Feds: Wrap Up Those RFID E-Documents in Tin Foil
July 12th, 2009Via: Washington Post:
To protect against skimming and eavesdropping attacks, federal and state officials recommend that Americans keep their e-passports tightly shut and store their RFID-tagged passport cards and enhanced driver’s licenses in “radio-opaque” sleeves.
That’s because experiments have shown that the e-passport begins transmitting some data when opened even a half inch, and chipped passport cards and EDLs can be read from varying distances depending on reader techonology.
The cover of the e-passport booklet contains a metallic sheathing that can diminish the distances radio waves travel, presumably hindering unwanted interceptions. Alloy envelopes that come with the PASS cards and driver’s licenses do the same, the government says.
The State Department asserts that hackers won’t find any practical use for data skimmed from RFID chips embedded in the cards, but “if you don’t want the cards read, put them in an attenuation sleeve,” says John Brennan, a senior policy adviser at the Office of Consular Affairs.
Gigi Zenk, a spokeswoman for the Washington state Department of Licensing, says the envelope her state offers with the enhanced driver’s license “ensures that nothing can scan it at all.”
But that wasn’t what researchers from the University of Washington and RSA Laboratories, a data security company in Bedford, Mass., found last year while testing the data security of the cards.
The PASS card “is readable under certain circumstances in a crumpled sleeve,” though not in a well maintained sleeve, the researchers wrote in a report.
Another test on the enhanced driver’s license demonstrated that even when the sleeve was in pristine condition, a clandestine reader could skim data from the license at a distance of a half yard.
Will Americans consistently keep their enhanced driver’s licenses in the protective sleeves and maintain those sleeves in perfect shape – even as driver’s licenses are pulled out for countless tasks, from registering in hotels to buying alcohol?
The report’s answer: “It is uncertain … ”
And when the sleeves come off, “you’re essentially saying to the world, ‘Come and read what’s in my wallet,'” says Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C.
By obliging Americans to use these sleeves, he says, the government has, in effect, shifted the burden of privacy protection to the citizen.