Are U.S. passport cards and new state driver's licenses with RFID truly secure?

Starting this summer, Americans will need passports to travel to Canada, Mexico, Bermuda, and the Caribbean--unless they have passport cards or one of the enhanced driver's licenses that the states of Washington and New York have begun to issue.

Valid only for trips by land and sea, these new forms of identification are a convenient, inexpensive option for people who don't need to travel by plane. U.S. passport cards, which were introduced in July, cost about half as much as a full passport, and the extra cost of getting an enhanced driver's license rather than a regular one is even lower. Enhanced licenses have been available in Washington since January 2008 and in New York since September; other border states, including Michi­gan, Vermont, and Arizona, intend to offer them as well.

But not everyone is convinced that the new IDs are a good idea. The passport card and the enhanced licenses contain radio frequency identification (RFID) tags, which are microchips fitted with antennas. An RFID reader can radio a query to the tag, causing it to return the data it contains--in this case, an identification number that lets customs agents retrieve information about the cardholder from a government database. The idea is that instant access to biographical data, a photo, and the results of terrorist and criminal background checks will help agents move people through the border efficiently. RFID technology, however, has been raising privacy concerns since it was introduced in product labels in the early 2000s.

Meanwhile, although experts say that some RFID technologies are quite secure, a University of Virginia security researcher's analysis of the NXP Mifare Classic (see Hack, November/December 2008), an RFID chip used in fare cards for the public-­transit systems of ­Boston, London, and other cities, has shown that the security of smart cards can't be taken for granted. "I think we are in the growing-pains phase," says Johns Hopkins University computer science professor Avi Rubin, a security and privacy researcher. "This happens with a lot of technologies when they are first developed."

Borderline Security

The first of the new ID cards to be introduced, the federal passport cards and the Washington driver's licenses use similar technology, which has been reviewed and approved by the U.S. Department of Homeland Security. The cards' RFID devices, called electronic product code (EPC) tags, are much like bar codes. The tags are inexpensive and can, in ideal conditions, be read from about 150 feet away--an unusually long range for RFID, says Ari Juels, director and chief scientist at RSA Laboratories in Bedford, MA, which collaborated with researchers from the University of Washington to evaluate both cards.