In the fall of 2007, a handful of officials from the Department of Homeland Security (DHS) were invited to attend a live demonstration of how a bomb hidden inside a commercial cargo container could be detonated by a homemade radio frequency identification (RFID) container tracking tag operating at a frequency that was mandated by the federal government for cargo containers within US port environments.
A cargo container RFID electronic tag, or seal, contains an electronic reader that receives a port’s RFID signal that prompts the container’s RFID tag to transmit to port authorities data regarding the cargo that’s been encoded on its RFID tag. But as the demonstration showed, it also can be used to close an electronic circuit when it receives a corresponding RF from a port RFID sender/receiver, thereby detonating the bomb.
Indeed. In the November, 2007 test, an RF receiver tuned to pick up a required US port RFID reader frequency triggered the small explosive that had been placed inside the empty container.
None of the DHS officials though – including officials from Customs and Border Protection (CBP) – who were invited to attend the demonstration showed up. Had they been present, they would have witnessed the homemade RF receiver – which had been assembled by a college student using about $30 worth of easily obtainable parts and programmed to operate at a frequency cargo container RFID tracking tags are required to utilize – successfully be used to trigger the detonation of the explosive in the container.
The video of the demonstration, which was obtained by Homeland Security Today, shows the explosion and documents the preparation of the RF trigger and its attachment to the explosive.
What’s important about the demonstration is that the homemade RF receiver was operating at a frequency that not only was mandated to be used within port environs, but also was mandated to be made public despite the fact that “the process of selecting a frequency for container security was contentious,” Homeland Security Today was told by Powers Global Holdings, Inc. Chairman, Jim Giermanski, a former FBI agent who worked with CBP on border related security issues while in Laredo, Texas.
A former Air Force Col. who, as a Special Agent in the Air Force Office of Special Investigations concentrated on counterintelligence and clandestine base penetrations, Giermanski said “ultimately, a decision was made by the [Federal Communications Commission, FCC] to set aside a frequency of 433.5 to 434.5 MHz spectrum band, and their rule would allow these RFID systems to transmit for 60 seconds, rather than only one second. Against objections, especially those of the amateur radio sector, the spectrum and transmission time were approved by FCC for use with shipping containers and in commercial and industrial areas.”
And “as a result,” Giermanski asserted, “the US government mandated and published the specific frequency for RFID use with shipping containers. The fact that only approved and published RFID signals are required to be transmitted on a given frequency at US ports by both the private and public sectors, in effect, makes government policy usable as an instrument of terrorists’ tactics. The need for surreptitious port penetrations, elaborate electronics, intricate timing or other specialized terrorist tradecraft or operations in the United States becomes diminished, if not eliminated …”
And Al Qaeda at the highest level under Osama Bin Laden studied methods for using cargo containers to get bombs into the US.
For example, following 9/11, important Al Qaeda asset, US alien resident Saifullah Abdullah Paracha, a Pakistani who owned legitimate businesses that used cargo containers to transport the goods it manufactured to the US, was intimately involved in conceiving plots to transport bombs (possibly including radiological explosives) into the United States inside cargo containers.
In the “Secret” Joint Task Force-Guantanamo (JTF-GTMO) commander’s December 1, 2008 memorandum to the commander of the US Southern Command, Continued Detention Under DoD Control for Guantanamo Detainee, ISN US9PK-001094DP, Paracha was assessed to be a “high risk” of returning to Al Qaeda if “released without rehabilitation, close supervision and means to successfully reintegrate into his society as a law-abiding citizen.”
According to the classified report, Paracha “offered his assistance with the shipment of explosives into the US and advised [Al Qaeda] on shipping and port security," noting that “with his knowledge of international shipping, business connections and stature within Pakistan, [Paracha] was an extremely valuable asset to al Qaeda and its operations."
Prior to the Sept. 11, 2001 attack, Paracha “used his international business connections to help facilitate an Al Qaeda plan to procure chemicals and biological agents,” and “offered his assistance with the shipment of explosives into the US.”
He also advised Khalid Shaykh Muhammad’s nephew, Ammar al-Baluchi, on “shipping and port security,” and had “used his business as a cover for smuggled items …”
Continuing, the report on Paracha said “a plan [was discussed] for Al Qaeda to use [Paracha’s] textile business to smuggle explosives into the US,” and that “Al Qaeda wanted to use [Paracha’s] business as a cover to ship primarily ready-made explosives,” which “would have been concealed in standard 20 or 40 foot long shipping containers used by [Paracha’s] textile business.”
Had events not taken place that resulted in Paracha being captured and shipped to GITMO, counterterrorism officials told Homeland Security Today it’s not inconceivable that he might have tried to exploit the vulnerability exposed in the 2007 demonstration.
“You could say there was a serendipitous confluence of events” that may have prevented “this vulnerability from having been exploited,” the official candidly stated.
But this vulnerability might still be able to be exploited, and Giermanski wants to know “why it is that DHS/CBP has not yet addressed the current proven vulnerability of using the required 433.5 to 434.5 MHz spectrum in our ports [after] knowing and admitting in writing, along with the Office of the Secretary of Defense, that the vulnerability truly exists …”
“We probably had more people and interest from the [Gastonia, North Carolina] bomb squad [that provided the explosive for the 2007 demonstration] who couldn’t believe that 433 MHz for a whole minute transition time was required at our ports,” Giermanski said.
“The issue is that it would be real work to build a defense against certain RF frequencies (although they did it in Iraq) or stop its use,” Giermanski continued, pointing out that “at least a frequency could be chosen but not be made public except only for those cleared to use it – or something like that.”
“The demonstration was 100 percent successful, and it showed empirically the vulnerability of RFID transmissions as approved for use with containers passing through our international ports-of-entry,” said Giermanski.
“First,” Giermanski explained, “this demonstration proved beyond doubt that RFID usage can become a trigger of container IEDs in our ports. Second, this demonstration produced agreement among those present that because this vulnerability is real, it must be recognized by those government entities whose mission it is to protect the United States. Pointing out the vulnerability was relatively easy. Fixing it may be more difficult …”
Zapata Engineering, which was awarded a Department of Defense (DoD) contract for worldwide munitions removal – most of which is for work performed in Iraq and Afghanistan – worth up to $1.475 billion over a five year period, was contracted by Powers International, which received support from Raytheon Co., to demonstrate that RFID systems could be used as a triggering mechanism for an improvised explosive device. The project provided a proof of concept in support of future work on this newly identified vulnerability. Zapata fabricated the triggering mechanism and conducted the full scale field demonstration.
Giermanski said that “prior to the video [of the demonstration] we tested the concept without explosives – very easy to do. Then we got Raytheon to contribute some funds to support the project. The University of North Carolina Charlotte filmed a lot of it, too, and did metal fatigue tests on the container to see what happens to them in an explosion. The Gastonia [North Carolina] bomb squad was very happy to help and we had incredible support from them. They provided the explosives. We only used 16 ounces. We didn’t lock the [container’s] doors because it would have sent shrapnel everywhere. Their participation also showed the genuineness of the project – everything official, even briefings within the police headquarters’ building. We invited many, but hardly anybody showed up. No CBP, no Coast Guard, no ports, etc.”
The demonstration was attended, however, by congressional staffers and representatives of DoD, the latter of which admitted they found the vulnerability disturbing.
Due to its interest in, and extensive use of RFID, the Pentagon had sent two experts to see the demonstration: the chief engineer and the supervisor of DoD’s Joint Automatic Identification Technology program.
One of them, an expert on RFID and Improvised Explosive Devices (IEDs), wrote in a memo obtained by Homeland Security Today that they’d “observed the demonstration of an RF detection and triggering device [that was] utilized to detonate explosives in a CONEX container at the Gastonia [Police Department] ordnance range on Nov. 12, 2007. US Army representatives examined the device and wiring and confirm[ed] that a commercial RFID interrogator was used to ‘wake up’ a commercial RFID tag. When the RFID tag responded on the 433 MHz frequency, the relay closed, and the blasting cap set off the explosive charge.”
A year later, though, DHS downplayed the possibility that the use of a cargo container RFID tag as a bomb detonator poses a vulnerability that terrorists potentially could exploit. It was DHS’s opinion – and apparently still is – that this method of exploding a bomb hidden in a cargo container within a US port is highly unlikely.
But Rep. Henry Cuellar, D-Laredo, Texas, who at the time of the demonstration chaired the House Committee on Homeland Security’s Subcommittee on Emergency Communications, Preparedness and Response, said the demonstration "… does raise questions, it does raise concerns.”
Cuellar assured that his office would contact DHS officials "to provide us their side of the story."
In response to his subcommittee staff’s concerns about the implications of the demonstration, DHS responded by conceding that “… it is technically feasible that the detection of RFID emissions could be used to trigger an explosive device within a container.”
But the DHS official who wrote the response to the subcommittee assured “DHS does not agree with the [demonstration] report’s assessment that ports that employ RFID technology become more vulnerable to terrorist attack.”
The DHS official stated “communication with RFID tags (active or passive) that are internal to a conveyance, such as maritime containers, are severely limited in their communications ranges by the ability of the RFID tag to receive a transmission when shielded by the metal walls of the container or other cargo. In addition, certain characteristics of port operations in particular, and the global supply chain in general, would significantly reduce the likelihood of a successful coordinated attack using this approach …”
Other experts disagree – including some from DHS.
Five months before the demonstration, an official involved in supporting the test who’d been working with DHS had said in a memo obtained by Homeland Security Today that “senior DoD and DHS officials are concerned [about the vulnerability], but want to see if this can actually happen.”
The official acknowledged in the memo that a successful demonstration would “highlight this serious vulnerability.”
But more importantly, in glaring contrast to what DHS assured the House subcommittee in 2008, the official had pointed out in his June, 2007 memorandum that “what makes this [vulnerability] scary is that a sea container could be outfitted with an IED and pass harmlessly through overseas RFID readers” (because “they use a different frequency to interrogate”), “yet detonate upon landing and interrogation at a US seaport using the 433 MHz interrogator. No infiltration of the port by the bad guys is necessary.”
In addition, the official noted, “if sea containers supporting our military in Operation Iraqi Freedom have RFID tags and are using the 433 MHz interrogator, an IED could easily slip into a rear area or logistics base, causing casualties on the order of the 1983 Beirut Marine Barracks bombing … This worries me, and I feel that because we are aware of it, we have a … civil duty to highlight [this vulnerability] to those tasked with protecting our troops and our homeland …”
In further contrast to DHS’s claim to the subcommittee that “communication with RFID tags … are severely limited in their communications ranges by the ability of the RFID tag to receive a transmission when shielded by the metal walls of the container or other cargo,” Giermanski explained that “one of my graduate students [who was] a Charlotte reserve police officer and ham radio operator, his buddy and I went to a container storage facility with a high gain antenna,” and “we put the appropriate RFID receiver in a closed container along with his buddy. We then went about 500 meters away from behind multiple rows of containers, aimed the antenna attached to a transponder in the direction of the receiver and his buddy sent a signal.”
“The receiver in the container lit up, and his buddy opened the door and called for us to show us the receiver’s signal light,” Giermanski said. “So, depending on the antenna used, one could be away from the container and still get a signal to the container’s RFID device.”
Giermanski stressed that “all you need is an antenna in the container or in the container wall,” noting that “we put one in the container wall [of a cargo container] in Laredo, Texas for a demo in about ten minutes.”
"Because an explosive device can be easily wired to detonate with the proper RFID frequency signal … all our nation’s ports that employ the approved RFID frequency for shipping containers become more vulnerable to terrorist attack," the report of the November, 2007 demonstration stated.
"What that really means is that all a terrorist needs is an undergraduate and a case of beer,” Giermanski gruffly said.
Continuing, Giermanski said, “for me, one of the most troubling issues is that DHS admitted in writing to the vulnerability created by the federal requirement to use radio frequency identification frequency spectrum 433.5 to 434.5 MHz in US ports,” and that “its use to trigger an explosive device [was] confirmed by the Office of the Secretary of Defense.”
Giermanski said “former engineers at Powers International now believe that RFID usage, as approved for use in the United States, is a serious vulnerability because of the ease of detecting these RFID emissions. RFID emissions can serve as the trigger-mechanism for detonating an explosive device within the container … an explosive device can be easily wired to detonate with the proper RFID frequency signal at any of our nation’s seaports and land ports …”
There are contrarian positions, however. “The RFID radio frequencies are basic frequencies, and could have easily been discovered so that is not a real issue. But the other problem is the idea that there are so many ‘dead zones’ [within port environments]. In order to use RFID, you have to have readers strategically placed in the ports and this becomes a costly procedure,” said Laura Hains, a retired CBP supervisor who is a seaport security expert specializing in port security/intelligence, cargo, commercial vessel, container and cruise ship security who supervised all aspects of trade to include C-TPAT, the Secure Freight Initiative and outbound trade/enforcement. She also designed, implemented and supervised two intelligence units at the Port of Tampa, the Anti-Terrorism Targeting Unit and the Sea Passenger Analysis Unit.
Hains told Homeland Security Today that it would be difficult to use commercial RFID cargo tracking tags as the triggers for bombs because in order to improve the odds of success, the bomb would have to be hidden in a trusted shipper’s container, and many legitimate cargo shipping companies have been reluctant to use RFID tags as a container security device because of their cost. She said most shippers use other non-electronic forms of acceptable methods of ensuring that cargo containers haven’t been breached.
Hains acknowledged, though, that the type of homemade RF receiver that was used to detonate the explosive inside the cargo container in the November, 2007 demonstration could be used to detonate a bomb that’s been covertly hidden within either an inbound or outbound container. She disturbingly noted that it would be much easier to “pull off” this scenario using an outbound container if the intent is to detonate a bomb within a US port.
In its 2008 response to the House Committee on Homeland Security, DHS stated “it is significant to note that the abundance of currently existing RFID technology at each one of [the] several stops throughout the supply chain means that the explosive device would have the potential to be triggered by any one of a variety of available radio frequency signatures anywhere along the path the explosive device travels. In addition, the lack of a common standard RFID frequencies being used throughout the global supply chain precludes any control over an explosive device – the adversary would have no means to ensure detonation at any single point.”
Continuing, DHS told the committee staff that while “it is accurate that RFID systems are in use at US ports of entry (air, sea and land) and have been adopted by a number of private-sector companies for supply chain management, asset and shipment tracking and inventory purposes … RFID system used in maritime ports rely upon a variety of transmission frequencies for port and terminals operations, there is currently no one common RFID frequency in use throughout the global supply chain.”
But in his PowerPoint presentation, Exploiting RFID Signals, Jay Brown, head of Zapata Engineering’s Asset Management Solutions division, stated that “while tags are activated by various frequencies, logistics active tags respond on the 433.92 MHz frequency. Thus, identifying a signal at 433 MHz is all that is required to determine proximity to active RFID tags.”
“Many exploits [are] possible,” Brown said.
Brown demonstrated in his presentation that Zapata identified three vulnerabilities:
- “The ‘hot-wired’ [RFID] tag;”
- “Scanner device;” and
- “The $20 exploit”
Any of these methods easily could be used to construct an RF-triggered bomb, he stated.
Several counterterrorism authorities said because of the known frequencies that have been mandated for use within US ports, it’s “certainly possible” that terrorists might try to exploit this vulnerability. Or, they could try to use a completely different RF that could be activated by a high power RF sending device to activate a bomb’s RF receiver/trigger. But that would probably necessitate having to have someone inside the port where the container is destined and know when it has arrived.
Although an RFID trigger has been demonstrated to be able to detonate a bomb in a cargo container, other counterterrorism officials said the method falls into the category of vulnerabilities they call “the exotics,” which, they explained, means there are less potentially problematic methods for detonating a bomb within a port. Without divulging specific details about these vulnerabilities, they said there are numerous ways in which a port could be attacked if that was the goal of a terrorist organization. They also noted that there are other targets that present equally as catastrophic disruptions that wouldn’t require such an “iffy” probability of success.
“Or, why not just use a cell phone attached to a bomb as the trigger in a container,” Hains asked.
While the debate continues over whether an RF receiver attached to a bomb inside a cargo container tuned to a required US port RFID tag frequency poses a high risk, the fall 2007 demonstration certainly made clear that the scenario is viable. And that represents a whole new spectrum of potential threats, especially if terrorists tried to use this method in an area where cell phone signals are purposely being jammed to prevent them from being used as bomb detonators.
“No matter how you slice it, this is a demonstrated vulnerability,” said a veteran counterterrorism official. “The question is, with all the potential ancillary problems that seem to be associated with trying to exploit this vulnerability … successfully … terrorists might be more inclined to opt for a less troublesome way of exploding a bomb inside a port [if that is their intended target].”
Meanwhile, according to DHS, examples of the department’s use and continued development of RFID based technologies include:
- RFID systems under CBP’s cargo security and trusted traveler programs such as the Free and Secure Trade (FAST) program, the NEXUS program, and the SENTRI program;
- Ongoing testing and development by CBP for the possible future use in the monitoring and tracking of certain high-risk agricultural in-bond shipments;
- The Marine Asset Tag Tracking System device under development by the Science and Technology (S&T) Directorate. MATTS is a remote and adaptive multi-modal global communications and tracking tag for transmitting security alert information from ocean shipping containers based on IEEE Standard 804.15.4b at 2.4GHz;
- The Conveyance Security Device (CSD), for which CBP has published a Request For Information (RFI) to identify and test currently available CSD systems, also requires communication based on IEEE Standard 804.15.4b at 2.4GHz.
The use of RFID tags in in-bond cargo shipments could pose yet another unique vulnerability.
“Given the nature of in-bond shipments transiting the United States, there is no government monitoring of its movement, or accessibility to the cargo,” Giermanski said in his recent Homeland Security Today "Guest Commentary," In-Bonds Shipments: A Security Vulnerability Waiting to be Exploited.
In its April 17, 2007 audit report, Persistent Weaknesses in In-Bond Cargo System Impede Customs and Border Protection’s Ability to Address Revenue, Trade and Security Concerns, the Government Accountability Office (GAO) determined that CBP frequently does not follow up on shipments processed through the in-bond system.
GAO stated “the limited information available on in-bond cargo also impedes CBP efforts to manage security risks and ensure proper targeting of inspections. In-bond goods transit the United States with a security score based on manifest information and do not use more accurate and detailed entry type information to re-score until and unless the cargo enters US commerce. As a result, some higher risk cargo may not be identified for inspection, and scarce inspection resources may be used for some lower risk cargo.”