65

Is the RFID chip in e-passports read-only or is it read-write?

If it's read-only, is all of the data locked-down when the passport is issued? Is the read-only portion extensible so that additional data can be burned on later?

If it's read-write, can passport control in any country we pass through enter or change data in the passport? For example, to record entries and departures?

Update: I ask for two reasons. The first is that the only biometric I recall giving when I applied for my passport is my photo and I wanted to know if my government could add other biometrics (iris scan, fingerprints) at a later date — either beknownst to me or surreptitiously at a border station. #tinfoilhat

Second, I wanted to know if foreign governments could add entry or exit or visa e-tags to my passport, especially when passing through automated gates.

RoboKaren
  • 16,010
  • 4
  • 44
  • 79
  • 2
    There is an ICAO standard which specifies the technical features of such passports. The answer is probably somewhere in there. – Nate Eldredge Sep 05 '18 at 01:13
  • Well, the data has to get onto them somehow... – PlasmaHH Sep 05 '18 at 09:22
  • 3
    Why would you need it read/write? All you need is the Passport Number and then the rest can be stored in government cloud servers. – Stewart Sep 05 '18 at 09:47
  • 6
    @Stewart There's a lot more than just passport number on those chips (they'd frankly be pretty pointless if that's all they stored). You can try it out using a NFC-capable phone. – Lightness Races in Orbit Sep 05 '18 at 10:46
  • 3
    Also lol at the notion of the government using the cloud to store immigration/citizen data. Perhaps you just meant "servers". – Lightness Races in Orbit Sep 05 '18 at 10:47
  • @LightnessRacesinOrbit OK, I meant in theory, technically that's all you need. If internet access goes down - or for speed - then storing other data is practical and useful. – Stewart Sep 05 '18 at 11:22
  • @Stewart These chips are for security. You cannot have that by storing just a passport number. Technically, in theory, whatever. It has nothing to do with internet access. Take a look at jpatokal's answer to see all the technical information involved with these chips. – Lightness Races in Orbit Sep 05 '18 at 11:27
  • @LightnessRacesinOrbit I see it. The private / public key-pair sounds more useful for data protection than security, so that (if the data was stored on a server) the border guard could only access data pertinent to the passport he/she is presented with. The biometric data - having that locally on the chip saves a heavy download, which is useful when processing 500 tired people getting off a flight. – Stewart Sep 05 '18 at 11:42
  • 1
    @Stewart I'd consider that part of (but not an exhaustive list of) the security features. – Lightness Races in Orbit Sep 05 '18 at 11:46
  • @LightnessRacesinOrbit Oh I see. I had considered security to be mainly about identification of the person holding the passport. The biometric data could be on a server. Having it locally on the chip is a convenience. Similar to an ATM card really - all you ultimately need is the account number; the server can verify the correct authority (ie PIN) – Stewart Sep 05 '18 at 11:50
  • 4
    @Stewart "which is useful when processing 500 tired people getting off a flight": many countries start processing passengers' data while the passengers are checking in, so it's not such an intensive process. "The biometric data could be on a server": government servers do not necessarily talk to each other. The country issuing a passport may keep the biometrics on its servers, but in most cases the country being entered will not have access to those servers. – phoog Sep 05 '18 at 16:20
  • @phoog Good point. There I was assuming NSA had everything backed up planetwide ;) – Stewart Sep 05 '18 at 20:50
  • 1
    @Stewart They might, but they aren't so likely to share that with, say, the immigration officers of Iran. – reirab Sep 06 '18 at 20:39
  • @reirab Wait; Iran has immigration officers? – Stewart Sep 07 '18 at 04:46
  • Perhaps this question would be better answered by security.stackexchange.com? – Ian Kemp Sep 07 '18 at 07:53
  • "The first is that the only biometric I recall giving when I applied for my passport is my photo" Oh? They wanted my fingerprints as well. Not that anyone in the country has the equipment to read those fingerprints in any meaningful manner at the moment, but they're definitely stored on that chip. – Mast Sep 07 '18 at 13:12

4 Answers

70

TL;DR: It's complicated, but for practical purposes, currently e-passports are read-only.

Long version: The specification for e-passports contains two types of data.


  1. Dedicated Files (DF) are writable and are meant for storing visas and various authorizations in the future. However, this is currently not used, and most e-passports out there don't even include this capability.

  2. What is in active use is the Logical Data Structure (LDS), which stores biometrics etc., and is by design read-only. Anybody with access to the key stored in the passport's machine-readable section (the swipable bit at the bottom) can read data from here, and the data is electronically signed, so anybody reading it can confirm that the contents have not been tampered with.

In practice, e-passports are implemented using EEPROM memory, which expands to the somewhat paradoxical Electrically Erasable Programmable Read-Only Memory. For practical purposes, these are read-only: a casual reader can't go in there and change or add anything.

The catch is that the EEPROMs are also by definition erasable, so the contents can be erased and rewritten from scratch. However, since EEPROMs can typically be locked/"frozen" to prevent any further changes, any attacker would need to work around this. What's more, since the LDS contents are digitally signed, if a malicious country or agent were to gain access and erase & rewrite them, they would also need to provide a new valid signature, which they can't do without the original issuer's private key. They could reprogram your Sylvanian passport's chip to return data signed by Borduria instead, but I presume this would be caught pretty easily, since it would now be out of sync with what the machine-readable stripe says. And this is also why the originating country is unlikely to change any data on the chip, even if they technically can, because it would now risk having the information physically printed on the passport be out of sync with the digital copy in it.

Some more reading on the topic: https://www.researchgate.net/publication/221406395/download (free PDF download)

Edit for clarity: I'm not claiming any of this makes e-passports secure or tamperproof. However, if the question is "are countries I visit recording things in my e-passport when I pass through immigration", the answer is pretty unequivocally "no".

lambshaanxy
  • 99,649
  • 41
  • 569
  • 806
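As an added illustration of the "key stored in the passport's machine-readable section" mentioned in the answer above (this is example code, not the answer author's and not from any passport project), the following derives the Basic Access Control (BAC) keys the way ICAO Doc 9303 describes: the document number, date of birth and expiry date from the MRZ, each with its check digit, are hashed with SHA-1 to get a key seed, and two 3DES keys are derived from it. The sample MRZ field values are the ones used in the Doc 9303 BAC worked example; knowing them lets a reader decrypt the public data groups, but it gives no way to forge the issuer's signature over them.

```python
import hashlib

def mrz_char_value(ch: str) -> int:
    """Doc 9303 character values: digits as-is, A..Z -> 10..35, filler '<' -> 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")

def mrz_check_digit(field: str) -> int:
    """Check digit over a field: weights 7, 3, 1 repeating, sum modulo 10."""
    weights = (7, 3, 1)
    total = sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return total % 10

def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """The 24-character 'MRZ information': each field followed by its check digit."""
    return "".join(f + str(mrz_check_digit(f)) for f in (doc_number, birth_date, expiry_date))

def bac_key_seed(doc_number: str, birth_date: str, expiry_date: str) -> bytes:
    """K_seed is the first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_number, birth_date, expiry_date).encode("ascii")
    return hashlib.sha1(info).digest()[:16]

def adjust_des_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        ones_in_upper_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | ((ones_in_upper_bits + 1) & 1))
    return bytes(out)

def derive_bac_keys(seed: bytes) -> tuple[bytes, bytes]:
    """Kenc uses counter 1, Kmac counter 2: SHA-1(seed || counter)[:16], parity-adjusted."""
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        keys.append(adjust_des_parity(digest[:16]))
    return keys[0], keys[1]

if __name__ == "__main__":
    # Sample MRZ fields from the Doc 9303 BAC worked example (9-char document number).
    seed = bac_key_seed("L898902C<", "690806", "940623")
    kenc, kmac = derive_bac_keys(seed)
    print("K_seed:", seed.hex().upper())
    print("K_enc: ", kenc.hex().upper())
    print("K_mac: ", kmac.hex().upper())
```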
5

Passports conforming to the ICAO doc 9303 specification use a smart card conforming to ISO 7816, which is very broadly speaking not just a storage device, but rather a miniature computer.

It is possible to restrict read or write access to parts of its storage to only properly authenticated entities.

Looking at the relevant part of the specification (parts 10 and 11 at the referenced ICAO site), there only seem to be commands relating to reading basic data, cryptographically authenticating the travel document or authenticating the reader to the document in order to access sensitive information like fingerprints.

Without any command to actually modify data on a smartcard, it wouldn't be possible to do so.

It is of course possible that the issuing country implements additional commands, for example for the purpose of correcting information after issuance. However, such commands, if they even exist, would very likely require authentication of the reader before any write or delete access to the storage would be granted.

Regarding your specific question about the issuing authority adding biometric data after issuance, this does seem to be allowed under the specification:

Only the issuing State or organization shall have write access to these Data Groups. Therefore, there are no interchange requirements and the methods to achieve write protection are not part of this specification.

As there is nothing in the specification regarding write access to the general writable area, it seems to be up to the issuing country to specify access privileges (for reading or writing) to these memory areas.

Theoretically, countries could agree on commands for accessing these optional storage areas outside of the ICAO specifications, of course, but I consider that quite unlikely:

If the intent is to exchange travel data, why not just exchange it out-of-band, for example through server-side systems communicating passport numbers? This seems much simpler and more effective.

lxgr
  • 208
  • 1
  • 4
  • 2
    Further, as far as I'm aware, while multiple countries have made possession of a biometric passport a condition of (easy) entry, none of them have required that it works. – origimbo Sep 05 '18 at 17:59
4

Just to answer the "tinfoil hat" aspect, a standard doesn't prevent a country from making passports and readers which implement features in addition to the standard.

So, a country could easily issue passports which e.g. record entries and exits or store recent photos taken by the border control of that country in your passport. Passports could also store information about border control in other countries, even if foreign border control equipment isn't actively writing to it (thanks @jcaron). This information could be read out when you return to your country, and be used to estimate how many countries you have visited during your trip. If those countries have accessed information which requires active authentication, it may also be possible to know which ones you have visited.

Dmitry Grigoryev
  • 10,060
  • 30
  • 58
  • And the information would be lost with the passport (if lost, destroyed...) whereas the information on the servers would remain. However, what they could probably do is make a note of accesses to the passport and read the information when you get back "home". Not sure if there's a way to detect which country is reading the passport? In that case they could know which countries you have visited (provided those countries actually used the RFID chip). – jcaron Sep 06 '18 at 08:32
  • 2
    @jcaron That's a possibility only when reading the EAC-protected fields (i.e. the "sensitive" ones like fingerprint or other biometrics). The "public" data is protected only by using the MRZ as a key (BAC), which does not allow identifying the reader. (Again, if the reader voluntarily discloses its identity, it is free to do that; but then it might just also report its identity and the passport number server-side to the issuing country.) – lxgr Sep 06 '18 at 12:44
  • 3
    @lxgr the issuing country may want to know where its citizens go without letting the visited countries know they record that. It is also easier to read a chip when it comes by than setting up interconnects between immigration services to transmit data back to the issuing country. – jcaron Sep 06 '18 at 13:10
-2

I am a firm proponent of the belief that the black-hats will always win. Hackers have eventually broken every known encryption and data protection protocol. The hope is that with anything that matters the white-hats can update and move ahead of the black-hats, but with a system as slow and expensive as international treaties and immigration control, it is unlikely that white-hats will always be ahead. Even the digitally signed portion of your data is more likely to be broken into eventually than not.

Passports last 10 years in the U.S. Imagine what computing and encryption looked like 10 years ago, how about 20 years ago when the standards lag starts taking effect? Given the other answers on this page, it's all read-write, or will be soon.

Sam
  • 229
  • 1
  • 6
  • 1
    I think you greatly underestimate how long encryption algorithms are used. AES was first published 20 years ago and was adopted by NIST 17 years ago. The Diffie-Hellman key exchange algorithm was published in 1976. Cryptographic algorithms are used for so many years that it's even common for processors to have built-in instructions specifically for accelerating a particular algorithm. – reirab Sep 06 '18 at 20:51
  • @reirab you have my full attention :-) Do you happen to be able to point at a specific (processor, algorithm, instruction set) triple? – Tobia Tesan Sep 06 '18 at 20:54
  • 2
    @reirab, How long did it take for the Blu-ray and HD-DVD keys to get out? – Sam Sep 06 '18 at 21:20
  • 1
    @TobiaTesan Wiki: AES instruction set. If you want a specific triple: (any Intel or AMD x86 processor with AES-NI, AES, AESENC) – reirab Sep 06 '18 at 21:55
  • 5
    @Sam Leaking a key and breaking an encryption algorithm are two very, very, very different things. – reirab Sep 06 '18 at 21:55
  • @TobiaTesan Wait, sorry, I missed the word 'set' in your comment. An example triple of what you asked for would be: (i5-7300U [really, practically any i3/i5/i7/i9 or Xeon CPU since around 2010], AES, x86-64 with AES-NI extension) – reirab Sep 06 '18 at 22:09
  • 3
    @reirab, I'm sorry I misspoke. – Sam Sep 06 '18 at 22:30