In just two weeks, the province of British Columbia will be launching the new BC Services Card. If you haven’t already heard about the new province-wide identity management initiative, it’s not your fault; the government only began its public relations campaign for the Services Card initiative six weeks before the card was set to hit wallets and hospitals across the province. In fact, the government’s been so unforthcoming about the new Cards that, just six weeks before its release, the British Columbia Office of the Information and Privacy Commissioner is racing to adequately review the program. To be clear: this isn’t a new initiative, but one going back several years. The unwillingness to disclose the documents necessary for the Commissioner’s review is particularly troubling since the Services Card is just one component in the province’s much larger move to an integrated identity management program. Will similar tardiness in assisting the province’s privacy czar pervade this entire transition? Will the public be as excluded from future debates as they have been from the Services Card development and deployment regime?
The Services Cards feature a host of security enhancements, including layered polycarbonate plastics, embedded holography, laser etchings for images and text appearing on the card, and the integration of a Near Field Communications (NFC) chip. For this post, I focus exclusively on the NFC chip, which is meant to ‘secure’ your identity when presenting the card to government agencies, either in person or online.
The BC government has been touting NFC as an enhanced security feature in the Services Card initiative. While this technical feature might enhance the perception of privacy (especially when buttressed by official provincial political rhetoric), it actually entails serious flaws. These flaws could leave the personal information of BC residents and government databases vulnerable to attack; the security ‘features’ could be the beachhead that leads to serious privacy breaches.
I begin by providing a brief explanation about what NFC is and the government’s proposed deployment strategy linked with the chip. From there I discuss why including the chip matters for BC residents, with attention given to the multitude of security and confidentiality problems that are presently associated with the technology. I conclude by arguing that, in the face of such problems, the BC government ought to be transparent about how it has engaged with these thorny – and perhaps intractable – security issues, as well as questioning the relative value of including the NFC chip in the first place.
What is a Near-Field Communications Chip?
Near-Field Communication (NFC) is an emerging technology that is gaining popularity across the payment card industry. Similar to the ‘chip’ you might find on your current credit or debit card, which is based on existing radio-frequency identification (RFID) technology, the new Services Card will contain an embedded NFC chip. The difference between many current RFID-equipped cards and those with NFC is that NFC is a ‘contactless’ communications protocol. Current RFID cards insist that the card is inserted into the payment terminal. NFC, by contrast, requires the user to ‘tap’ the card just a few centimeters away from the NFC reader. A small charge is passed between the chip on the card and the reader. This charge initiates a data exchange between the card and reader, such as a data exchange associated with a payment transaction. However, in the case of the BC Services Card, the exchange would be at a government point-of-service and the information exchanged would authenticate your identity, not pay for a service.
There are many types of data that can be stored on NFC smartchips and, correspondingly, there are different use cases for the chips. For example, the chips are integrated with Japanese student IDs to facilitate class registration and small payment purchases (e.g. food). Also, the technology is used for mobile phone-based payments in Japan and South Korea. In Canada, you might have encountered advertisements from Rogers or CIBC; the two companies have partnered to launch a trial NFC-based mobile payment system. Notably, Canada is a world leader with regards to deploying contactless NFC readers.
Whenever we think about NFC it is important to keep in mind that full use of the technology relies on both the NFC tag (embedded in the Services Card) and the reader (e.g. government point-of-service). Instead of a data identifier of a cash balance that might appear on your credit card, the chip on the BC Services Card will contain a personal identifier number associated with the card’s owner. For BC residents using the new Services Card, the user will ‘tap’ the card at a government point-of-service to authenticate their identity, which will, in turn, associate that particular point-of-service with the relevant information from a government database registry. While earlier reports – and research interviews – suggested that the unique numerical identifier stored on the chip would be encrypted in the new Services Card, it is unconfirmed on the public record whether this will actually be the case.
British Columbia’s Adoption of NFC Thus Far
According to interviews with government officials, the BC government is also trialing NFC chips to be used in conjunction with mobile phones. The idea behind these trials is that, using mobile phones, every BC resident with an NFC-enabled smartphone will have quick and easy access to government services and the personal information that the government retains about the resident. If the government integrates Services Card functionalities with the mobile environment, residents could ‘tap’ their Services Card on the NFC reader that is integrated with their device to call up their personal data from relevant government databases. As an example, you might be able to present your personal pharmaceutical history on your phone. While this phase of development is still at a conceptual stage, it is being enthusiastically embraced by officials in government as a realistic next step in the expansion of the BC Services Card delivery model.
These chips will be embedded in every newly issued BC Services Card. The adoption of this chip-based approach to identity authentication constitutes a significant change with regards to managing identities, and is very different from placing data on the ‘magnetic-stripe’ on today’s CareCards. Specifically, the chips are integrated with BC’s wider identity management systems; whereas the CareCard magstripe is used exclusively when you’re involved with the BC healthcare system, the NFC chip will be used by the Ministry of Health, Citizen Services, Education, and more.
To date, the BC government has insisted that moving to NFC technology will improve the security of personal data of BC residents, though, for reasons unknown, it appears that the province has backed away from its decision to activate the new chip. To be clear: in research interviews conducted late last year the NFC chip was heralded as a key part of the Services Card’s security design, and ICBC documents provided under Access to Information legislation suggested that the chips would be active from day one. So, while we don’t know when the government will implement its NFC-based data governance scheme (while a 3-5 year implementation window has been stated, the government has routinely failed to meet such windows), we do know that the Services Cards that are given to residents starting in February will have NFC chips embedded in the cards. Those chips just won’t be activated yet.
So, while the government is not immediately implementing NFC, this has not been accompanied by a public acknowledgement of the problems with this means of identity authentication. In what follows I discuss some of the problems with this technology and, consequently, why it should not be included in the BC Services Card.
Security, Authenticity, and NFC in BC
Identity management system and privacy-protective cryptography expert Stefan Brands has stated that “[w]hile it is true that smartcards enhance the perception of privacy, perception and fact are two very different things” (Brands 2000). Brands’ statement aptly characterizes the disjunction between the government’s position regarding NFC-related security enhancements and today’s technical reality. In short, these ‘enhancements’ may actually pose a serious risk to provincial data networks and the mobile devices of BC residents. In what follows I draw on research conducted with Christopher Parsons to outline a few ways to attack – and compromise – the integrity of NFC-based identity authentication. After outlining these threats I discuss what these vulnerabilities actually mean for the security of provincial data networks and for the security and integrity of sensitive personal information of British Columbians.
NFC chips are meant to be read in very near proximity to a reader (about 10cm), which is intended to prevent third parties from intercepting the communication between the card and a reader. However, this communication protocol, which should be an improvement on previous ‘magnetic-stripe’ cards, is vulnerable to eavesdropping. Eavesdropping is possible because of a ‘relay attack’, or an instance where a third party actually mimics a reader, which initiates a data transfer and consequently can ‘read’ the information that a card transmits.
This kind of eavesdropping was proven by research conducted by Gerhard Hancke (.pdf source). He found that an attacker can relay a message to the card, and receive a response from the card in return. The attacker can then capture this information remotely, and either store it immediately (for subsequent decryption, if necessary), or redirect the information to a reader terminal that is also controlled by the attacker. There is a range of subsequent nefarious uses for this data, such as using the intercepted data to commit identity fraud (e.g. using intercepted data to enhance the legitimacy of counterfeit documents).
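Why encrypting the stored identifier does not by itself address captured exchanges can be shown with a small model. This is an added example, not code from the post or from the BC government: the key, identifier, toy cipher and class names are all constructed assumptions, and the real card's scheme is not on the public record.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration only; not real card data or the card's real scheme.
CARD_KEY = bytes(range(16))      # hypothetical per-card secret shared with the back end
CARD_ID = b"9000000001"          # hypothetical personal identifier number


def encrypted_id() -> bytes:
    """Stand-in for a fixed ciphertext stored on the chip (toy XOR keystream)."""
    stream = hashlib.sha256(CARD_KEY).digest()
    return bytes(a ^ b for a, b in zip(CARD_ID, stream))


def mac_over(challenge: bytes) -> bytes:
    """HMAC binding the identifier to one reader-chosen challenge."""
    return hmac.new(CARD_KEY, challenge + CARD_ID, hashlib.sha256).digest()


class StaticCard:
    """Answers every read with the same encrypted identifier."""
    def respond(self, challenge: bytes) -> bytes:
        return encrypted_id()


class ChallengeResponseCard:
    """Proves knowledge of the key over the reader's fresh nonce."""
    def respond(self, challenge: bytes) -> bytes:
        return mac_over(challenge)


def reader_accepts(card_type, challenge: bytes, response: bytes) -> bool:
    """Reader-side check for whichever scheme the card type uses."""
    expected = encrypted_id() if card_type is StaticCard else mac_over(challenge)
    return hmac.compare_digest(expected, response)


def genuine_accepted(card) -> bool:
    challenge = secrets.token_bytes(16)
    return reader_accepts(type(card), challenge, card.respond(challenge))


def replay_accepted(card) -> bool:
    """Record one exchange, then present the recording in a later session."""
    recorded = card.respond(secrets.token_bytes(16))   # bytes seen on the air
    fresh_challenge = secrets.token_bytes(16)          # new session, new nonce
    return reader_accepts(type(card), fresh_challenge, recorded)
```

Challenge-response only defeats stored recordings; a live relay that forwards the fresh challenge to the genuine card still verifies, which is why relay resistance needs timing or proximity checks as well.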
Jamming the NFC signal is another way of disrupting the security-enhancements associated with NFC-equipped technology. This kind of attack requires only rudimentary engineering skills to perform. Just by relying on basic over-the-counter jamming equipment, which will only cost a few hundred dollars, an attacker can disrupt the information protocol between the NFC chip and the reader. While there is very little to gain by way of jamming, apart from interrupting the informational transaction between the NFC chip and the reader device, it is fair to imagine how jamming systems could be deployed in critical situations for the ‘lulz’, or for more disruptive purposes. As medical environments become increasingly dependent on NFC technologies – whether in health sensing equipment or in patient records – the implications of a disruption will increase. Online sources that teach how to jam NFC-specific services, such as Google Wallet, are already readily available. There is no reason why similar ‘how to’ demonstrations won’t be created to help pranksters, troublemakers, and malicious actors to similarly disrupt NFC communications associated with the BC Services Card.
NFC Reader Vulnerabilities
In the Health IT sector, mobile-based NFC technologies have been cited as a user-friendly way for doctors, nurses, and even patients to access patient-specific electronic health records in real-time. While NFC in health sensing equipment might be some years down the road, the BC government is entertaining the prospects of integrating the BC Services Card into the mobile environment. The government is already testing the Services Card’s NFC functionality with a Google Android device.
Adopting mobile devices as NFC readers in the BC Services Card initiative would open the mobile device (such as a phone or a tablet) to attack from a malicious third party. Mobile devices that can read NFC are notably insecure; bugs in how the mobile operating systems have implemented the NFC technical protocol, bugs in how specific applications parse NFC tag data, and underlying insecure operating systems mean that there are (at least) three core vectors to upset the ‘security’ afforded by NFC communications. Importantly, this kind of attack means that the NFC chip that is presented to a reader does not have to ‘prove’ itself as authentic to the reader: the aim is actually to insert fraudulent or malicious data on the chip to subsequently take over the mobile device.
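On the defensive side, the second vector (bugs in how applications parse NFC tag data) is reduced by a reader that treats every length field on a tag as untrusted. The following is an added example, not code from the post or any vendor: it assumes the tag data uses the NFC Forum's NDEF record layout, which the post does not confirm for the Services Card, and the sample byte strings are constructed.

```python
class NdefError(ValueError):
    """Raised for any NDEF message that is not strictly well-formed."""


def parse_ndef(msg: bytes, max_payload: int = 4096) -> list:
    """Return [(tnf, type, id, payload), ...] or raise NdefError."""
    if not msg:
        raise NdefError("empty message")
    records, pos, ended = [], 0, False
    while pos < len(msg):
        if ended:
            raise NdefError("data after Message End record")
        hdr = msg[pos]
        mb, me, cf = hdr & 0x80, hdr & 0x40, hdr & 0x20
        short, has_id, tnf = hdr & 0x10, hdr & 0x08, hdr & 0x07
        if bool(mb) != (not records):
            raise NdefError("Message Begin flag misplaced")
        if cf or tnf == 0x07:
            raise NdefError("chunked record or reserved TNF not accepted")
        # Fixed-size part: header, type length, payload length (1 or 4), optional ID length.
        len_bytes = 1 if short else 4
        fixed = 2 + len_bytes + (1 if has_id else 0)
        if pos + fixed > len(msg):
            raise NdefError("truncated record header")
        type_len = msg[pos + 1]
        payload_len = int.from_bytes(msg[pos + 2:pos + 2 + len_bytes], "big")
        id_len = msg[pos + 2 + len_bytes] if has_id else 0
        if payload_len > max_payload:
            raise NdefError("payload length exceeds limit")
        # Every declared length is checked against the real buffer before slicing.
        body = pos + fixed
        end = body + type_len + id_len + payload_len
        if end > len(msg):
            raise NdefError("declared lengths exceed message size")
        rtype = msg[body:body + type_len]
        rid = msg[body + type_len:body + type_len + id_len]
        payload = msg[body + type_len + id_len:end]
        records.append((tnf, rtype, rid, payload))
        pos, ended = end, bool(me)
    if not ended:
        raise NdefError("missing Message End record")
    return records


# Constructed sample: one short Well-Known Text record carrying "hi" (language "en").
GOOD = bytes.fromhex("d101055402656e6869")
# Constructed malformed variants: payload length claims more bytes than exist.
BAD_SHORT = bytes.fromhex("d101ff5402656e6869")
BAD_LONG = bytes.fromhex("c101ffffffff54")
```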
The suggestion that mobile devices are vulnerable isn’t theoretical; researchers such as Charlie Miller have identified serious vulnerabilities (.pdf source) with how NFC technologies are presently implemented on mobile platforms. His research methodology has not, as far as we have been able to learn, been mimicked by the BC government; security does not seem to have been terribly high on their overall list of priorities. Miller’s research, in brief, revealed how attackers can exploit well-known vulnerabilities in NFC technology (particularly in popular Android systems 2.3 and 4.4.1 as well as in Nokia smartphones) that would let a third party invisibly monitor the smartphone and surreptitiously extract a broad range of data (such as personal files, saved passwords, photos, and so on). Alternatively, the attacker could gain access to the browser on the device and use it as a proxy to conduct further attacks against the mobile phone’s operating system itself.
This capacity to attack the mobile device is significant, insofar as the personal information that is stored on the device itself could be exfiltrated. Moreover, since the BC Services Card requires some kind of access to government networks, a further concern exists that an attacker could compromise a government system – via a reader hooked directly to the BC government’s computer systems – to subsequently breach the government’s networks. In essence, any attempt to move the BC Services Card into the mobile environment presents very serious risks to privacy and security in BC.
It’s important to note that, while I’ve focused on mobile readers integrated with smartphones and tablets, there’s no reason a dedicated identity thief couldn’t steal a non-mobile reader attached to a doctor’s office’s computer and subsequently figure out the reader’s specific vulnerabilities. In other words, the inability of a third party to conduct illicit research on how to break the non-mobile NFC readers is as strong as the locks – or glass – to your local GP’s office. Crowbars and bricks are cheap, and academic research (Anderson 2007, Brands 2000) has revealed that identity thieves are increasingly willing to take advantage of cheap – but highly skilled – labour in China and India to break the security systems meant to secure identity documents.
To date, no BC government ministry or other independent auditors have publicly addressed any of the vulnerabilities mentioned in this post. A murky commitment that security audits are being performed in January 2013, just a few weeks before the release of the card, casts serious doubts that all the risks associated with the Services Card project will be pre-emptively managed; instead, patches and fixes will be issued only after the cards are in people’s wallets. Without any concrete and public review from the government on the dangers associated with NFC, and under currently existing circumstances, the expectation that NFC chips will provide significant security benefits is unfounded. What’s more, the chips themselves might be turned into the very weapons responsible for compromising BC residents’ most sensitive personal information. Consequently, the government’s claims that NFC chips guarantee heightened security and privacy protections are dubious at best, and reckless at worst.
At this point, taxpayer dollars have already been poured into including NFC technology in the physical design of the card, even while the security and privacy benefits of such technologies have not been proven. Indeed, the government has yet to adequately demonstrate that the NFC chip provides any genuine value to the new Services Card initiative. Unfortunately, to date, the provincial government has decided that this is not a discussion worth having with the public. The decision to include NFC chips in the physical design of the card without adequate security audits and inter-governmental review from the BC Office of the Information and Privacy Commissioner demonstrates continued imprudent mismanagement of the Card’s deployment. In the face of yet another significant problem associated with the new BC Services Card initiative, the BC government ought to be transparent and forthcoming about how it plans to proceed with this technology, a technology that may threaten – rather than protect – the privacy interests of BC residents.
S. A. Brands. (2000). Rethinking Public Key Infrastructures and Digital Certificates. Cambridge, Mass.: The MIT Press.
R. Anderson. (2007). Security Engineering (Second Edition). Indianapolis: Wiley.