First they said it couldn’t be sniffed, now they say it’s not important

Passport RFIDs cloned wholesale by $250 eBay auction spree • The Register

To be sure, the RFID tags contain no personally identifiable information, but rather what amounts to a record pointer to a secure Department of Homeland Security database. But because the pointer is a unique number, the American Civil Liberties Union and other civil libertarians warn the cards are still susceptible to abuse, especially if their RFID tags can be read and captured in large numbers. Cloning the unique electronic identifier is the first step in creating fraudulent passport cards, they say.

The cards also amount to electronic license plates that could be used to conduct clandestine surveillance. Law enforcement officials could scan them at political rallies and then store them in databases. The tags could also be correlated to other signals, such as electronic toll-booth payment systems or RFID-based credit cards, to track the detailed movements of their holders.

Of course that number can be de-anonymized. And of course the DHS database is going to release information to unauthorized people. And of course that number is going to be used as a de facto identifier.

One of the things security people have learned over the decades is that it’s much easier to suborn a system when you have some kind of nominally-legitimate access than when you’re completely on the outside. And making easily-cloned passport RFIDs is that first step.

(Another risk that the Reg folks don’t really mention is that skimming enough numbers may give a black hat insight into how the ID numbers are generated — assuming no one is stupid enough to just issue them in sequence — and thus mount attacks on passports they’ve never even seen, or that haven’t been issued.)
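The parenthetical above is the one technical claim on the page, so here is an added illustration, not from this post or from The Register: a small Python audit an issuer could run over its own identifiers to see whether a skimmed sample would give away the generation scheme. The 96-bit identifier width, the two toy issuers and the clustering threshold are assumptions for the example, not facts about the passport card programme.

```python
"""Added example: does a sample of identifiers leak how they were generated?

Constructed illustration. The issuers below are toys, and the 96-bit width
is an assumption about the tag format, not a statement about the real cards.
"""
import secrets
from typing import Dict, List, Optional

ID_BITS = 96                 # assumed identifier width
ID_SPACE = 1 << ID_BITS
CLUSTER_THRESHOLD = 1e-6     # assumed: above this, issued IDs sit in a tiny interval


def issue_sequential(count: int, start: int = 1) -> List[int]:
    """Toy issuer: consecutive numbers, the scheme the post hopes nobody uses."""
    return [start + i for i in range(count)]


def issue_random(count: int) -> List[int]:
    """Toy issuer: each identifier drawn uniformly from the whole ID space."""
    issued = set()
    while len(issued) < count:
        issued.add(secrets.randbits(ID_BITS))
    return sorted(issued)


def arithmetic_step(sample: List[int]) -> Optional[int]:
    """Return the common difference if the sorted sample is an arithmetic progression.

    Three or more identifiers with a constant gap are enough to expose a counter.
    """
    s = sorted(set(sample))
    if len(s) < 3:
        return None
    step = s[1] - s[0]
    return step if all(b - a == step for a, b in zip(s, s[1:])) else None


def predict_next(sample: List[int]) -> Optional[int]:
    """The identifier a counter-based issuer would hand out after the largest one seen."""
    step = arithmetic_step(sample)
    return None if step is None else max(sample) + step


def span_density(sample: List[int]) -> float:
    """Share of the interval [min, max] that the sample fills.

    Even a non-consecutive subset of a counter sits in a tiny interval, so its
    density stays high; uniformly random IDs spread across ~2^96 values and the
    density collapses toward zero.
    """
    s = sorted(set(sample))
    if len(s) < 2:
        return 0.0          # a single value says nothing about the scheme
    span = s[-1] - s[0] + 1
    return len(s) / span


def audit_issuance(sample: List[int]) -> Dict[str, object]:
    """Summarise what an observer holding this sample could infer."""
    step = arithmetic_step(sample)
    density = span_density(sample)
    return {
        "counter_detected": step is not None,
        "predicted_next": predict_next(sample),
        "span_density": density,
        "clustered": density > CLUSTER_THRESHOLD,
    }


if __name__ == "__main__":
    for name, ids in (("sequential", issue_sequential(12, start=7_000_000)),
                      ("random", issue_random(12))):
        print(name, audit_issuance(ids))
```

The counter check catches the naive case; the density check is the more useful one, because a skimmer never sees every card, and a handful of non-consecutive numbers from a counter still lands in an interval that is a vanishing fraction of the space, which is exactly what lets unseen numbers be guessed. Identifiers drawn at random from the full width fail both checks.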
