EPC RFID Tags in Security Applications:
Passport Cards, Enhanced Drivers Licenses, and Beyond
Karl Koscher
University of Washington
Ari Juels
RSA Labs
Tadayoshi Kohno
University of Washington
Vjekoslav Brajkovic
University of Washington
ABSTRACT
EPC (Electronic Product Code) tags are industry-standard
RFID devices poised to supplant optical barcodes in many
applications. They are prevalent in case and pallet tracking,
and also percolating into individual consumer items and
border-crossing documents.
In this paper, we explore the systemic risks and challenges
created by increasingly common use of EPC for security
applications. As a central case study, we examine the recently
issued United States Passport Card and Washington State
“enhanced” drivers license (WA EDL), both of which
incorporate Gen-2 EPC tags. We explore several issues:
1. Cloning: We report on the data format of Passport
Cards and WA EDLs and demonstrate their apparent
susceptibility to straightforward cloning into off-the-shelf
EPC tags. We show that a key anti-cloning feature
proposed by the U.S. Department of Homeland
Security (the tag-unique TID) remains undeployed in
these cards.
2. Read ranges: We detail experiments on the read range
of Passport Cards and WA EDLs across a variety
of physical configurations. These read ranges help
characterize both issues regarding owner privacy and
vulnerability to clandestine “skimming” and cloning.
3. Design drift: We find that unlike Passport Cards,
WA EDLs are vulnerable to scanning while placed in
protective sleeves, and also to denial-of-service attacks
and covert-channel attacks.
We consider the implications of these vulnerabilities to
overall system security, and offer suggestions for improvement.
We also demonstrate anti-cloning techniques for off-the-shelf
EPC tags, overcoming practical challenges in a previous
proposal to co-opt the EPC “kill” command to achieve
tag authentication.
Our aim in this paper is to fill a vacuum of experimentally
grounded guidance on security applications for EPC
tags not just in identity documents, but more broadly in
the authentication of objects and people.
Key words: authentication, cloning, EPC, PASS,
passport card, RFID, WHTI.
1. INTRODUCTION
EPC (Electronic Product Code) tags [19] are RFID devices
poised to supplant optical barcodes in a wide variety
of applications. Today EPC tags figure most prominently
in the tracking of cases and pallets in supply chains. Proponents
of the technology envision a future in which tagging
of individual items facilitates a full life-cycle of automation
from shop floors to retail points of sale, in home appliances,
and through to recycling facilities.
As one example of this application, EPC tags are seeing
a landmark deployment this year in the U.S. in identity
documents used at national border crossings. The United
States Passport Card (also known as the PASS Card), a
land-border and seaport entry document first issued in the
summer of 2008, incorporates an EPC tag. This identity
document was issued in response to the Western Hemisphere
Travel Initiative (WHTI) [46], which, among others, phases
out exemptions in document requirements for border crossing
(previously, United States and Canadian citizens only
had to present photo ID and a birth certificate). Certain
states have issued or plan to issue Enhanced Drivers Licenses
(EDLs), WHTI-compliant documents, which will also
make use of EPC. Washington State started issuing EDLs in
early 2008 [32], with New York State following in September
2008 [2].
To date, the only form of EPC ratified as a technical standard
by EPCglobal, the body that oversees EPC development,
is the Class-1 Gen-2 tag. (For brevity, we refer to
this tag simply as a “Gen-2” or “EPC” tag in this paper.)
Passport Cards and other WHTI documents will incorporate
this type of EPC tag, and it is likely to see the greatest
use in barcode-type RFID applications as well for some time
to come. EPC tags are attractive for their low cost (below
ten U.S. cents each). Also, thanks to their operation in the
Ultra-High Frequency (UHF) spectrum (860–960 MHz), they
have a relatively long read range—tens of feet under benign
conditions [39].
Gen-2 tags, however, are essentially wireless barcodes,
with no specific provisions to meet security and privacy
needs. Just as their optical counterparts are subject to
photocopying, Gen-2 EPC tags are vulnerable to cloning attacks
in which their publicly visible data are scanned (“skimmed”)
by an adversary and then transferred to a clone device—be
it another tag or a more sophisticated emulator.
1.1 Our contribution: vulnerability analysis
In this paper, we consider the use of EPC tags in security
applications. We emphasize a systemic approach, examining