RFID's Security Problem Are U.S. passport cards and new state driver's licenses with RFID truly secure?
By Erica Naone Technology Review January/February 2009
Starting this summer, Americans will need passports to travel to Canada, Mexico, Bermuda, and the Caribbean--unless they have passport cards or one of the enhanced driver's licenses that the states of Washington and New York have begun to issue.
Valid only for trips by land and sea, these new forms of identification are a convenient, inexpensive option for people who don't need to travel by plane. U.S. passport cards, which were introduced in July, cost about half as much as a full passport, and the extra cost of getting an enhanced driver's license rather than a regular one is even lower. Enhanced licenses have been available in Washington since January 2008 and in New York since September; other border states, including Michigan, Vermont, and Arizona, intend to offer them as well.
But not everyone is convinced that the new IDs are a good idea. The passport card and the enhanced licenses contain radio frequency identification (RFID) tags, which are microchips fitted with antennas. An RFID reader can radio a query to the tag, causing it to return the data it contains--in this case, an identification number that lets customs agents retrieve information about the cardholder from a government database. The idea is that instant access to biographical data, a photo, and the results of terrorist and criminal background checks will help agents move people through the border efficiently. RFID technology, however, has been raising privacy concerns since it was introduced in product labels in the early 2000s.
Meanwhile, although experts say that some RFID technologies are quite secure, a University of Virginia security researcher's analysis of the NXP Mifare Classic (see Hack, November/December 2008), an RFID chip used in fare cards for the public-transit systems of Boston, London, and other cities, has shown that the security of smart cards can't be taken for granted. "I think we are in the growing-pains phase," says Johns Hopkins University computer science professor Avi Rubin, a security and privacy researcher. "This happens with a lot of technologies when they are first developed."
...