Friday, February 01, 2008
Dr. Ari Juels explains overlooked nuances of security and privacy for the upcoming U.S. Passport card.
The U.S. Passport card or PASS (People Access Security Service) card, a new travel document, is slated for issue by the federal government in the spring of this year. A poor cousin to the standard passport, it's more compact and less expensive, but valid only at land and sea points of border entry into the United States, not for air travel. The PASS card emerged as part of the Western Hemisphere Travel Initiative (WHTI), which phases out drivers' licenses as border-crossing documents for the U.S.
Like versions of the U.S. Passport, the PASS card will carry a wireless microchip (RFID tag). The Department of Homeland Security selected EPC (Electronic Product Code) Gen-2 tags for this purpose. EPC tags are cheap (very roughly $0.10 apiece). They also have a relatively long read range of some 30 feet, a feature that enables rapid, drive-through border control. In preparation for inspection at a border crossing, the driver and passengers of a motor vehicle place their PASS cards on the vehicle dashboard for scanning. Unique identifiers in the cards enable the computer of a border-control agent to reference a centralized database, pulling and displaying the bearers' photos and personal data. (Agents may also examine the visible security features in PASS cards, e.g., holograms.)
I've heard two starkly contrasting opinions on the security of the PASS card:
The PASS card is dangerously flawed: EPC tags are effectively just wireless barcodes. They were designed for consumer items, not security applications. These tags can be clandestinely scanned (under ideal conditions) at a distance of tens or hundreds of feet, and can be easily copied. Unlike the chip on a true U.S. passport, PASS card chips have no cryptographic protections against skimming or counterfeiting. A terrorist can secretly skim the credentials of a U.S. citizen with a passing physical resemblance and gain entry to the U.S. on a forged PASS card.
The PASS card offers strong security: It is true that the serial number on an EPC tag can be easily copied into a new tag. The TID (tag identifier), a manufacturer-programmed serial number in an EPC tag, is immutable, though, and therefore prevents cloning attacks. Even if a tag were cloned, the border-control process involves live photographic identification of travelers. An imposter has no better a chance of success against PASS than one with a stolen conventional passport. Moreover, a PASS card carries no personally identifiable information.
Neither view is strictly fair. Rather than coming down on one side or the other, I'd simply like to highlight what seem to me some oft-overlooked nuances:
1. Cloning and the TID: The TID ("Tag ID" memory) of an EPC tag can carry a tag-specific serial number that prevents copying of one EPC tag into another. (Description of the TID in the DHS Privacy Impact Assessment for PASS as a "powerful tool...to remove the risk of cloning" is correct in this strictly limited sense.) An EPC tag, though, can be simulated in a spoofing device that need not resemble a chip. (The inevitable open-design experimental RFID tools for EPC will eliminate any need for special expertise in the construction of such a device.) There is limited benefit even in a border-control agent's inspection of the visible security features on travelers' cards. While the cards in an agent's hands may be perfectly authentic, these cards may not be the same devices as were scanned when a given car drove up.
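To make the "strictly limited sense" concrete, here is an added reader-side check, not code from the original post or from DHS, that binds each issued EPC serial to the manufacturer-programmed TID of the chip it was personalized into. It assumes a hypothetical issuance registry of (EPC, TID) pairs and uses constructed sample identifiers; the only Gen-2 fact it relies on is the 32-bit TID header (class identifier 0xE2, XTID bit, 9-bit mask-designer ID, 12-bit model number). It catches an EPC copied into a different chip, cannot bind anything when the TID is header-only (all chips of one model share it), and, as the post argues, accepts any device that reports the same pair a genuine card would.

```python
"""Reader-side EPC/TID binding check (illustrative, not the PASS system's code).

Assumption (not from the post): the issuer records, at personalization time,
the EPC it wrote together with the TID of the chip it wrote it into. A lane
reader later reports each (EPC, TID) pair it read, and the check below accepts
only pairs that match the issuance record. All identifiers are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    OK = "EPC/TID pair matches the issuance record"
    UNKNOWN_EPC = "EPC was never issued"
    TID_MISMATCH = "EPC present in a chip other than the one it was issued in"
    UNSERIALIZED_TID = "TID is header-only; no per-chip serial to bind to"
    MALFORMED_TID = "TID does not start with the Gen-2 class identifier 0xE2"


@dataclass(frozen=True)
class TidHeader:
    xtid: bool              # extended-TID indicator (bit 08h of TID memory)
    mask_designer_id: int   # 9-bit chip-manufacturer code (bits 0Bh-13h)
    model: int              # 12-bit tag model number (bits 14h-1Fh)


def parse_tid_header(tid_hex: str) -> TidHeader:
    """Decode the first 32 bits of a Gen-2 TID bank given as a hex string."""
    tid_hex = tid_hex.strip().upper()
    if len(tid_hex) < 8 or not tid_hex.startswith("E2"):
        raise ValueError("not a Gen-2 TID: missing 0xE2 class identifier")
    word = int(tid_hex[:8], 16)
    return TidHeader(
        xtid=bool((word >> 23) & 1),
        mask_designer_id=(word >> 12) & 0x1FF,
        model=word & 0xFFF,
    )


# Constructed issuance registry: EPC -> TID recorded when the card was made.
# The third entry models a chip whose TID holds only the 32-bit header.
ISSUANCE_REGISTRY = {
    "3034F8D2B7C1A4E000000001": "E2801105200012345678ABCD",
    "3034F8D2B7C1A4E000000002": "E28011052000ABCDEF012345",
    "3034F8D2B7C1A4E000000003": "E2003412",
}


def check_credential(epc_hex: str, tid_hex: str, registry=ISSUANCE_REGISTRY) -> Verdict:
    """Return a verdict for one (EPC, TID) pair reported by the reader."""
    epc_hex, tid_hex = epc_hex.strip().upper(), tid_hex.strip().upper()
    if len(tid_hex) < 8 or not tid_hex.startswith("E2"):
        return Verdict.MALFORMED_TID
    expected_tid = registry.get(epc_hex)
    if expected_tid is None:
        return Verdict.UNKNOWN_EPC
    if len(expected_tid) <= 8:
        # Header only: every chip of this vendor/model reports the same TID,
        # so a match says nothing about which physical chip answered.
        return Verdict.UNSERIALIZED_TID
    if tid_hex != expected_tid.upper():
        # Same EPC serial, different chip serial: the EPC was copied into
        # another tag, which is exactly what the TID binding is meant to catch.
        return Verdict.TID_MISMATCH
    # Note the limit: a device that replays the same (EPC, TID) pair a genuine
    # card would report is indistinguishable from that card at this layer.
    return Verdict.OK


def check_vehicle_scan(reads, registry=ISSUANCE_REGISTRY):
    """Check every (EPC, TID) pair read from one vehicle's dashboard."""
    return [(epc, check_credential(epc, tid, registry)) for epc, tid in reads]


if __name__ == "__main__":
    # Constructed scan: a genuine card, an EPC copied into a blank tag, and an
    # EPC that was never issued.
    scan = [
        ("3034F8D2B7C1A4E000000001", "E2801105200012345678ABCD"),
        ("3034F8D2B7C1A4E000000002", "E28011052000FFFFFFFFFFFF"),
        ("3034F8D2B7C1A4E000000009", "E28011052000FFFFFFFFFFFF"),
    ]
    for epc, verdict in check_vehicle_scan(scan):
        print(f"{epc}: {verdict.name} ({verdict.value})")
    hdr = parse_tid_header("E2801105200012345678ABCD")
    print(f"TID header: xtid={hdr.xtid} mdid={hdr.mask_designer_id} model={hdr.model}")
```

The registry, not the tag, is what makes the TID useful: a TID on its own proves only that some chip of that vendor and model answered. The check is a cheap clone detector for EPCs written into off-the-shelf tags and nothing more, which is the "strictly limited sense" above.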
2. Better authentication: While it is a matter of straightforward engineering to build an EPC spoof device, there are some simple techniques that reduce the risk of EPC skimming.
3. Photo inspection: The aim of the PASS card is to speed travelers conveniently across the border, and it seems likely that border-control agents will not carefully compare the photos on their computer screens with the faces of travelers. The need to peer through car windows to inspect travelers will not help--particularly when they are bundled up in coats, hats, and so forth at the Canadian border in winter.
4. Privacy and function creep: The PASS card will come with a radio-opaque sleeve to protect against skimming when the card is not in use. But what are the chances of bearers retaining and using these sleeves? By way of the Enhanced Driver's License (EDL) program, the PASS chip is wending its way into other identity documents, such as the Washington state driver's license. Are the owners of these cards also expected to use protective sleeves? Will state governments be as well equipped to manage EDL as DHS is to manage PASS? And who ultimately will have access to the PASS database? How will it be protected?
Those with the liberty to ignore other considerations can easily quibble with any technical design. And the effectiveness of passenger identification at border control as a national security tool is hardly obvious. Discussions with colleagues and DHS staff have left me with no question that DHS earnestly sought to achieve the strongest possible privacy and security within the budgetary and political constraints of WHTI. The PASS card may prove adequate, though not ideal.
That said, the PASS system is a brittle one. Adopted and adapted by other organizations--such as state agencies issuing driver's licenses--its security could well degrade. Cloning of PASS cards by imposters is a worry. Cloning of the PASS architecture by state governments and other organizations is a serious worry too.