IATA and Airlines have been testing RFID equipped luggage tags since the early 2000's. Their RFID Standard includes multiple PII fields and security information, but, how are these tags actually used. With over a year of luggage tags donated by travelling hackers, I have compiled a survey of these tags as implemented by US carriers.

1. RFID Luggage Tags
IATA vs Real Life

2. Why the interest?
●
Delta Airlines in 2016 publicized the use
of RFID chips in their luggage tags for
baggage tracking.
●
Consider my curiosity piqued!

4. So who decides on the
standards?
IATA
International Air Transport Association

5. IATA
●
Formed in 1945 in Havana, Cuba
●
Private Organization (NGO)
●
280 airlines (Passenger & Cargo)
●
Coordinates business standards between
airlines (ticketing, baggage & cargo
handling)

6. The key documents
●
Passenger Services Conference
Resolutions Manual
– Issued Yearly
– Resolutions
●
Set time frames to implement Resolutions
– Recommended Practices
●
Set standards

7. Interesting Recommended
Practices
●
RP1740c
– Radio Frequency Identification (RFID)
Specifications for Interline Baggage
●
RP1745
– Baggage Information Services
●
RP1800
– Automated Baggage Handling on the IATA
License Plate Concept

8. RP1740c Trials
●
First one in 1998
●
Both High Frequency (HF) and Ultra High
Frequency (UHF) Tags Tested
●
Read accuracy vs Bar-code based tags
●
International Intra-operability
●
Las Vegas & Hong Kong only airports
fully using UHF RFID for tracking
●
Delta RFID tests: Read Only mode

9. RP1740c – How it works?
●
Based off the ISO 18000-6c standard
●
Also called EPC Gen2
– Electronic Product Code (evolution of UPC)
– EPC Global Class 1 Generation 2
●
860-960MHz
●
Also commonly used for parking lot
entrance stickers & Toll Roads

10. EPC Gen2 Memory Structure
Memory Bank
00
RESERVED (Reserved
Memory)
4 words
Memory Bank 01 UID (Unique Item Identifier) 10 words
Memory Bank 10
TID (Tag Identification
Memory)
6 words
Memory Bank 11
USER (User Defined
Memory)
2 words
(EPC)

11. RP1740c Memory Bank Use
●
Bank 00 – Not Used in the standard
(contains read/write/kill password)
●
Bank 01 – License Plate Number & Flight
Date
●
Bank 10 – Not used in the standard
●
Bank 11 – Space available can be much
larger than in the EPC standard.

12. RP1740c Memory 01 Contents
●
License Plate Code
– Obligatory
– 10 digit (alphanumeric)
●
Flight Date
– Conditional requirement
– Three digit number (1-365/366)

13. RP1740c Memory 11 Contents
(Optional)
●
Security Information
●
Baggage Routing
●
Flight Data
●
Passenger Name
●
Frequent Flyer Level
●
Screening Airport Code
●
Destination Airport Code
●
Internal Airport Status
●
Door-to-Door Delivery Service

14. Paper or Plastic
●
Delta and Las Vegas McCarran Airport issue
paper backed tags ($0.03-0.10 each)
●
Qantas has the Q-Bag Tag for Frequent Fliers
●
3rd
Party “Rebound Tag” which contains both
an NFC, and ISO 18000-6c chips.

15. Security & Privacy Issues
●
Tags are not “killed” when leaving an
airport
●
Tags maintain their previous data until
rewritten (reusable tags)
●
Third party readers/writers are easily
available
●
Difficult to implement a universal
read/write password due to large
number of independent actors (airlines)

16. Security & Privacy Issues
●
What if:
– Ride sharing/Taxis require the
installation of a reader in the trunk
of vehicles?
– Hotels install readers at their
entrance?
– Reading tags through hotel room
doors to identify who is staying in a
room

17. Accidental Discovery
●
Flying with multiple, used tags, in a
suitcase
●
LAS baggage processing systems cannot
cope with more than one tag in a
suitcase
●
Forced airport to resort to manual
baggage processing when all tags could
not be removed

18. Malicious Possibilities
●
Creating a malicious tag that can:
– Duplicate nearby tags
– Rewrite it’s self
– Rewrite/modify nearby tags

19. DDoS a Baggage Processing
System
●
Have multiple suitcases with malicious
tags that duplicate and replay data
from other nearby tags
●
Can a baggage processing system
respond to suitcases popping up in two
or more places at one time?
●
Does the airport need to stop processing
to resolve this problem?

20. Stop! You Can’t go on! Oh
wait...
●
The RP1740c standard defines the
possibility of including security
processing information.
●
Can a malicious tag bypass the baggage
screening process by changing the
security information on itself?
●
How about changing our suitcase’s
destination?

21. Overbooked? Not for long...
●
How about changing information on other
tags?
●
Can we force passengers off a flight in
order to have their luggage manually
inspected?
●
Can we change the destination of other
suitcases?

22. Sooner Rather Than Later
●
Resolution 753
– All Airlines must implement full baggage
tracking (irrelevant of technology) by
June 1st
2018
●
RFID Bag Tag Initiative (June 6th
2018)
– Global Deployment of Tags using the
RP1740c Standard by 2020

23. Airlines! We want to help!
●
There are two years until RP1740c
becomes the de-facto industry standard
●
Let us help you test and implement these
tags in a secure manner for both
infrastructure security and possible
privacy issues!

24. Documentation
●
RFID Business Case
http://www.passengerselfservice.com/w
p-content/uploads/RFIDforbaggagebusi
nesscase21-1.pdf
●
EPC Tag Data Standard
https://www.gs1.org/sites/default/files/d
ocs/epc/TDS_1_9_Standard.pdf

25. Passenger Services Conference Resolutions Manual

26. Continuing Research
●
Flying and want me to catalog your tag
to see how and when RP1740c is
implemented? Send it here:
AdmFord
836 S. Arlington Heights Rd
Box 159
Elk Grove Village, IL 60007

27. Thanks to all who attended this talk or
watched it!