that's the issue here. E-passports use H-field parts, you generally need to be within a foot or so to interrogate them. What Mr Paget is discussing is getting the serial number off of a PASS or EDL card, which is quite different, and is just a serial number. There's no passport info there. And none of the congresscritters would have a PASS or EDL card anyway.
I guess if you were hellbent on shooting Canadians, you could use PASS to pick them out of crowds.
Paget isn't talking about "cloning" an e-Passport or a RealID or whatnot. He's talking about EDL, but he's CALLING it a passport. It's not. EDL is similar to the State Department's PASS system. EDL/PASS are ways of pre-registering your passport and drivers license info so that you can bypass a lot of the border crossing bullcrap as you cross over into Canada or the US.
It's intended to speed that up. In order to do that, it has to be readable from a distance, so they embed a very simple UHF E-field serial number tag into the PASS or EDL. The serial number is used to look up the person's passport and DL info from the registration process. That's it. There is no other info on PASS or EDL. The idea is that you can be verified "on the fly" as you drive past the border checkpoint or walk through a turnstile at the border.
e-Passports and many other types of cards, including every RFID credit card that I know of and the proposed RealID parts, are H-field type RFID parts that cannot be scanned in this manner. You can't drive around with a UHF E-field reader and read e-passports. H-field and E-field tags are apples and oranges.
I'm going to claim shenanigans on this one. Paget does say "EDL" up front but calls it a passport after that. It isn't. PASS doesn't contain any of your passport info, beyond a simple serial number that's used as a unique index in a database which contains the info you provided at registration. PASS/EDL are INTENDED to be distance readable, that's why they're designed that way. It's not some amazing loophole he's discovered. I'd hope Paget's simply being sloppy about his nomenclature but I have to conclude that he's purposely trying to get you to draw a false association between EDL and e-passports.
Paget: " It's designed to be read at a range of 20-30 feet (which is what I get already), with suitable amplifiers and antennas it's possible to read these things from over a mile away."
Hang on, there, bubba.
UHF E-field parts like PASS and EDL are powered by the interrogator, and signal back with backscatter modulation. For the most part, that 20-30 foot range is set by the energy density in the interrogator's signal - too far and that old inverse-square law will reduce the power density at the tag below the point that the tag can operate. Of course, the backscatter return is eaten up by the same rule.
I can't imagine the gain of the antenna you'd need, and the exciter power you'd have to have, to deliver enough power to a simple E-field tag from a mile away to get it to operate. Mainly because I'm at home and don't have immediate access to a representative tag's data sheet to see how much power density it takes with a reasonable tag assembly. Maybe if you had a big parabolic on both sides, a few tens of kilowatts of input power? Certainly you couldn't do it with a credit card sized antenna at the tag end. The RFID systems I've seen, and to which I suspect you refer, are semi-active systems with batteries in the tags. Not RF-powered E-field parts like PASS.
You're correct that I'm cloning PASS cards and EDLs (as well as the other cards that make up the WHTI) - I've tried to be pretty clear about the difference but most media outlets seem to be confusing the two. The original source (at http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/ ) is much clearer.
As for upping the range to a mile - the kit I'm using puts out 1W into 6dBi of patch antenna (with unknown efficiency). Upping that to 15-18dBi of yagi and a few hundred watts of RF (legal limit is 1500W with a ham radio license) will certainly put you in the right ballpark for a 1-mile read. 65 meters has been demonstrated using 10W into 12dBi of transmit antenna - look at slides 14 onwards in http://www.slideshare.net/ravipappu/ravi-pappu-google-tech-talk-2008. They claim 100% successful reads at that distance, so far greater range should be achievable with relatively little hassle. Whether a mile is achievable or not, you can't argue that these cards can be tracked from a significant range - that's the important point here.
"As for upping the range to a mile - the kit I'm using puts out 1W into 6dBi of patch antenna (with unknown efficiency). Upping that to 15-18dBi of yagi and a few hundred watts of RF (legal limit is 1500W with a ham radio license) will certainly put you in the right ballpark for a 1-mile read."
I think the issue here is that you're losing power density at the tag as the square of the distance to the tag, and losing the backscatter return signal as the square of the distance back to the interrogator. In addition, the tag's simple antenna likely has very little gain on the return, depending on the design; I'd expect most of them to perform like a dipole. Which all means there is a HUGE difference between 65 meters and 1600 meters in terms of power available to the tag. But it also means that the very small return signal from the backscatter modulator, which is deriving its power from the interrogator's field and is far from 100% efficient, is going to have to make it back those 1600 meters and not fall below the noise margin of the receiver. I don't think you can hand-wave it quite so easily. In essence, backscatter modulation is modulating the reflectivity of the tag. Trying to pick out the tiny variations of passive RFID backscatter returns which are at the interrogator's frequency leads to really terrible SNR issues for distant tags. As you increase the outbound power to drive the tag at a distance, and as the tag's reflectivity changes become smaller and harder to pick out at a distance, you have both sides of the issue gnawing away at your SNR. It is one thing to pick out a microwatt of reflectivity change from 1W of outbound power, it's another to pick out a nanowatt of reflectivity change from 10,000W of excitation. So it's not just inverse square problems with signal amplitude, you have a hellacious SNR issue that's related to the fourth power of the distance. If you have an active tag operating at a different frequency, it makes your job much easier.
We've worked on several projects involving RFID tags in various systems I can't really discuss but I'd have given chunks of flesh to be able to easily interrogate E-field tags from such distances (or better, H-field tags). The only system I know of that does mile distance tags is being looked at for a military application, and they use something like 1500W in the interrogator with an antenna gain in the 18dBi range, and that's just to get the poll signal to the tag. The tags are semi-active and have batteries for the return, and aren't powered by the interrogator. It takes 1500W just to get the tags to spot the poll reliably given their crappy antenna systems, small apertures, random orientation and relatively low receiver and antenna gains. The return signal is much larger since it's powered by the battery, and the return signal is not identical to the interrogator's frequency to make it a lot easier to separate from the outbound signal.
At any rate, I guess I'm not that alarmed by PASS or EDL being 'pingable' at 10 meters. Unless you've got a way to access the database, I'm not sure what the serial number can tell you, other than "someone's got a PASS in the room". Even if you clone the number into a fake PASS, the border guards are supposedly pulling up your picture with the serial number to confirm your identity, so you'd have to clone someone's number that looks a bit like you in order to do much with it. If you were bent on havoc, you could just as easily take a walk through the woods somewhere and cross the Canadian border without dealing with the issue at all.
On first thought, it also seems like you'd have some serious issues with the numbers of tags that would lie within your footprint as well at a mile's distance, even with a Yagi. At first thought, I'd say you're going to have some issues running an aloha anti-collision algorithm with the huge number of tags you'd have, as the time to run it increases exponentially with tag number. It also strikes me (admittedly without putting in much time to analyze it) that using something like aloha you might find it tough to separate out responses from both very distant and close tags reliably.
I've been working with low power levels and relatively low-gain antennas so far, but the ranges I'm seeing match up well to an inverse square relationship with power and the stated gains of the antennas involved. Extrapolating outwards from the data I have supports the theory that 300W of RF into 18dBi of antenna should give you a mile. Clearly you've worked at the power levels I'm only theorizing about at this point though, so I'm curious to identify the discrepancy.
Two data points:
1W into 6dBi (my system): ~20 feet
http://www.slideshare.net/ravipappu/ravi-pappu-google-tech-talk-2008 (slides 12 onwards):
10W into 12dBi: 213 feet.
10x power gives sqrt(10)=3.1x range, and twice the range for every 3dB of antenna gives another 4x. 4 x 3.1 x 20 = 248ft, not far off (and explainable by their insistence on 100% successful reads - to me, any read is a success). Extrapolating forwards from the second setup, 300W into 18dBi (admittedly a lot of power into a lot of antenna) should give 4 x 5.5 x 248 feet = 5456 feet, or 1.03 miles. Clearly my math and your experience are discontinuous somewhere - I'm curious where.
I'm toying with the idea of starting up an RFID hackers forum, so as to continue this thread (and others) in a more suitable environment. If that sounds interesting to anyone, ping me an email - ivegotta@tombom.co.uk.
So, this title is wrong? This guy Paget is not reading PASSPORTS at all, just the "PASS-CARDS"?
I misspoke - the company that's doing the semi-active tag pitch to the Army is using an omnidirectional antenna with about 6 dBi gain with the 1500W exciter for the outbound link. You can switch between an 18dBi directional antenna and an omni with less gain on the receive side.
http://www.wired.com/gadgets/miscellaneous/news/2007/07/steel_wallet
Maybe it's time for the "RFID scrambling pendant". Wouldn't take but a few microwatts of emission to step on the return from any E-field tag you're carrying. Only $19.95 from TomCo.
Hang on, you don't see the issue? It's always the same number... once you associate that number with a person, that person is marked and can be tracked anywhere. This may not be an issue now, but as it gains in popularity it will be. Much easier to try and stop it now rather than 2-3 years down the track when it's too late.
I mean I'm the type of guy I would have a reader in my house and use it even just to see when people are in range of me. IE when my neighbour gets home or to know to get ready to expect a visit.
Whoa, this is very similar to what happened in Cory Doctorow's novel, Little Brother. Check it out, it's a good read.
The title's way off. He's not cloning anything, just reading the IDs. Yes he's in a car, which makes it slightly more interesting than the ton of other people who've already read the IDs in the past and flagged the security risks, but that's about it.
This video is mostly sensationalism and contains some incorrect/misleading technical information. Also, the UHF EPC tag shown here is very different from the secure encrypted HF tag that is used inside ePassports. It's great that people are becoming more aware of potential security holes with RFID. But believe me the RFID industry is well aware of these and has created many security features to suit various applications. The real rfid security studies and hacks will never be published on public web logs like this, but simple testing as shown in this video serves a good purpose to keep up the public awareness.
Looks like somebody with too much time on their hands. Congratulations, you can read an RFID tag. Now what? Looks like someone that is confused about the whole "identity & privacy" issue.
If you are that concerned, get rid of your credit card, your cell phone and your on star equipped vehicle. All of which are trackable, traceable and all that goodness. Also, don't use the interwebs either. Better yet, don't register for a SSN card just to be safe. Oh, don't pay your taxes either.
Better yet, just kill yourself now.
Can anyone tell me why we need RFID tags in passports .... I mean really ???
"Clearly my math and your experience are discontinuous somewhere - I'm curious where."
Interesting - we had terrible SNR issues at those distances. Not to mention the issues with anti-collision problems. We were using a monostatic setup in an environment that was supposed to simulate MOUT, with lots o' multipath reflections. So the higher we cranked the output power, the worse the bounce got from buildings, cars, pavement, wiring and so on, and the more crap we got back from the antenna isolator. To be sure, you could use a bistatic antenna setup if you had the room and lose at least that contribution to bad SNR, with the downside being that as your antenna setup becomes more specialized it becomes more noticeable, which we were attempting to avoid. A Yagi and a circularly polarized UHF antenna with a nice reflector co-mounted with a rotator on a van roof looks ... odd.
Next, you're talking about using a Yagi, and I'm guessing that you are arranging the tag orientation in that case so that you get maximum reception. Most tag reading systems for real-world applications have to use a circularly-polarized interrogator antenna so that you can drive the card in more orientations, but that generally gives you less antenna gain than you'd get with a linearly polarized Yagi. The rule of thumb is that you lose about 3dB but the situation is often more complex. The guys I've seen at Black Hat talking about distance reads are using bistatic Yagi setups and very carefully orienting the cards for maximum coupling when held in an atypical framework, generally some plastic that's essentially transparent to UHF; I don't buy this as a real-world setup. You should have to test with cards in orientations you'd get on a person, and you should also either USE a person or a reasonable RF facsimile - people are a different load than free space, adding in the other stuff in their wallet will reduce your range considerably.
On the way to the tag, for simple cases the tag range in meters is given by (I don't think I can include mathcad formula jpg's - sorry for the format) -
Tag range = (L1 / 4PI) * SQRT( (Pt * Gt * G * p * t) / Pth )
where:
L1 : wavelength
Pt : transmitter power
Gt : transmitter antenna gain
G : tag antenna gain
p : mutual polarization efficiency
t : impedance matching coefficient between tag antenna and chip
Pth: tag operating threshold power for reads
This defines the range at which you can power the tag up for reads in free space. It's a lot more complex in an environment with reflections, or when the tag is on a person. The mutual polarization efficiency and impedance matching coefficient numbers are hard to come by, p depends on what sort of antennas you're using on both ends, and how they are oriented to each other.
For a circularly polarized transmit antenna and a linearly polarized tag, which is the typical configuration, the maximum p possible is 0.5. For a Yagi transmit antenna and a dipole tag that are tweaked to line up, it's more like 1.0. That shows that if you use an artificial setup like a Yagi, you can effectively double the read range. However, as I said before, I think that is unrealistic - for off-axis orientations of the card which will be the rule when it's on a person, the Yagi setup becomes much less efficient than the CP-LP setup.
As you can see, the dominant effect on powering up the tag is the inverse square of the distance. There's also a tag antenna gain factor, and another for chip-tag antenna impedance effects, and this is where the person comes in. A tag on a person behaves differently than a tag on a Teflon frame, and I've never seen an improvement on a person, it always cuts the distance.
This also assumes free space propagation. In a city environment, the multipath returns at the tag side can both enhance and reduce the available tag power, producing "dead zones" and "hot zones". For most environments we tested in, dead beat hot by about 2:1, but it is not predictable, especially with vehicles moving around. Sometimes you get lucky, but sustaining a reliable link in a busy environment at a distance is tough.
Now, that's the exciter-to-tag limit, which is set by the distance you can be and still power up the tag. Coming back from the tag is another matter. The simple equation is:
Pr = Pt * Gt^2 * G^2 * K * (L/ (4* PI * d))^4, where
Pr = power at receive antenna
Pt = transmit power
Gt = transmit antenna gain (this assumes a monostatic setup, if not then use GtGr instead of Gt^2)
G = tag antenna gain
K = modulation efficiency
d = distance
L = wavelength
This leaves out polarization efficiency, the percent of incident power consumed by the tag chip and thus not reflected and a few other bits and pieces, but you get the picture. The antenna gains help a lot, so anything you can do at the transmit end helps, but again it's a cheat to use a linearly polarized Yagi. The poor tag antenna gains hurt, and the big problem is that the distance to the tag comes in as an inverse fourth power, not an inverse square. This wreaks havoc with returns from distances. For most tag reads in sane ranges, the limit is the distance at which you can drive the tag. However, for a system in which you use high antenna gains and ungodly power to pump the tag, you'll run into the inverse fourth power signal loss issue coming back. The power input to the system comes in as a first power contribution but gets eaten away as a fourth power distance loss. That's an issue. In an environment where your receiver is seeing outbound power reflections from buildings, vehicles, the ground, wiring and the like, even assuming a bistatic antenna setup to ditch the stray returns from the isolator, you're going to be seeing a lot more of your drive signal than you are the return from the tags. You'll also be fishing around in the noise margin for the returns from a tag a mile away, and the RF noise in a city environment is pretty bad. Even using DSP techniques like correlating multiple reads and convolving the phase and amplitude modulation of the tag to differentiate the tag's signal from noise, you'll have trouble at a mile.
So you've got several biggies - getting enough power to the tag to drive it, the fourth-power path loss coming back, SNR issues with big drive power in a multipath environment, environmental RF noise and tag-person interactions (orientation, impedance, and tag antenna gain).
It's one thing to test in an open field with a Yagi and a low loss frame with optimal orientation. You might find it a bit more challenging on a moving person across downtown Tampa with a circularly polarized monostatic antenna and a large number of other Gen2 tags in your footprint.
It's an interesting subject and a fun hobby, although I get enough of it at work. At any rate, I think any RFID on your person should have been designed so that you have to press a membrane key on the card to allow it to respond, that would eliminate all of this and it's something easily designed in - some IC's support it but I've never seen it used.
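The inverse-square data-point extrapolation earlier in the thread (20 ft at 1 W/6 dBi, 213 ft at 10 W/12 dBi) and the two equations in the post above (forward-link tag range and the fourth-power backscatter return) carried through as an added Python example; this is not code from anyone in the thread. The 915 MHz frequency, dipole-like tag gain, polarization factor p = 0.5, matching coefficient t, modulation efficiency K and the chip turn-on threshold (picked so that 1 W into 6 dBi comes out near the ~20 ft quoted above) are all assumed values, not figures from the page.

```python
"""UHF RFID link budget: forward (reader -> tag) vs backscatter (tag -> reader).

Added example, not code from anyone in this thread. Carries through the thread's
two equations and its inverse-square scaling with assumed parameters.
"""
import math

C = 299_792_458.0          # speed of light, m/s
FREQ_HZ = 915e6            # assumed: centre of the US UHF Gen2 band
TAG_GAIN_DBI = 2.15        # assumed: tag antenna performs like a dipole
POL_EFF = 0.5              # p: circularly polarised reader vs linear tag (max 0.5)
MATCH_EFF = 0.8            # t: chip/antenna impedance matching (assumed)
MOD_EFF = 0.25             # K: backscatter modulation efficiency (assumed)
FT_PER_M = 3.28084


def db_to_linear(db):
    return 10.0 ** (db / 10.0)


def dbm_to_w(dbm):
    return 10.0 ** ((dbm - 30.0) / 10.0)


def w_to_dbm(w):
    return 10.0 * math.log10(w * 1000.0)


# Pth: chip turn-on threshold (assumed; chosen so 1 W into 6 dBi lands near ~20 ft)
PTH_W = dbm_to_w(-14.0)


def wavelength_m(freq_hz=FREQ_HZ):
    return C / freq_hz


def power_at_tag_w(pt_w, gt_dbi, d_m, g_tag_dbi=TAG_GAIN_DBI, p=POL_EFF, t=MATCH_EFF, freq_hz=FREQ_HZ):
    """Forward link: power reaching the chip at distance d (free space, inverse square of d)."""
    lam = wavelength_m(freq_hz)
    return pt_w * db_to_linear(gt_dbi) * db_to_linear(g_tag_dbi) * p * t * (lam / (4 * math.pi * d_m)) ** 2


def forward_range_m(pt_w, gt_dbi, g_tag_dbi=TAG_GAIN_DBI, p=POL_EFF, t=MATCH_EFF, pth_w=PTH_W, freq_hz=FREQ_HZ):
    """Tag range = (L1 / 4pi) * sqrt(Pt*Gt*G*p*t / Pth): farthest point at which the chip powers up."""
    lam = wavelength_m(freq_hz)
    return (lam / (4 * math.pi)) * math.sqrt(pt_w * db_to_linear(gt_dbi) * db_to_linear(g_tag_dbi) * p * t / pth_w)


def backscatter_rx_power_w(pt_w, gt_dbi, d_m, g_tag_dbi=TAG_GAIN_DBI, k=MOD_EFF, freq_hz=FREQ_HZ):
    """Return link, monostatic: Pr = Pt*Gt^2*G^2*K*(L/(4*pi*d))^4, i.e. inverse FOURTH power of d."""
    lam = wavelength_m(freq_hz)
    return pt_w * db_to_linear(gt_dbi) ** 2 * db_to_linear(g_tag_dbi) ** 2 * k * (lam / (4 * math.pi * d_m)) ** 4


def scale_range(base_range, base_pt_w, base_gt_dbi, new_pt_w, new_gt_dbi):
    """Inverse-square extrapolation: forward range scales with sqrt(Pt*Gt), so 3 dB of gain buys sqrt(2)."""
    return base_range * math.sqrt((new_pt_w * db_to_linear(new_gt_dbi)) / (base_pt_w * db_to_linear(base_gt_dbi)))


def link_budget(pt_w, gt_dbi, d_m):
    """Both directions at one distance: is the chip powered, and how weak is the return at the reader?"""
    p_tag = power_at_tag_w(pt_w, gt_dbi, d_m)
    p_rx = backscatter_rx_power_w(pt_w, gt_dbi, d_m)
    return {
        "distance_ft": d_m * FT_PER_M,
        "tag_powered": p_tag >= PTH_W,
        "power_at_tag_dbm": w_to_dbm(p_tag),
        "return_dbm": w_to_dbm(p_rx),
        # how far under the reader's own transmit power the return sits: the SNR/self-interference problem
        "return_below_tx_db": w_to_dbm(pt_w) - w_to_dbm(p_rx),
    }


if __name__ == "__main__":
    for pt, gt, label in [(1.0, 6.0, "thread: 1 W into 6 dBi"), (10.0, 12.0, "thread: 10 W into 12 dBi")]:
        r = forward_range_m(pt, gt)
        print(f"{label}: chip powers up out to {r:.1f} m ({r * FT_PER_M:.0f} ft)")
        for d in (r / 2, r, 2 * r):
            b = link_budget(pt, gt, d)
            print(f"  d={d:6.1f} m  powered={b['tag_powered']!s:5}  return={b['return_dbm']:7.1f} dBm "
                  f"({b['return_below_tx_db']:.0f} dB below TX)")
```

Doubling the distance halves the forward range budget by 6 dB but drops the return by 12 dB, which is the point the post makes about the backscatter link, not tag power-up, limiting long reads.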
A friend got me the passport holder from this company, www.difrwear.com, before I went out of the country last summer for two weeks. Not only does it hold a lot for its size, it has held up really nicely, and it's subtle and doesn't scream tin foil hat.
Great article, Thomas! And I think most of us agree that this is an issue, and somewhat of a break of privacy.
Unfortunately, the WHTI cards issued so far are based on long read range RFID (UHF). And even worse, this long read range RFID doesn’t have security of any kind – they can be cloned and they emit all information in the clear to any sneaking reader.
Short read range can be achieved by either using a different kind of RFID (based on high frequency – 13.56 MHz), or making appropriate changes to the UHF antenna designs to operate only in near field. This can protect against any off-the-shelf long range reader, such as the one shown in Paget’s video, reading all tags in a wide area.
Verayo provides a unique security technology that addresses the issue of cloning of the RFID chips. Verayo’s technology is a type of silicon ‘biometric’ technology that makes these ID chips effectively unclonable, and enables a strong and robust authentication mechanism based on a silicon chip’s fingerprints. With Verayo’s PUF technology, DHS can collect some silicon fingerprints of the ID chip in each WHTI card they issue, and then authenticate the card at the port-of-entry by comparing the ID chip’s fingerprint.
Additionally, I believe RFID should not store much information, beyond the equivalent of an identifier – a kind of vehicle number plate for the ID card. The mapping of this electronic ‘number plate’ to relevant personal data should happen in some secure backend server. If it is absolutely necessary to store information on the RFID chip it could be encrypted, such that only the authorized readers (like the DHS readers) can decrypt and make sense of it.
The technology certainly exists today, and I think it is a matter of revising the current implementation. That will certainly address a lot of the concerns.
I look forward to more on this story as it continues to unfold in the comments.
- Vivek Khandelwal, Verayo
As I say in "How to Be Invisible" (St Martins Press), on my website, and on my blog (http://invisible-privacy.com), there is no need to ever carry a driver's license or a passport unless you need the DL to rent a car, or the passport in order to travel. Otherwise, leave the DL in your car and your passport at home. Pay cash wherever you go.