Homeland Security ID Card Is Not So Secure
President Bush's proposed $2.57 trillion federal budget for Fiscal Year 2006 greatly increases the amount of money spent on surveillance technology and programs while cutting about 150 programs—most of them from the Department of Education. EPIC's "Spotlight on Surveillance" project scrutinizes these surveillance programs.
This month, "Spotlight on Surveillance" shines on the Department of Homeland Security's new employee access card and finds that it contains substantial security risks. The Department of Homeland Security Access Card (DAC) has vulnerabilities associated with its use of radio frequency identification (RFID) and Bluetooth technologies, biometric identifiers and PIN backup system. But there are also risks that come from the DAC's "mission creep"; the Department also wants the card to be used as a payment device for everyday items.1 The Department requests $6 million for the DAC program in FY 2006, and each card costs about $8.50.2
Beginning in May and through the end of the year, Homeland Security will issue the DAC to 40,000 of its 180,000 employees and contractors.3 According to Homeland Security, the card "can be used to access facilities and appropriate data stores across the DHS enterprise. The DAC also supports access to resources controlled by federal, state and local government entities as well as DoD and Foreign National resources."4 The DAC is about the size of a credit card and will carry a digital copy of the cardholder's fingerprint as well as other information.5 However, if the biometric identifier (the fingerprint) fails to be recognized by DHS card readers, the card also allows access through the use of a 6- to 8-digit PIN.6 The card will use RFID and Bluetooth technologies. The Department plans for the DAC to be used for accessing computers, entering buildings, and paying for items such as Metro train fares.
Homeland Security proposes that the DAC fulfills President Bush's August 27, 2004, Homeland Security Presidential Directive/HSPD-12. The directive calls for the establishment of a "mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contract employees.)"7 The directive goes on to define "secure and reliable forms of identification" as identification "that (a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process."8
The DAC, however, has significant vulnerabilities, and it is not "strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation." Criminals, including identity thieves, can exploit the DAC's use of RFID and Bluetooth technologies to gain access to the personal information on the card, and to the computers and buildings linked to the card.
Use of RFID and Bluetooth technologies to store data could expose the information on the DAC to unauthorized personnel. "The purpose of an RFID system is to enable data to be transmitted by a portable device, called a tag, which is read by an RFID reader and processed according to the needs of a particular application. The data transmitted by the tag may provide identification or location information."9 It has been well documented that criminals are able to use readers to break the encryption systems in RFID tags. Recently, researchers at Johns Hopkins University and RSA Laboratories discovered serious security flaws in the RFID chips that are used to protect cars from theft and prevent fraudulent use of SpeedPass keys.10 The researchers easily were able to circumvent the cars' anti-theft protection system. They also were successful in extracting individual SpeedPass secret keys, and used them in another device that allowed for fraudulent charges to the SpeedPass accounts.
The vulnerabilities of Bluetooth technology have also been well documented. Bluetooth technology enables wireless communication among electronic devices in close proximity. For example, a Bluetooth-enabled computer could work with a wireless keyboard or mouse. In August, security flaws in Bluetooth-enabled mobile phones allowed criminals to access the information in the phones including contact information and text messages.11 In some cases the Bluetooth-enabled devices were accessed from a mile away, making clear that criminals do not need to be in proximity to their victims to retrieve their data.12
Homeland Security's Director of Authentication Technologies Joseph Broghamer has said that the card contains these wireless technologies to make the card more convenient, and that the transmissions between the DAC and readers will be encrypted.13 Swiping a card through a reader might be slightly less convenient than using a wireless card, but the non-wireless card would be much more secure. In a non-wireless card there would not be a transmission for a criminal to target. A non-wireless DAC also would limit the risks to privacy inherent in RFID tags, such as constant tracking of a person's location.14 Security risks also may arise if a federal employee with high-level clearances reveals his identity to an unsecured device. It would be difficult to determine the time and location where such a disclosure occurred.
The RFID- and Bluetooth-enabled DAC could be protected from unauthorized access by "Faraday shields." (Basically, the card would be encased in a sleeve made of aluminum foil.)15 However, the risk of unauthorized access increases with the amount of time that the card is outside the shield. If the card is used only to secure building entry and computer access, then there is little opportunity for criminals to target the card. The Department of Homeland Security, however, plans to make the DAC multi-functional, for instance enabling the DAC to pay for everyday items. Employees would pull the DACs out of the Faraday shields several times a day—in Metro stations, at lunch counters—in places where criminals could easily target them. The Department of Homeland Security seeks to fulfill the president's directive; yet the Department has increased the security risks associated with the DAC through mission creep, broadly expanding its function beyond what is necessary for a secure access card.
The DAC identifies the cardholder and her level of access through the use of a biometric identifier—a fingerprint. A recent report by the National Institute of Standards and Technology (NIST) showed that one-fingerprint identification systems had an accuracy rate of 98.6 percent, while the accuracy rate rose to 99.6 when two fingerprints were used and 99.9 when four, eight and ten fingerprints were used.16 The report also showed that the accuracy rate for fingerprint identification drops as the age of the person increases, especially for those more than 50 years old.17
EPIC recently highlighted problems with biometric technology in comments to the Transportation Security Administration about its upcoming test of the technology:
EPIC urged the agency to provide individuals with enforceable rights of access to their records and correction of any erroneous information contained in such records. Such protections would safeguard the privacy rights of federal employees and contractors.
Homeland Security has assumed that there will be some problems with the biometric identifier system on the DAC. The Department has a backup system built into the card: if the fingerprint identification fails, then the employee can gain access by using a 6- to 8-digit PIN. By allowing alternate access through the PIN, Homeland Security creates all of the vulnerabilities associated with allowing complete access to secure areas and information through one password. This is a significant security risk, as a criminal could bypass the biometric identification system by simply learning the PIN. The PIN could be coerced from the employee with the threat of violence against the employee or her/his family. Even without the PIN bypass, there are risks to equipping the card with the power to access not only the Department of Homeland Security's resources, but also those of local, state and other federal government entities.
The president's Aug. 27 directive mandated that the entire federal government must start issuing cards to employees and contractors by Oct. 27, 2005. Many government agencies have created access cards similar to Homeland Security's DAC. In the fall, hundreds of thousands of personnel will have access cards equipped with personal information, biometric and wireless technologies, and the security risks associated with their use.