The Consequences to Citizen Privacy and National Security in Adopting RFID Technology for Identity Documents
Neville Pattinson, CIPP, CISSP
Neville Pattinson is the Vice President for Government Affairs at Gemalto, Inc. based in Austin, Texas. Pattinson serves as a Board member of the Smart Card Alliance and is Chairman of its Identity Council. He is a founding member of the Secure ID Coalition. Neville presently is serving a 3-year appointment as a Special Government Employee to the Department of Homeland Security's (DHS) "Data Privacy and Integrity Advisory Committee" (DPIAC). As a disclaimer, the article does not reflect the opinion of DHS or the DPIAC Committee.
Simple low-cost electronic tracking devices are positioned to revolutionize the supply chain by providing up-to-the-minute information about the location of the products to which they are attached. It may therefore come as a surprise to learn that Radio Frequency Identification Devices (RFID) are also under consideration for identifying our citizens as they attempt to cross our land borders. Both the proposed State Department-issued PASS cards, a low-cost alternative to U.S. passports, and now the newly emerging border state-issued Enhanced Driver's Licenses, are to incorporate a technology devoid of sufficient security features for use as a border document. Furthermore, the lack of security features within the tags and the system implementation architecture create several new national security vulnerabilities at our borders. There are also issues related to real-time access by DHS border patrol officers to multiple border-state driver's license databases, along with access to the State Department's PASS card database.
So How Did We Get Here?
As RFID tags make their way through the product manufacturing and supply chain distribution system, readers at key locations can interrogate the tag and then follow the associated products' progression. Each tag is created with one mission in mind: to faithfully transmit the tag's unique serial number to the surrounding vicinity each and every time the tag is stimulated by a suitable radio frequency source. During the design of this simple architecture there was no need to give significant thought to the security, privacy or confidentiality of the tag's ID number, nor was consideration given to what the tag was going to be attached to. After all, the tag merely provides basic identification information to a specific tracking system. In order to be meaningful, the back-end system must contain the information which ties each specific tag to whatever it has been attached to and where it is now located.
This is the basis of a fundamental architectural problem if RFID technology is applied to applications outside the original design. Consider the following evolution of the system design. This time, the same RFID tag is given to a human for identification purposes. The tag is able to faithfully transmit its unique number each time it is stimulated, in some cases up to a design distance of 30 feet. An identification system would register the presence of the RFID tag's number and use it to index directly into a central database containing the enrolled identities of the tag holders. By using only the tag's unique number, a corresponding row in the database would be accessed, giving some personal identifying information of the tag holder. On the face of it, this design seems reasonable: a unique tag for each identity; present the tag and the corresponding identity record is retrieved. No actual personal identification information is contained in the storage-restricted tag. Without automation for identity verification, the system obviously will rely on a visual and potentially verbal human verification process between the tag holder presenting the tag and the person attempting to adjudicate identity.
Unfortunately there are several privacy shortcomings to this approach. One such vulnerability arising from this technology is directly related to the fundamental RFID architecture, which specifies transmission of the tag number in the clear, exposing the tag number to interception during the wireless communications. Once the tag number is intercepted, it is relatively easy to directly associate it with an individual and to subsequently track that individual surreptitiously. Another privacy issue concerns the ability to steal a genuine identity by cloning the person's RFID tag. If this is done, then it is possible to make an entire set of movements posing as somebody else without that person's knowledge. A further privacy concern is associated with maintaining all the identity information within a centralized database and assuming it will remain accessible only to authorized individuals (Ref: http://breachalerts.trustedid.com/?cat=191). Under the Western Hemisphere Travel Initiative (WHTI), U.S. citizens will be required, when returning to the U.S., to present one of a small set of specific documents to verify their citizenship. One of these new documents is known as a PASS card or Passport card. Equally important, under the REAL ID Act of 2005, states are required to meet minimum standards established by DHS in order for state driver's licenses to be accepted for federal purposes. Although the DHS final rule for REAL ID has not yet been published at the time of writing, it is unlikely to specify any significant automated real-time human or electronic document authentication technology. In an effort to consolidate identification programs, DHS proposed that several states conduct pilot programs for something being termed an Enhanced Driver's License (EDL). In border states, such an identity card would serve as both a land border crossing document (substituting for the proposed PASS card) and a state-issued driver's license under REAL ID.
DHS is currently promoting the incorporation of RFID tags for several of these citizen identification programs (Ref: www.dhs.gov/xnews/releases/pr_1161115330477.shtm). The PASS card, which will serve as an alternative to a Department of State-issued passport, intends to incorporate RFID technology. A second program, the proposed Enhanced Driver's License, also is slated to incorporate the same RFID technology (Ref: www.associatedcontent.com/article/190545/washington_to_offer_enhanced_drivers.html).
RFID Is Not the Answer for Border Security
Quite frankly, RFID technology cannot provide the necessary security to protect our borders. Furthermore, the proposed RFID technology will not include appropriate or adequate privacy safeguards for U.S. citizens. RFID technology has been designed for warehouse supply chain and inventory management applications (Ref: http://epsfiles.intermec.com/eps_files/eps_wp/SupplyChainRFID_prod_web.pdf), for example, tracking toilet paper and dog food, and not for human identification card applications (Ref: www.dhs.gov/xlibrary/assets/privacy/privacy_advcom_12-2006_rpt_RFID.pdf).
The RFID proposed for the enhanced driver's license does not have any security features that protect the transmitted information. Because there is no security designed into the chosen RFID tags, they can easily be copied and duplicated (as demonstrated by the Smart Card Alliance and Secure ID Coalition recently on Capitol Hill; Ref: http://www.smartcardalliance.org/articles/2007/07/18/smart-card-alliance-and-secure-id-coalition-host-briefing-to-educate-congress-on-the-importance-of-securing-identity) to create fraudulent driver's licenses and border crossing documents. Adding external paraphernalia to the card (i.e. a protective RF sleeve) will not solve the national security threat that RFID technology poses when used for human identification purposes.
As proposed by DHS, the simple RFID-enabled land border identity cards have many vulnerabilities and will be open to attacks from hackers, identity thieves and possibly even terrorists. Such attacks include skimming, cloning and denial of service. DHS is aware of these potential attacks and corresponding vulnerabilities but is proceeding with the program without addressing them.
There are some further issues in specifying this technology in the current environment.
- Implementing an RFID technology would essentially duplicate the reader infrastructures as they would be incompatible with the new ePassport infrastructure being deployed at all U.S. border entry points, adding significant, unnecessary cost to the programs.
- So far, there has been limited, if any, practical testing of this technology at the border and, in fact, the one test that was conducted as part of a Government Accountability Office (GAO) review (GAO-07-248) reports numerous performance and reliability problems, including failure of RFID readers to detect a majority of travelers' tags during testing. One possible consequence of the inherent unreliability of RFID read-rates is that it will force DHS's border patrol officer to fall back to visual/manual inspection and use of outdated printed machine-reading technologies, adding significant delays to border processing times.
There are several other areas where testing might be expected to reveal that:
- The lack of strong cryptographic features in the proposed RFID tags makes it impossible to effectively authenticate the enhanced driver's license or PASS card. As a result, more time will be required by the Customs and Border Protection (CBP) officer to manually authenticate the driver's license using the other security features on the card. This will mean that the officer has to physically touch the card, dramatically increasing the time the officer spends processing each citizen, increasing the queue lengths, and impeding commerce across the border. When queue lengths increase and pressure is placed on the CBP officer to move more quickly, the check of the biometric image shown on the officer's workstation against the individual in the car may become perfunctory, allowing someone looking similar to the legitimate citizen to pass the inspection point using a copied driver's license.
- Reliance on real-time access to central databases and networks, as opposed to having the biometric and biographic data maintained electronically on the enhanced driver's license itself and available locally, will have undesirable consequences in the event of infrastructure failures. Networks fail, as they did recently in Los Angeles on August 11, 2007, causing several thousand passengers to be delayed on arrival (Ref: http://www.examiner.com/a-877182~Long_Delays_for_Some_LAX_Arrivals.html). In the case of land border crossing, an offline electronically verifiable token would eliminate such a backlog. Reliable data would be available for the border patrol officer to verify the identity of the individual, and cached watch list data could have provided adequate checks until the network returned to operation and the watch lists were updated.
We should be very concerned about a potential backlash and public outcry resulting from citizen identification applications that do not incorporate the necessary security features to protect the identity information and privacy of the card holder. There is a simple solution to this problem that can keep citizens from being put at risk. It requires using the more sophisticated smart card architecture, which can incorporate critical security features including a shorter read range for the card, encryption and electronic authentication of the document, as well as the ability to support security technologies specified in the future. The selected technology would not impede or slow down border crossing applications and would be a valuable aid to the CBP officer in verifying identity. The challenges of reliably reading a number of long-range passive RFID tags that are held within vehicles will make it difficult for DHS to realize the efficiencies assumed for the vicinity-read RFID technology.
There are already several identification card programs in use within the federal government today that do satisfy these tough challenges. One only has to look at the implementation of secure RF identification technology in the Department of State's e-Passports and FIPS 201 Personal Identity Verification federal employee ID programs for shining examples of how to protect privacy, identity and electronically authenticate the document along with its bearer.
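As an added example (not the author's code, nor that of Gemalto, DHS or any deployed program), the following Go program contrasts the two architectures discussed above and the offline verification the article calls for: a plain tag that answers with its fixed serial number, so the lookup accepts whatever transmits that number, beside a signed, challenge-response document whose reader verifies it with only the issuer's public key and master key, with no link to a central database. The HMAC challenge-response with a per-card secret diversified from a master key is an assumed simplification of the asymmetric chip authentication used in fielded documents; all names, keys, serials and records are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PlainTag models the supply-chain tag described in the article: it answers
// every interrogation with the same serial number, in the clear.
type PlainTag struct{ Serial string }

func (t PlainTag) Respond() string { return t.Serial }

// plainLookup indexes straight into the enrolment database by serial number.
// Whatever transmits the serial is accepted, so an intercepted or copied number
// retrieves the same record as the genuine tag.
func plainLookup(db map[string]string, serial string) (string, bool) {
	name, ok := db[serial]
	return name, ok
}

// Document models a smart-card style credential: a data group (biographic data
// plus a photo hash) signed by the issuer, and a chip secret that never leaves
// the card.
type Document struct {
	DataGroup []byte
	IssuerSig []byte
	secret    []byte // absent on a copy made from what the card transmits
}

// Answer responds to a reader nonce with HMAC-SHA256(secret, nonce || data).
// Constructed simplification: fielded schemes use asymmetric chip authentication.
func (d *Document) Answer(nonce []byte) []byte {
	m := hmac.New(sha256.New, d.secret)
	m.Write(nonce)
	m.Write(d.DataGroup)
	return m.Sum(nil)
}

// deriveSecret diversifies a per-card secret from the issuer master key, so a
// reader holding the master key can recompute it without a network lookup.
func deriveSecret(master, dataGroup []byte) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("card-secret|"))
	m.Write(dataGroup)
	return m.Sum(nil)
}

// Issue personalises a document: sign the data group and load the chip secret.
func Issue(priv ed25519.PrivateKey, master, dataGroup []byte) *Document {
	return &Document{
		DataGroup: dataGroup,
		IssuerSig: ed25519.Sign(priv, dataGroup),
		secret:    deriveSecret(master, dataGroup),
	}
}

// CopyContents is what interception of the contactless interface yields:
// everything the card transmits, but not the secret held inside the chip.
func CopyContents(d *Document) *Document {
	return &Document{DataGroup: d.DataGroup, IssuerSig: d.IssuerSig}
}

// VerifyOffline is the reader-side check. It needs only the issuer public key
// and master key, so it keeps working when the link to the central database is
// down. The returned string explains the outcome.
func VerifyOffline(pub ed25519.PublicKey, master []byte, d *Document) (bool, string) {
	if !ed25519.Verify(pub, d.DataGroup, d.IssuerSig) {
		return false, "data group not signed by issuer"
	}
	nonce := make([]byte, 16) // fresh per session, so a recorded answer is useless
	if _, err := rand.Read(nonce); err != nil {
		return false, "no randomness for challenge"
	}
	chip := &Document{DataGroup: d.DataGroup, secret: deriveSecret(master, d.DataGroup)}
	if !hmac.Equal(chip.Answer(nonce), d.Answer(nonce)) {
		return false, "chip failed challenge-response"
	}
	return true, "document authentic and chip genuine"
}

func main() {
	// Constructed enrolment record and tag serial, not real data.
	db := map[string]string{"E200-000123": "DOE, J"}
	name, _ := plainLookup(db, PlainTag{"E200-000123"}.Respond())
	fmt.Println("plain tag: accepted as", name, "(so is any device sending that number)")

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	master := []byte("constructed issuer master key")
	genuine := Issue(priv, master, []byte("DOE,J|USA|photo:9f3a")) // constructed data group
	for label, doc := range map[string]*Document{"genuine card": genuine, "copied contents": CopyContents(genuine)} {
		ok, why := VerifyOffline(pub, master, doc)
		fmt.Printf("%s: ok=%v (%s)\n", label, ok, why)
	}
}
```

Run it with `go run`. The copied contents pass the signature check, because the signature only proves the issuer wrote the data, but fail the challenge, because the copy never had the chip secret; that second property is what distinguishes the smart card architecture from a tag that merely repeats its number.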
The long-range nature of the RFID tag introduces exploitable system vulnerabilities:
- The readers can be rendered useless by a commercially available RFID transceiver being pointed at the CBP antennas, making the system inoperable. Such a denial-of-service attack will wreak havoc by slowing the processing of returning citizens, and could facilitate the movement of individuals with forged RFID tokens across the border.
- Many car windshields are covered with metallic films to reduce visual glare or carry electrical heating wires for de-icing. Both of these features attenuate the radio signals and can prevent them from reaching the RFID tag(s) inside the vehicle. In this situation the failure to read the RFID tag will force the Customs and Border Protection (CBP) officer to manually enter the driver's license data into the workstation before the watch list data and other databases can be consulted.
- UHF radiation is subject to reflections, so RFID numbers from adjacent vehicle lanes can confuse the CBP system, slowing the work of border patrol officers as they match biographic/biometric data to the citizen in the expected vehicle lane.
Possible attacks enabled by the vulnerabilities inherent in the RFID technology:
- A denial-of-service attack is possible by flooding the local reader system with multiple forged cards all with the same (identical) valid RFID number. Manually performed card reads by a CBP officer may pull up the same or different record, adding to the confusion.
- A variation of the denial-of-service attack also is possible by flooding the local system with multiple forged cards all with valid but different RFID numbers. Again, manual card reads by a border patrol officer may pull up the same or different identity records.
- Another subtle attack is the presentation of a single forged card that looks genuine (with printed photo of imposter, etc.) — using a valid (cloned) RFID number that points to the record of an enrolled person in the database. If presented at the same time as the cards of multiple travelers in the same vehicle, the discrepancy may be overlooked.