Federal agents attending this year’s DefCon hacker convention were in for a surprise when top RFID researchers revealed that they scanned five convention attendees’ and potentially one Federal agent’s RFID-enabled cards. Researchers set up an RFID reader with a web camera that skimmed RFID-enabled cards and took a picture of their owners as they passed within two to three feet. Using information read on an RFID chip, a hacker could clone the chip and impersonate the card’s owner. Depending on the chip, a hacker could also discover personal information about the owner. Federal agents, including those from the FBI and Department of Defense, only found out about this project when they were told by a DefCon staffer. One former agent’s response: “I saw a few jaws drop when he said that.”
RFID chips aren’t just found in government IDs–several states are currently issuing enhanced drivers’ licenses (EDLs) that incorporate vicinity-read RFID chips as part of the Western Hemisphere Travel Initiative. The State Department’s new PASScard (passport card) also incorporates the same RFID technology. We have seen independent demonstrations of how easily RFID chips can be skimmed using inexpensive, off-the-shelf equipment. Vicinity-read RFID chips in particular are more vulnerable to being scanned because of their ability to be read at a greater distance. The security researchers at DefCon have once again highlighted the risks insecure, long-range chips may pose to the privacy and security of the cardholder.
Vicinity-read RFID technology was developed for tracking inventory; the risks to privacy and security the technology poses to EDL and PASScard holders far outweighs the justifications asserted for its use in human identification credentials. Citizens should be given the option of applying for cards without vicinity-read RFID—or at least consider more secure RFID technologies. The privacy and identity theft implications are why CDT urges Congress to reject the use of vicinity-read RFID technology in PASS ID.