US RFID credentials – update

I blogged back in February about Chris Paget’s successful attempts to read US-issued RFID credentials while simply driving past their owners… so I was a little surprised to see the same “news” cropping up in this article from Saturday’s LA Times. However, by the fourth paragraph they did acknowledge the date of Paget’s experiment, so I read on – and there’s plenty in the rest of the article to make that worthwhile.

I owe @haroonalrasheed, by the way, for the link to the LA Times article, and I regret that, like him, I am quite unable to come up with a sensible interpretation of this quotation from the CPO of the Dept of Homeland Security:

The purpose of using RFID is not to identify people, says Mary Ellen Callahan, the chief privacy officer at Homeland Security, but rather “to verify that the identification document holds valid information about you.”

There I was thinking that the clue was in the acronym.

The article is particularly interesting on the subject of read distance. It seems that each time the implementing departments publish a figure, researchers have consistently succeeded in reading the cards from much further away – whether that’s a yard instead of 4 inches, or 30 feet instead of a yard (1 metre, 10 cm, 10 metres respectively, if you are decimalised).

Those are just the numbers for trying to read the chip directly. In another experiment, the researcher went for the communications link between the chip and the reader instead, and is reported as having intercepted that traffic successfully from 160 feet away (50 metres). I haven’t tracked down the research paper in question, so can’t check, for instance, whether that was direct interception or whether, as proposed in this 2005 paper by Hancke and Kuhn, it makes use of ‘relays’ to extend the distance between the eavesdropper and the chip. Bear in mind, though, that in the most common places you would expect to show your passport – that is, at an airline check-in counter or at an airport security check – there is generally somewhere within 160 feet where it is perfectly legitimate for someone to be using a laptop…

(If anyone has a link to the “160 foot intercept” paper, perhaps you could include it in a comment).

Apart from the continuing bickering over read distance, then, what conclusion can one draw? Principally, I think, that any form of remote reading raises significant and legitimate concerns over user awareness and therefore consent. It’s clear that the confidentiality of embedded RFID chips has to reside in factors other than distance – and equally clear, from the article cited, that different implementations are being designed with different levels of protection against interception. I have yet to see one, though, which offers the user any information about or control over when the chip is read, and I think that is a fundamental design flaw.

3 thoughts on “US RFID credentials – update”

  1. Dave Birch says:

    Tried to post a comment but "my OpenID credentials were not verified" through VeriSign.

  2. Re: verifying the identity document: see the footnote on http://www.theregister.co.uk/2009/07/09/id_cards_nir_tory_lib_plans/page3.html The RFID data is there to detect tampering in the printed data.

  3. Robin Wilton says:

    Thanks, Andrew. Yes, I can understand the rationale there, but I still think that – in the limited context I could see – Ms Callahan's comment is somewhere on the scale from disingenuous to misleading. The functional requirement you describe (and she refers to) – namely, of providing a copy of the passport's printed contents which can be verified electronically, can be met without RFID – i.e. by means of a contact chip rather than a contactless one. That's the relevance of this point in the context of privacy, consent and drive-by scanning of passport chips. Conversely, the Austrian Government has done some very interesting work on equivalent human- and machine-readable paper documents with embedded digital signatures, which I saw demonstrated by their Govt CIO, Dr Posch. The document's integrity can be electronically checked, and there's no need for a chip. Fascinating stuff.