RFID-enabled e-passports may be fraught with data pilferage risks, contactless skimming

The government's budget proposal to introduce e-passports that verify citizens using embedded radio-frequency identification (RFID) chips may create another avenue for hackers to steal data and identities unless adequate safeguards are put in place.

RFID chips can store a unique identification number corresponding to the data of a citizen, which can be read electronically to discern nationality, address other relevant information. This information will be transferred to a computer with the help of RF receivers, and this transfer of data is an area that criminals could target, experts said.

Data, for instance, can be stolen by a process known as skimming, according to Rajesh Maurya, regional vice president, India and SAARC, at cybersecurity firm Fortinet. “Skimmers used in RFID systems are contactless. This means the attackers need to install these skimmers on their laptop or mobile phone, and just need to drive or walk past the toll or wherever they’ve set them up, turn on their laptop, download the information, and walk away,” he explained.

RFID skimmers are not particularly new and are well known for being used by criminals to steal credit or debit card information. They give hackers an edge since they do not have to touch anything and risk getting caught.

“With suitable equipment, hackers will be able to access data embedded into the RFID chip. It was already demonstrated that RFID chips can be read from long distances,” said Liad Mizrachi, security expert at Check Point Software Technologies, another security firm. In July 2010, a hacker named Chris Paget demonstrated that RFID tags can be read from 66 meters away at DEFCON, which is the most famous hacker conference in the world.

Despite concerns though, security experts said security of data will depend on what data is actually stored on these chips. For instance, if everything from a person’s name to address, date of birth and other identifiable information is stored on the chip, then hackers can access that by skimming these chips.

CheckPoint’s Mizrachi said all the data in a passport shouldn’t be stored on a the RFID tag. “If the whole data that is located in the passport will be there that might be very problematic for privacy,” he said.

On the other hand, data security also depends on the security of locations where the data is finally stored, i.e. data centers etc. For instance, in the 2018 Winter Olympic Games in South Korea, hackers were able to shut down all data centers in the Seoul regions, which led to RFID-based security gates malfunctioning.

“RFID is merely a way to collect and store data locally in the object. The bigger issue is the network communication and IT infrastructure — network, servers, storage, software — that collect and process data,” said Kumar Ritesh, chief executive and founder of cybersecurity company Cyfirma.

The challenge is that most data today is stored in a combination of legacy and modern cloud storage solutions, called hybrid cloud. 

“The security challenge for hybrid IT is that most legacy networks operate from a position of implicit trust, where users and devices inside the perimeter are assumed to be reliable and secure,” said Fortinet’s Maurya, adding that malicious actors who breach the network are free to search and steal data and resources, or even hold it for ransom.

“The most significant challenge most governments have is spending time and resources doing architecture analysis, auditing, incident response, and red teaming on their applications,” said Aamir Lakhani, Global Security Strategist and Researcher at Fortinet. Red teaming is a security testing protocol, where policies and measures are repeatedly tested to find loopholes.

According to Lakhani, sometimes the cost of such exercises could be as much as the solution itself. “Most people would instead meet the minimum compliance requirements and hire the cheapest firms,” Lakhani warned.