Irrelevant Hacks

Irrelevant musings of a hack blogger

Airline RFID Baggage Tags & Security

Leave a comment

This year at DEFCON and on Twitter, I was asking people for their luggage tags for some research that I’m planning on doing. So I guess it’s time to explain what exactly I am looking into, what aspects of privacy I plan to maintain during my work, and the goals.

Why did I get started with this?

Simple, I saw a few youtube videos and read an article on them. Also, I am simply curious.

So, basically Delta Airlines is investing $50 million dollars in installing RFID baggage tracking infrastructure at multiple airports. That’s a lot of money, and the introduction of a new technology to a system that hasn’t changed much in the past 30 or so years (since the introduction of barcodes on luggage tags). These videos and article don’t really specify any actual information on the type of RFID technology used. Through a bit of initial research, I came across the IATA RP 1740c standard, which is based on ISO-18000-6c 900MHz tag standard. With a bit of googling, I managed to find a copy of the IATA Passenger Services Conference Resolutions Manual from 2010. This document, thankfully included the full specs and memory tables of the RFID tags used. An extremely useful document notwithstanding it’s age.

But in addition to carrier issued tags at airports, there are multiple companies which make multiple use tags which you can attach to your luggage. One such example is the Quantas Q Bag Tag. What the adoption of this standard mean for us as passengers? Well, it creates the possibility to automate check-in even further. You don’t have to glue on a tag that’s printed out, or anything like that. When your suitcase is weighed, the tag is programmed with all the required information, and then sent along.

What am I trying to find with this research?

Privacy

Well, the most elementary thing that I’m looking to identify with this research, is if these tags are active outside an airport, and the privacy aspect of this. ISO 18000-6c is an inherently long range standard. You can easily buy long range readers on eBay with a range of up to 25 feet (this standard is also used at parking garages). So, what I am trying to verify, is IF it possible to literally wander the halls of a hotel, reading luggage tags at a distance and gather the following data remotely:

  • Is the room occupied
  • Who’s room is it?
  • Where did they fly in from (origin airport, or full itinerary)?

This is just the most basic information that can be stored on the tag. If the tags aren’t deactivated when leaving an airport, then can this data can be read remotely? Hotels could also implement readers at their entrances to gather information on guests to improve their service (such as average flight time, time between the arrival of the flight and checking in, and if the person flies direct or through other airports). This information could be gathered without the knowledge of the passenger by just entering a hotel with a tag still attached to the bag.

These are at the moment “what if” situations regarding the RFID baggage tags. I am currently waiting for an ISO 18000c reader to arrive so I can start testing if the tags that I have are actually readable, and if I can access the memory blocks with the sensitive data. I also must add, that the IATA 1740c standard supports encryption of the data, along with a read password and a KILL password for the tags, but there seems to be no regulation on the actual implementation of these measures at the moment, just that they’re optional and at the discretion of the carrier or airport.

Offensive Attacks

With suitcases with built in RFID tags complying to this IATA standard, we’re getting to the point where bags will not have multiple methods of identification (both RFID & Barcode). From what I’ve seen, Delta appears to start wholly relying on RFID rather than the barcode data on the luggage tags. While it increases baggage processing efficiency, the only remaining check is what’s stored on the airline’s own baggage tracking database. Also, if the objective is to save money in the long run, implicitly trusting the data on the baggage tag (passenger name, frequent flier number, flight itinerary) would allow airports to simplify their baggage tracking systems and having it simply sort based on information on where the bag should go off of the Itinerary stored on it.

So, if there is implicit trust (or a push towards that), how can this be exploited?

I currently have multiple THEORETICAL attack types that may be possible using a malicious tag. Due to the sensitive nature of the subject matter, and the fact that these attacks cannot be tested in a legal way by me, I will not be posting any specifics at the moment.

What I need, & privacy measures in my research

IMG_7067

First and foremost, I need more of these luggage tags equipped with these RFID chips. The tags DO NOT NEED TO BE FROM DELTA. They are issued based on airport and not necessarily by airline. So, you might be flying any airline out there, which doesn’t openly support the RFID baggage tags, but end up with one either way. With a good quantity of these tags, I need to corroborate the following information:

  • Is the same data that’s printed on the tag (traveller name, flight information, 10 digit “license plate” number) also stored on the RFID chip?
  • Where are these tags issued (what airports nationally issue them)?
  • Are these tags deactivated (KILL command issued) when leaving the airport (and which destination airports actually do that)?

Privacy measures taken

As for personally identifiable data contained on donated tags, I will not include it in any published materials, or in any research notes. I will only note if the same information printed on the tag is included on the RFID chip or not, a simple TRUE or FALSE statement for each field. Any PI Data stored on the RFID chip but not printed on the tag will also not be published or stored in any research documents. At most I will state if a certain data field in the memory table is used or not. I also will verify if these tags are write locked or not.

After the the research is complete, all tags sent to me will be destroyed. Along with cutting through the RFID chip, I will shred the tags and burn them in order for them not to be reused or read by third parties.

Shipping of tags

Well, if after reading all of this you’re inclined to help out, please send any RFID equipped baggage tags issued by ANY airline, at ANY airport to me at the following address:IMG_7382

I prefer that the tags are as intact as possible so I can verify as much information as possible. So please don’t just cut out the RFID chip and not include the rest of the tag. If you wish, you can wrap the tag in aluminum foil when you send it out.

Anyways, to whomever is interested in helping me out, thank you. I will be looking to publish/present what ever I find hopefully next summer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s