Video: Hacker war drives San Francisco cloning RFID passports

Think of it this way: Chris Paget just did you a service by hacking your passport and stealing your identity. Using a $250 Motorola RFID reader and antenna connected to his laptop, Chris recently drove around San Francisco reading RFID tags from passports, driver licenses, and other identity documents. In just 20 minutes, he found and cloned the passports of two very unaware US citizens. Fortunately, Chris wears a white hat; his video demonstration is meant to raise awareness of what he calls the unsuitability of RFID for tagging people. Specifically, he's hoping to help get the Western Hemisphere Travel Initiative -- a homeland security project -- scrapped. Perhaps you'll feel the same after watching his video, posted after the break.
Read -- Western Hemisphere Travel Initiative
Read -- RFID passports cloned

Reader Comments (Page 1 of 2)
ILoveApple @ Feb 2nd 2009 3:56AM
Pffft, Motorola. What a noob.
Setnev @ Feb 2nd 2009 7:27PM
Yeah, that "noob" using Motorola hardware cloned someone's driver's license and passport information. Any "noob" with similar hardware could potentially do the same, but I guarantee that they won't use the information as kindly as he did.
JAmerican @ Feb 2nd 2009 3:56AM
Reason why my RFID-enabled license card and passports will be meeting with my friend Mr. McMagnet.
cromas @ Feb 2nd 2009 4:05AM
...that would work better if RFID used magnetism at all.
http://www.wikihow.com/Protect-Your-RFID-Enabled-Passport
Oli D @ Feb 2nd 2009 4:23AM
haha read that article,
cover it in foil or microwave it
or just hit it with a hammer.
Jason @ Feb 2nd 2009 4:28AM
Actually, what you need is a Faraday cage:
http://www.emvelope.com/
It should be easy enough to test whether it works.
OneLove @ Feb 2nd 2009 2:31PM
Don't forget to get your free grand slam breakfast from Denny's tomorrow. :)
loosely_coupled @ Feb 2nd 2009 5:58PM
Magnets won't do anything, but a big boot will do the job on a passport quite readily...
kc1man @ Feb 2nd 2009 9:16PM
I do not think a magnet would help. You would need to prevent the RFID chip from getting read. The chips work by sending their data via radio waves. You need to shield your RFID passport or credit card with something like this protective RFID blocking sleeve: http://www.rfid-shield.com/products.php
Ian @ Feb 2nd 2009 4:04AM
Scary shit... I hope his work has the government thinking. I hope I never carry around an RFID tag.
dan @ Feb 2nd 2009 4:29AM
"I hope I never carry around an RFID tag" - erm, why?
Just because this particular kind of RFID tag isn't that suitable for being used in passports doesn't mean RFID can't be a cool and useful technology. The tags that are being used are EPC tags, designed for tracking products around the supply chain. There are loads of tags more suitable for use in passports, with much smaller read range, integral encryption, etc.
Don't be tempted to consign an entire technology to the rubbish heap because of one dumb implementation.
ironman @ Feb 2nd 2009 11:17AM
In 20 minutes he actually found and cloned 10 passports, but reported 2. Perfect Cover!
Omar @ Feb 2nd 2009 4:06PM
TAG! You're it.
Oli D @ Feb 2nd 2009 4:04AM
Big Brother just got owned by a fat English hacker.
Justice at its sweetest.
Will H. @ Feb 2nd 2009 4:27AM
I can't wait 'til the mainstream media gets a hold of this. $5 they call this guy a 'terrorist'.
Sarig @ Feb 2nd 2009 7:13AM
Mainstream media has already been all over the new fancy chipped passports several times, as have loud security experts in every nation they've been introduced.
All for deaf ears.
Will @ Feb 2nd 2009 4:54PM
Wow, wonder why they did not compare standards from Seoul and Tokyo. I've been using RFID in both places for almost 5 years without any security issues...
David P @ Feb 2nd 2009 8:36AM
What's his beef with WHTI? That program has nothing to do with RFID (the link points to just one part of the program). Its primary goal is to reduce the number of acceptable documents one can use to enter the country.
Was he able to crack the information on the RFID or just copy it? He kind of slips off into confusing talk at the end. Having the data is still no good if you go through clearance, since your face and other biographic data pops up when the CBP officer scans your passport.
djko3000 @ Feb 2nd 2009 4:57AM
I hope people recognize what a good thing he's doing by doing this. By making people aware RFID has huge problems, it may result in greater national security because instead of ignorance allowing all sorts of ne'er-do-wells to get people's private data, perhaps a more secure system that at least needs physical contact might be used for these kinds of things. I mean, it wouldn't be that hard to put flash memory with a good layer of encryption (to be handled off site, unlike the encryption on current credit card RFID tags) in a credit card sized/passport sized device. It might even be something of a challenge to spoof. Maybe. It'd be better than the RFID system at least.
Arian Kooshesh @ Feb 2nd 2009 5:08AM
good job man!
FILA @ Feb 2nd 2009 5:13AM
EZ-Pass also has an RFID tag in its casing. Now that's some scary shit, he'd be able to see where your going as long as you got scanned underneath a toll.
Information Central @ Feb 2nd 2009 5:04PM
YOU'RE. Where YOU'RE going.
TroyG @ Feb 2nd 2009 5:18AM
One should note that he's talking about a "passport card" - which is the new EDL, or Enhanced Driver's License. These cards are combo passports & driver's licenses, and only work at specific drive-through & seaport checkpoints. Border states are the only ones that are issuing them (presently), such as Washington, Vermont, and Arizona.
http://www.dol.wa.gov/about/news/priorities/edl.html
As far as I can tell, he wasn't able to read normal ePassports - which have a protective material built into the cover.
Additionally, the number he was pulling is a number that only has meaning to the EDL/CBP databases. As I understand it, a person would "wave" their card at a checkpoint, and the reader would capture the number (just like Chris did). The number itself is meaningless until the system looks up name, address, picture, other biometrics, etc, and either a human officer, or a biometrics matching system would verify the individual and border crossing rights (i.e. citizenship & residency).
So getting your number alone would do no good, unless you were also able to fool the biometrics information. There is no "personal data" on the RFID chip (and yes, I do realise the def'n of "personal data" could be debated).
But I don't disagree with the purpose of his exercise - I'd much rather have a smart card (which requires physical contact) for this application.
TroyG @ Feb 2nd 2009 5:29AM
I will also add that his comments re: correlating multiple RFID tags are also spot on! However, this can be done with ANY RFID tag (including those little Speedpass tags, your office keycards, RFID credit cards, etc) - it's not just an issue w/ the Passport Cards and EDLs.
Dan @ Feb 2nd 2009 10:01AM
"So getting your number alone would do no good, unless you were also able to fool the biometrics information. There is no "personal data" on the RFID chip"
Only a very small subset of RFID chips are "ID only". The large majority of chips contain a manufacturer embedded, non-volatile ID, like the one referred to in the article, but they also contain varying amounts of user-writeable bits.
The big-picture problem with RFID use in situations where personal data is used is that clueless implementors store actual user information in that user writeable space, not in the private, hard-to-access centralised database. It allows systems to operate neatly without a centralised database (no need to lookup the ID, you can get all the info you need from the chip), but it's ripe for exploitation, both by users tweaking their own chips and by others cloning them.
Benson @ Feb 2nd 2009 12:24PM
@Dan:
OTOH, info in the central database is vulnerable to attack and seizure of all (or large parts) of the data, completely out of my control. Data in an RFID in my tinfoil wallet lies within my responsibility, and my ability, to protect.
(Of course, I might be advocating this for someone other than the devil, if it wasn't quite likely the data is exposed on a central server anyway in most such systems, so you're adding, not replacing, vulnerabilities...)
Dale @ Feb 3rd 2009 11:38PM
Normal US passports with built-in shielding are still a risk because of the natural tendency of the cover to open slightly. Also, even with the best shielding, whenever you open it to be read anyone in the area will be able to read and record it. 2-D bar codes can be used for most things RFID is being used for.
http://www.youtube.com/watch?v=DBo_dnQrkCw
http://en.wikipedia.org/wiki/Datamatrix
paul-engadget @ Feb 2nd 2009 5:51AM
I just got a cheap RFID reader from tikitag.com. It recognises my UK issued passport, but says as it's not a tikitag I can't associate it with an application. I'm definitely going to get some tinfoil and verify I can protect the tag from being read!
lduvall @ Feb 2nd 2009 7:25AM
I expect him to get a call from the Homeland Insecurity, charging him with a crime - probably a list of "crimes" so that one of them might stick.
butts @ Feb 2nd 2009 1:23PM
Why bother? They can just 'extraordinarily render' him to a friendly (read: totalitarian) nation and have him tortured indefinitely without making a single charge.
ExcaliburXVII @ Feb 2nd 2009 6:44AM
Smash it with a hammer. It's easier.
chase17 @ Feb 2nd 2009 8:01AM
They are issued with a sleeve that has aluminum foil as an inside liner.
Arthur Nonamiss @ Feb 2nd 2009 8:10AM
This guy is a hero. Thank Jesus we have white-hat hackers like this working for the public good. Imagine how much damage this guy could do if his intentions were malevolent. I would bet there are probably dozens of black-hat hackers doing this type of thing as we speak, but unfortunately, they don't publish their videos on Engadget.
Jesus @ Feb 3rd 2009 5:58AM
You're welcome.
JR @ Feb 2nd 2009 9:18AM
The RFID passports are proximity cards:
http://en.wikipedia.org/wiki/Proximity_card
Which means he'd have to get that crazy device of his 0-3 inches in order to read the tag. Didn't people notice he was trying to scan them? Also how did he read them driving by? It takes a couple of seconds to read the card. Maybe he ran them over and then scanned them...
thomas_malkin @ Feb 2nd 2009 11:29AM
Once again: regular scanners need close proximity to read RFID tags of this sort. One simply needs to use an irregular scanner, running at higher power, to read them from longer distances up to several yards... OK? We've been at this for years now. The vendors are full of it, they are lying, not telling the truth, I am questioning the veracity, it is not a fact, a falsehood is being told. The cards can be read from a distance. The experiments are many and this is one of them.
Do you actually think they made us carry those cards for fun? They're conditioning us to accept the things. Reading a passport with eyeballs has worked fine. The RFID cards are no less copyable than a paper passport. Those cards can be scanned from a distance, in large numbers, by the proper equipment, and believe me, they possess the proper equipment. They are crowd scanning devices in embryonic form. What other purpose could they have?
JR @ Feb 2nd 2009 12:17PM
I used to work for a firm that made RFID dongles (see SDiD forums) and I know for a fact that while you can increase the power of the reader antenna to make the card receive the signal the reverse is not true. The card will only generate an output for proximity based on 0-3 inches. You CAN'T read data from the card past that level. Period.
Benson @ Feb 2nd 2009 12:29PM
@JR: Wow. So it's impossible to use amplifiers and/or high-gain antennae to pick up weak signals beyond design range? Good to know, then.
I'm going to chalk it up to ignorance (Heinlein's razor), but you need to be aware that you could look like part of a conspiratorial coverup when you identify as one of 'them' and spew forth reassuring nonsense. If you don't know it, don't talk like you do.
JR @ Feb 2nd 2009 2:05PM
I pray you are joking/trolling Benson, if not then I guess I'll pray for your mental health.
He wasn't using a high gain antenna. Look at it. Do you even know what one of those is?
Even if there is a conspiracy, this guy's bogus and a liar. He's a fear-monger plain and simple, and if people like him get to decide policy we'd all be living in log cabins cowering around our windows with shotguns. Boo Luddites, boo.
Chris Paget @ Feb 2nd 2009 2:48PM
"He wasn't using a high gain antenna. Look at it."
I wouldn't call it high-gain but it's certainly directional - 6dBi gain over a 60 degree beamwidth. It's a Motorola AN400 if you want to look up the specifications - I'm planning on replacing it with a pair of 15dBi yagis at some point.
"Even if there is a conspiracy, this guys bogus and a liar."
You seem to be confusing "vicinity read" technologies (such as the EPC Gen2 tags in EDL and PASS) with more conventional "proximity read" technologies (such as my previous work cloning HID cards). EPC Gen2 has a designed read range of 20-30 feet. Might I suggest you watch the video, come to Shmoocon and see my demonstration (and examine the kit up-close if you'd like), do some googling for "epc gen2 read range", and then re-think your comments?
JR @ Feb 2nd 2009 4:04PM
EPC cards are vicinity RFID tags and are usually 15693, which have a much larger range. That's because you want the large range in a warehouse. The e-Passport is made with proximity tags which, according to this article:
http://www.rfidjournal.com/article/view/1951/1/1
"The ISO 14443 specification permits chips to be read when an e-passport is placed within approximately 10 centimeters of an RFID interrogator (reader)". Last time I checked 10cm was around 3 inches.
I stand by what I've said. I've done the engineering, I've done the research. I've made an attenuated bidirectional antenna and you can't get the range. Myself and the rest of the RF engineers weren't able to do it. None of our competitors were able to either. We worked on this stuff for 2 years trying to squeeze an extra centimeter out of that crappy 14443 spec. You can't do it. This guy is a bold faced liar and a fear-monger.
Chris Paget @ Feb 2nd 2009 4:29PM
Wow.
EPC Gen2 (aka ISO18000-6) - 900MHz.
ISO14443 - 13.56MHz
ISO15693 - 13.56MHz
Totally different systems based upon a totally different communication mechanism (electrical modification of the tag's reflectivity coefficient versus differential power consumption via a magnetically coupled pair of coils) and operating at a totally different frequency. Saying that EPC tags are "usually 15693" just demonstrates your lack of clue since they really couldn't be more different. The specification is online at http://www.epcglobalus.org/dnn_epcus/KnowledgeBase/Browse/tabid/277/DMXModule/706/Command/Core_Download/Default.aspx?EntryId=292 if you want to go read it. ISO14443 and 15693 tags cannot be read at long-range - but these aren't either of those specifications, and are actually wildly different from them.
The RFID firm that you used to work for - let me guess, HID?
JR @ Feb 2nd 2009 4:39PM
Nope Wireless Dynamics (read above).
Here's the thing: ePassports don't use EPC tags. I've never read anything that says they do. You are probably right, he could drive through a warehouse and pick up some tags. Who cares? He's saying that you can do that with ePassports and you can't. They aren't EPC tags. Feel free to post a link saying they are if you still think they are.
FYI Still sticking with what I said before...
JR @ Feb 2nd 2009 5:06PM
So here are a couple more links. This one is from the EPC global site asking questions about security:
http://www.epcglobal.org.hk/enews/epc_page.php?newid=374
Quote: "So you need to keep that data more secure. For that reason, the ISO 14443 chip architecture, with its very short read range, is used [for the passport]."
Here, this one talks about the bidding wars for A and B variants of 14443:
http://www.eetimes.com/news/latest/showArticle.jhtml;jsessionid=JWPXZYTYCXYT0QSNDLPSKHSCJUNN2JVN?articleID=52200157&_requestid=19538
Also the one I posted earlier. So how did you do it Chris? How did you read a short-range (10cm or less) card (that takes up to 2 seconds to read) in a car by driving by people?
Chris Paget @ Feb 2nd 2009 5:39PM
OK, I think I see your confusion here. I'm cloning the PASS card - http://travel.state.gov/passport/ppt_card/ppt_card_3926.html You're correct that the passport uses 13.56MHz chips - the PASS card and Electronic Drivers License use EPC Gen2 tags. Different system.
JR @ Feb 2nd 2009 6:25PM
I guess we did have a bit of miscommunication back there. If you weren't talking about passports I apologize. You were right that unsecured PASS cards can be read from 20-30 feet. But...
PASS cards are for North American travel only and all they have on them is a number that is looked up on a database to retrieve information. They are also supposed to be kept in a metallic sleeve:
Frank Moss: "I also think that it is noteworthy to mention that even in the PASS card, the vendors proposing a solution must provide a [metallic] sleeve to keep that card from being read until it is removed from the sleeve."
http://www.epcglobal.org.hk/enews/epc_page.php?newid=374
Leaving yourself open for attack this way is as dumb as leaving your Visa laying around. Just keep it in the sleeve until you need it.
The vicinity chip portion of the EDL contains only a unique number as well. From the Washington State website:
"The passive RFID tag embedded in your EDL/ID doesn’t contain any personal identifying information, just a unique reference number."
http://www.dol.wa.gov/driverslicense/edlfaq.html#rfidpersonal
It also comes with a sleeve. Both of these documents don't contain personal info and they will be checked by border patrol as well.
Here's the kicker. There isn't any personal information on the card, only a unique number. You don't have any way to associate that number with a person that you read it from. So what's the scandal?
Chris Paget @ Feb 2nd 2009 7:14PM
"Leaving yourself open for attack this way is as dumb as leaving your Visa laying around. Just keep it in the sleeve until you need it."
Two points here - firstly, RFID is an unknown technology to most people. If they don't understand that their tags can be cloned from 20-30 feet away, why should they bother to protect them? Secondly, according to the UW research paper at http://www.rsa.com/rsalabs/node.asp?id=3557 , the sleeves supplied with Washington-state EDLs are ineffective at shielding the tags from a standard reader (albeit with reduced read range). If you have no viable way to protect the identity documents which are vital to your everyday life, what are you supposed to do?
"The passive RFID tag embedded in your EDL/ID doesn’t contain any personal identifying information, just a unique reference number."
Your credit card is just a unique reference number, as is your SSN. Both are considered sensitive information by themselves, due to the purpose that they serve. The fact that it's just a number is irrelevant - it's what happens to that number and how it is used that's important.
"It also comes with a sleeve. Both of these documents don't contain personal info and they will be checked by border patrol as well."
How? If a border patrol officer encounters a WHTI document with an incorrect or non-functional RFID tag in it, how will they respond? How much security at the border is actually dependent upon that RFID tag? These questions have yet to be answered by DHS, so nobody knows for sure how much access that ID number could give you. If the processes surrounding the authentication of RFID-enabled documents are as vulnerable as the tags themselves, this system could be opening up US borders to anyone with $250 and an eBay account. I'd hope it's nowhere near that bad, but until DHS answer some questions it's impossible to say for sure.
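To put rough numbers on the read-range dispute above (vicinity Gen2 at 900 MHz versus proximity ISO 14443 at 13.56 MHz) and on the sleeve question, here is an added example that is not code from the post or from any commenter: a textbook Friis forward-link budget for a passive UHF tag, plus the attenuation a sleeve would need to hold the range down. The 4 W EIRP figure is the FCC Part 15 limit for 902-928 MHz readers; the 2.15 dBi tag gain, the -15/-18 dBm chip sensitivities and free-space propagation (no multipath, reader sensitivity ignored) are assumptions.

```python
"""Forward-link budget for a passive UHF (EPC Gen2) tag and the sleeve
attenuation needed to bring its read range down.  Added example; not code
from the post or from any commenter.  Assumptions (labelled): free-space
Friis propagation, a 2.15 dBi dipole tag antenna, chip turn-on
sensitivities of -15 and -18 dBm, and 4 W EIRP, which is the FCC Part 15
limit for 902-928 MHz readers."""
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0
FCC_MAX_EIRP_W = 4.0          # 1 W conducted + 6 dBi antenna (the AN400 gain)
UHF_GEN2_HZ = 915e6           # centre of the US 902-928 MHz band
HF_ISO14443_HZ = 13.56e6


def dbm_to_watts(dbm: float) -> float:
    return 10 ** (dbm / 10) / 1000


def db_to_linear(db: float) -> float:
    return 10 ** (db / 10)


def wavelength_m(freq_hz: float) -> float:
    return SPEED_OF_LIGHT_M_S / freq_hz


def near_field_boundary_m(freq_hz: float) -> float:
    """Radian distance lambda/(2*pi): inductively coupled ISO 14443/15693
    tags only work well inside it; backscatter Gen2 tags are read beyond it."""
    return wavelength_m(freq_hz) / (2 * math.pi)


def forward_link_range_m(eirp_w, tag_gain_dbi, tag_sensitivity_dbm, freq_hz):
    """Largest distance at which the tag harvests enough power to turn on.

    Friis: P_tag = EIRP * G_tag * (lambda / (4*pi*d))**2, solved for d at
    P_tag == chip sensitivity.  Passive tags are forward-link limited, so
    this is the practical upper bound for a compliant reader in free space.
    """
    lam = wavelength_m(freq_hz)
    p_threshold_w = dbm_to_watts(tag_sensitivity_dbm)
    g_tag = db_to_linear(tag_gain_dbi)
    return lam / (4 * math.pi) * math.sqrt(eirp_w * g_tag / p_threshold_w)


def shield_attenuation_db(unshielded_range_m, target_range_m):
    """One-way attenuation a sleeve must add on the forward link so the tag
    cannot be powered beyond target_range_m.  Range scales with 1/sqrt(A),
    so A_dB = 20*log10(d_unshielded / d_target)."""
    return 20 * math.log10(unshielded_range_m / target_range_m)


if __name__ == "__main__":
    print(f"near-field boundary: 13.56 MHz = {near_field_boundary_m(HF_ISO14443_HZ):.2f} m, "
          f"915 MHz = {near_field_boundary_m(UHF_GEN2_HZ):.3f} m")
    for sens_dbm in (-15, -18):
        d = forward_link_range_m(FCC_MAX_EIRP_W, 2.15, sens_dbm, UHF_GEN2_HZ)
        print(f"Gen2 tag, chip sensitivity {sens_dbm} dBm: ~{d:.1f} m ({d / 0.3048:.0f} ft)")
    d15 = forward_link_range_m(FCC_MAX_EIRP_W, 2.15, -15, UHF_GEN2_HZ)
    print(f"sleeve needed to hold a -15 dBm tag under 0.3 m: "
          f"~{shield_attenuation_db(d15, 0.3):.0f} dB")
```

The free-space figure of roughly 12-17 m is an upper bound; the 20-30 ft quoted in the thread is what the spec designs for once real tags, orientation and clutter are taken into account, and the sleeve number shows why a thin foil liner that only knocks off 10-20 dB still leaves metres of read range.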
JR @ Feb 2nd 2009 7:45PM
"The fact that it's just a number is irrelevant - it's what happens to that number and how it is used that's important."
It is relevant because of how it's used. SSN, Visa, driver's license numbers are all a means of identification outside of the government. The RFID number is only used inside the government. It's a subtle but important detail. This number is only used to grant a government official (i.e. border patrol) access to your personal information. It doesn't give anyone else access to that information. It cannot be associated with you in any other way. In other words it has no meaning outside of that database and can't be considered personal information.
"How? If a border patrol officer encounters a WHTI document with an incorrect or non-functional RFID tag in it, how will they respond?"
Quote Frank Moss: "Cloning the chip is possible—it's essentially taking a digital photocopy of a chip. But cloning a chip doesn't mean you've made a fake passport that will get you into a country. [U.S.] passports also use watermarks, ultraviolet and infrared security features. And at the end of the day, you have the inspector doing checks on the passport and on you. If a reader were to crash because of the passport you were carrying, it would mean you'd be inspected more carefully."
That number alone isn't enough to get you through the border. That's what Border Patrol agents are for. They are the defense of the border. Whether they can be trusted to do their jobs or not is outside the realm of RFID.
Chris Paget @ Feb 2nd 2009 10:14PM
"SSN, Visa, Drivers license numbers are all a means of identification outside of the government. The RFID number is only used inside the government. It's a subtle but important detail."
You are correct, but only to a point. As I explain in the video, you can correlate the long-range EPC Gen2 tag against other short-range tags about your person (credit card, whatever) by using multiple readers at a choke point (a doorway, for instance). This correlates that ID number to an identity (digital photo is optional), which you can then track at a distance using the long-range Gen2 tag. Even without other tags, you can drive around taking digital pictures whenever you can see a tag - if you see the same tag twice, look for the person in both pictures. Instant identity.
As long as I can drive around downtown San Francisco harvesting cloned passport cards, there is a problem with either the shielding technology or the message that people are being given about the importance of it. Something is wrong here, and we need to find out what it is (and fix it if possible) before it's deployed to every drivers license issued by every state.
"That number alone isn't enough to get you through the border. That's what Border Patrol agents are for. They are the defense of the border. Whether they can be trusted to do their jobs or not is outside the realm of RFID."
DHS has repeatedly claimed that RFID tags in identity documents add security (such as http://www.dhs.gov/xnews/releases/pr_1161115330477.shtm, where "enhancing the security of our citizens and travelers" is the third line). I want to know how. These tags are designed for cattle and shipping crates, not people - they have no security at all and are completely unsuited to this application. Aside from the warcloning issue there are still myriad different attacks against the system that bring it to its knees - how is there security here?
If there's no security being added by the RFID tag, then the security of the PASS card is dependent solely upon its other features and the ability of the CBP officer. Since CBP are now hand-inspecting every PASS card for verification, how has the RFID tag sped up the border crossing process?
We have no added security and no added speed through borders because of this RFID tag, so why exactly is it there? Given its distinct lack of benefits, is it really worth the risk that the bad guys can end up making real-time Google Maps mashups of large swaths of the population - in exchange for whatever meager arguments are left in favour of it?
JR @ Feb 3rd 2009 10:19AM
The only thing that ID that you've stolen gives you is the ability to travel across the Mexican-US border and the Canada-US border. It doesn't serve as a form of ID like a driver's license. The EDL also contains a proximity chip (unless I misread). The proximity chip serves as a means of ID but not the vicinity chip. So you are worried about the bad guys being able to travel freely around NA?