Security researcher uses second-hand equipment to hijack RFID tags while driving

Feb 3, 2009 10:53 GMT

Security consultant Chris Paget has used equipment acquired for $250 on eBay to put together a system that allows him to read the RFID tags in government-issued passport cards and enhanced drivers' licenses (EDLs) from a moving vehicle. During a 20-minute drive, the researcher sniffed the electronic product codes (EPCs, the identifiers stored on the RFID tags) of two passport cards.

Mr. Paget has challenged the security of the RFID technology before. He wanted to prove the vulnerability of RFID tags manufactured by a company called HID at the Black Hat conference in 2007, only to be stopped by the firm, which claimed he violated its patent. This time, however, he has focused his attention on RFID tags used by the government.

The fact that RFID-equipped passport cards and EDLs are vulnerable to attacks is not new. The concept has been documented by security researchers from the Washington University and the RSA laboratories who released a report back in October 2008. Even so, this doesn't seem to have stopped some 750,000 people from applying for the new "enhanced" documents.

So, why would Mr. Paget go through all this trouble in the first place? Well, "It's mainly to defeat the argument that you can't do it in the real world, that there's no real-world attack here, that it's all theoretical," the ethical hacker argues, according to The Register. "It's one thing to say that something can be done, it's another thing completely to actually do it," he concludes.

In order to pursue his practical endeavor, the hacker used a Symbol XR400 RFID reader (a Motorola brand) along with an AN400 antenna from the same manufacturer. He employed an Ethernet cable to connect the reader to a laptop running a custom application he wrote, and concealed the whole system in his Volvo car. This setup allows him to read RFID tags at a distance of 30 feet (roughly 9 meters), but Paget claims that with more professional and expensive equipment he could cover an area of over 1 mile (1.6 km).

Government officials underline that the cards come with protective sleeves to prevent such attacks, and that, even if they occur, there is little the skimmers can do with the captured information, as it only consists of an electronic identifier, which points to a record in a secure government database. However, civil liberties groups do not agree, pointing out that even this identifier opens the door to abuse, and could be used for tracking, stalking, or counterfeiting.

Chris Paget plans to present his concept and release his custom software later this month at the upcoming ShmooCon 2009 in Washington. "His previous hacks include HID cloners, WPAD-based LAN hijacking, GDI messaging attacks, and out-drinking Dan Kaminsky. Chris spends most of his days trying to break into eBay faster than the bad guys, and in his spare time likes to hack into just about anything he can legally get his hands on," the ShmooCon organizers write about him.
