Essay: ePassport Security
This essay was originally published in the February 2007 edition of the Global Intelligencer.
ePassport Security – is this an oxymoron?
Technology implementations and upgrades happen in all businesses and processes. Planning, testing, involving your customers and careful implementation can alleviate most but not all of the inconvenience caused by the differences and downtimes end-users experience through these changes. In my twenty-plus year career in the technology business, I have been apart of some excellent implementations. But I have seen some disasters as well.
I have also been traveling internationally for twenty-plus years, and am on my second
ePassport is the common name for the worldwide project where technology implementation meets international travel to provide more secure access for travelers. As some of the technology is not yet mature, ePassports have also generated concern about personal information, identity theft, and longer delays at immigration.
International travelers around the world should be aware of past and upcoming deadlines concerning ePassports. An ePassport (also called biometric passport) differs from previous passports in that it has an integrated computer chip that holds the same information printed on the passports data page, and in most cases contains additional biometric data, such as facial scans and fingerprinting. Before ePassports, passports had at most a magnetic strip that was scanned which contained some minor data such as name and passport number simply to ease the burden of typing in this information.
The U.S. Department of Homeland Security (DHS) says that as of October 26, 2006, any passport issued from a Visa Waiver Program (VWP) country must be an ePassport for VWP travelers to be eligible to enter the
In addition, the
Many security experts worldwide are recommending travelers apply for passports soon, before all new passports are ePassports. Bruce Schneier, Founder and CTO of Counterpane Internet Security and one of the leading authors and authorities on cryptography, is one such expert, writing in his recent blog:
In many countries, including the
ePassports utilized a technology called RFID (Radio Frequency Identification) which has been in use for many years. RFID is employed in tracking inventory in warehouses, preventing consumer goods from leaving stores without payment and other processes which require tracking items through short distance scanners. As it is a well-documented standard, it is also a target for hackers. In a presentation at last years’ DefCon security conference, Lukas Grunwald, who works for a German security company, not only discussed six different types of Generic RFID hacks but also demonstrated one of these for the audience with off-the-shelf equipment and open source software. Computer security experts have also demonstrated the ability to build a short-range RFID reader from off-the-shelf parts and software, and use it in brush-by readings, where the contents of an RFID object such as an ePassport can be read by simply walking close enough to the person carrying it. For an example of one of these and more information on building these scanners, see Adam Laurie’s excellent site RFIDiot (http://www.rfidiot.org).
Some of the ePassport implementations are protected with a security key (think password or passphrase). But, because the information in the ePassport must be conveniently read by scanners all over the world, many of the security keys are derived from the visible data on the passport. This makes the readers work, but it also makes cracking the key a simple matter of scanning the data and using enough computer horsepower to determine the code from that data.
These implementations are certainly not without controversy and implementation issues.
In a report released this month (February 2007) from the
The U.K. NAO report also questioned the efficiency of the RFID readers, stating that the guaranteed read time is eight seconds. Though these readers are not yet fully deployed, it brings response time concerns to airport officials already dealing with long security lines.
For cost purposes, memory size in the chips was sacrificed in some implementations. This implies that only a small amount of biometric data can be placed on the current ePassport. It further implies that a technology upgrade (i.e., exchanging your ePassport for a newer model) will be required to fully implement the amount of biometric data (facial scans, all ten fingerprints) that some governments desire.
ePassports also raise additional personal privacy concerns for people who wonder what is contained on the chip inside the ePassport. With previous passports the holder’s information was visible (with the exception of information contained on a magnetic strip). To ease this concern, some countries (
In addition to Mr. Schneier’s blog and newsletter and Mr. Laurie’s website noted above, the following links lead to information about the new ePassports:
- International Civil Aviation Organization, the body that sets international standards for machine readable travel documents (MRTDs);
- U.S. Department of Homeland Security details on Visa Waiver Program passport requirements;
- UK Passport Service information page on http://www.passport.gov.uk/general_biometrics.asp