Electronic Driver's Licenses (EDLs) and "passport cards" that may be used for border crossings between the US and close foreign nations* fall under the Western Hemisphere Travel Initiative or WHTI. The RFID used in WHTI Cards is in the 900MHz band and is EPC Class 1, Generation 2.
Here's what I meant when I said above "It's already broken (Sort of)": It isn't really broken, because there is nothing to break.
- The number is transmitted to the reader in the clear. There is NO encoding of the number. Also, there is no handshaking with other card data to verify the number.
- The format of the numbers is already known**
- The equipment to read the EDL is readily available. The Motorola XR400 is a good example, and has been found on eBay for less than $100.
- The equipment and blank cards needed to clone the number are also readily available.
So it isn't 'broken' in the sense that its crypto has been figured out, because there is no crypto to figure out.
Chris Paget has done a lot of work on this, including an excellent talk at ShmooCon 09. During that talk, he cloned several EDLs in less than a minute.
http://hackaday.com/2009/02/02/mobile-rfid-scanning/
http://hackaday.com/2009/02/16/shmoo...-cloning-talk/
The State Department's official stance on this so far has been that since only the ID number is transmitted, and "it's just a number", that the real data (i.e. the true value) lies in the US Government database which is tied to the number, and that the database will not be available to anyone outside of the government. (AND only for official government purposes.) Even if the database was never leaked in any way, the problem with the idea that 'it's just a number' is that there is an inherent assumption that the number exists in a vacuum, and can never be associated with the name, address, DOB, etc. This is patently false. It would be trivial to harvest this information in any number of ways.
Of course, your Social Security number 'is just a number', and we all know what can happen when you get that little bit of information.
* The countries you can use the cards for travel to/from the US:
Anguilla
Antigua and Barbuda
Aruba
Bahamas
Bermuda
British Virgin Islands
Canada
Cayman Islands
Dominica
Dominican Republic
Grenada
Jamaica (except for business travel)
Mexico
Montserrat
Netherlands Antilles
St. Kitts and Nevis
St. Lucia
St. Vincent and the Grenadines
Turks and Caicos
** The format for the ID number is a 24 character hexadecimal number. On the initial release of cards, the first 14 characters are known to be "2C2835433D1A02". Full format: 2C2835433D1A020000000000
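An added illustration of the post's point that a cleartext number with no handshake cannot be told apart from a copy of itself. It is not part of the original post and not code from any card or reader system. The sample ID is the "full format" value from the footnote; `StaticTag`, `KeyedTag`, the reader functions and the HMAC challenge-response design are hypothetical, used only as a contrast.

```python
import hashlib, hmac, os, re

INITIAL_PREFIX = "2C2835433D1A02"        # 14 known characters, from the footnote
SAMPLE_ID = "2C2835433D1A020000000000"   # "full format" value quoted in the footnote

def parse_id(tag_id):
    """Check the 24-hex-character format and split off the known prefix."""
    tag_id = tag_id.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{24}", tag_id):
        raise ValueError("expected 24 hexadecimal characters")
    return {"initial_release": tag_id.startswith(INITIAL_PREFIX),
            "prefix": tag_id[:14], "variable": tag_id[14:]}

class StaticTag:
    """As the post describes: every query gets the same cleartext number."""
    def __init__(self, tag_id):
        self.tag_id = tag_id
    def respond(self, challenge):
        return self.tag_id

class KeyedTag:
    """Hypothetical contrast: the tag also proves it holds a per-card secret."""
    def __init__(self, tag_id, key):
        self.tag_id, self._key = tag_id, key
    def respond(self, challenge):
        return self.tag_id + ":" + _mac(self._key, challenge, self.tag_id)

def _mac(key, challenge, tag_id):
    return hmac.new(key, challenge + tag_id.encode(), hashlib.sha256).hexdigest()

def reader_accepts_static(tag, enrolled_id):
    # Nothing to verify beyond equality, so any copy of the number passes.
    return tag.respond(os.urandom(16)) == enrolled_id

def reader_accepts_keyed(tag, enrolled_id, key):
    challenge = os.urandom(16)               # fresh per read, so old replies fail
    tag_id, _, mac = tag.respond(challenge).partition(":")
    expected = _mac(key, challenge, enrolled_id)
    return tag_id == enrolled_id and hmac.compare_digest(mac, expected)

def demo():
    key = os.urandom(32)
    genuine = KeyedTag(SAMPLE_ID, key)
    replayed = StaticTag(genuine.respond(b"earlier challenge"))  # recorded reply
    return {"static_copy": reader_accepts_static(StaticTag(SAMPLE_ID), SAMPLE_ID),
            "keyed_genuine": reader_accepts_keyed(genuine, SAMPLE_ID, key),
            "keyed_id_only": reader_accepts_keyed(StaticTag(SAMPLE_ID), SAMPLE_ID, key),
            "keyed_replay": reader_accepts_keyed(replayed, SAMPLE_ID, key)}

if __name__ == "__main__":
    print(parse_id(SAMPLE_ID), demo())
```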