Drive By Passport Cloning
Fearghas McKay
ukcrypto at chiark.greenend.org.uk
Mon, 2 Feb 2009 09:47:07 +0000
http://www.theregister.co.uk/2009/02/02/low_cost_rfid_cloner/

Using inexpensive off-the-shelf components, an information security
expert has built a mobile platform that can clone large numbers of the
unique electronic identifiers used in US passport cards and next
generation drivers licenses.

The $250 proof-of-concept device - which researcher Chris Paget built
in his spare time - operates out of his vehicle and contains
everything needed to sniff and then clone RFID, or radio frequency
identification, tags. During a recent 20-minute drive in downtown San
Francisco, it successfully copied the RFID tags of two passport cards
without the knowledge of their owners.

Paget's contraption builds off the work of researchers at RSA and the
University of Washington, which last year found weaknesses in US
passport cards and so-called EDLs, or enhanced drivers' licenses. So
far, about 750,000 people have applied for the passport cards, which
are credit card-sized alternatives to passports for travel between the
US and Mexico, Canada, the Caribbean, and Bermuda. EDLs are currently
offered by Washington and New York states.

"It's one thing to say that something can be done, it's another thing
completely to actually do it," Paget said in explaining why he built
the device. "It's mainly to defeat the argument that you can't do it
in the real world, that there's no real-world attack here, that it's
all theoretical."

Use of the cards is expected to rise as US officials continue to
encourage their adoption. Civil liberties groups have criticized the
cards and a travel industry association has called on the federal
government to suspend their use until the risks can be better
understood.

The cards make use of the RFID equivalent of optical barcodes known as
electronic product code tags, which are widely used to track cattle
and merchandise as it's shipped and then stored in warehouses. Because
the technology employs no encryption and can be read from distances of
more than a mile, the tags are highly susceptible to cloning and
tracking, researchers have concluded.

Paget's device consists of a Symbol XR400 RFID reader (now
manufactured by Motorola), a Motorola AN400 patch antenna mounted to
the side of his Volvo XC90, and a Dell 710m that's connected to the
RFID reader by ethernet cable. The laptop runs a Windows application
Paget developed that continuously prompts the RFID reader to look for
tags and logs the serial number each time one is detected. He bought
most of the gear via auctions listed on eBay.

And if you read on, we'll show you video proof that the thing actually
works.