The U.S. Government has been pushing what they consider a better passport since August 2007. It contains a contactless smart card in the back cover that contains the same data about you as what is printed in the passport itself. The idea is that this is supposed to make passport forgery impossible for the evil-doers of the world. The official website lists off several potential attacks which the cards are supposedly protected against including skimming, eavesdropping, tracking, and cloning.
Which all sounds really good except that since the cards were introduced a number of hackers and researches have demonstrated that almost of the protections in place can be successfully attacked and compromised with very minimal resources. The Wikipedia entry for biometric passports has the details and links about the attacks if you’re interested. It doesn’t help that not all of the security measures are mandated with things such as Active Authentication and Extended Access Control being optional.
In short, cloning data on a passport is not difficult at all nor is burning it to a blank passport, something that was done back in 2006 before they were even being issued regularly. More difficult is modifying the data as there is a cryptographic hash used to verify the data, but that relies on the scanner reading the passport making use of it (not all do).
You’d think, given all of the above, that the government would at least take steps to make sure the chips aren’t compromised before they’re ever issued. Perhaps, say, ensuring that they’re produced in a highly secure facility someplace within the United States?
Don’t be silly. The chips are currently being made in Thailand and have been for years:
Security of U.S. Passports Called Into Question – ABC News
The U.S. government agency that prints passports has for years failed to resolve persistent concerns about the security risks involved in outsourcing production to foreign factories, a joint investigation by ABC News and the Center for Public Integrity has found.
“On a number of levels this is extremely troubling,” said Clark Kent Ervin, a former inspector general at the Department of Homeland Security . “Something like that ought to be produced only in the United States, under only the most rigorous security standards.” A report on the outsourcing of U.S. passports to high-risk countries can be seen on World News with Diane Sawyer tonight.
Despite repeated assurances they would move production to the U.S., a key government contractor has continued to assemble an electronic component of the nation’s new, more sophisticated passport in Thailand.
The factory is near the same Bangkok suburb where a notorious terrorist extremist was captured in 2003. There have been bursts of violence in the industrial city, Ayutthaya, as recently as last month.
Both the inspector general at the Government Printing Office and the agency’s own security chief have warned specifically against producing the computer chip assembly in the Thai facility. One internal report obtained by ABC News and the Center for Public Integrity warned of a “potential long term risk to the [U.S. government’s] interests.”
All this bullshit talk by the Powers That Be about making things More Secure™ and not only are the chips being used easily cloned for a couple hundred bucks, but the factory that’s producing them is in an unstable area of a foreign country where terrorists are known to operate. The reason this is such a concern is because the U.S. Government, in its infinite wisdom, has made owning one of their fancy e-passports a shortcut past some of the more stringent security procedures — one official describes it as an EZ-pass — that would otherwise apply to people entering the United States.
Oh, but that’s not the best part. No, the cherry-on-top that I just know you’re going to love is the fact that there is absolutely nothing in place to make sure blanks don’t fall into bad guy’s hands:
GPO’s inspector general has warned that the agency lacks even the most basic security plan for ensuring that blank e-Passports — and their highly sought technologies – aren’t stolen by terrorists, foreign spies, counterfeiters and other bad actors as they wind through an unwieldy manufacturing process that spans the globe and includes 60 different suppliers.
This disturbs Rep. John D. Dingell, D.-Mich., who wrote letters to the agency two years ago raising questions about passport production.
“Regrettably, since then, our fears have been realized because the inspector general and other people in charge of security at the government printing office have pointed out that the security is not there,” Dingell told ABC News. “There is no real assurance that the e-passports are safe or secure or are not in danger of being counterfeited or corrupted or used for some nefarious purposes by terrorists or others.”
Feel safer yet? Oh, and there are stolen blanks out there from several different countries including a big heist of U.K. blanks in 2008.
Supposedly, most of the production of the chip has already been moved out of Thailand and officials are pledging to have the last bits moved out by the end of July. Also, as far as anyone is aware, no one has successfully made a forgery of a biometric passport using cloned data and a stolen blank chip. Given the number of vulnerabilities that have already been demonstrated it’s probably only a matter of time before someone figures out how to clone and modify a passport that’ll pass as real.
Sadly, all of the concerns and problems with this system were known by the U.S. back in 2004 having been raised by numerous security and privacy experts. Rather than take the time to address the issues raised they decided to just ignore them instead and pressure everyone else to adopt our flawed standard. That is, after all, the American way.