PARIS The Department of Homeland Security's first tests of electronic-passport interoperability exposed technology flaws, including myopic and dyslexic smart-card readers. Some readers could not detect the presence of e-passport chips, many could detect the chips but could not read them and others were befuddled about what information they were supposed to display.
On the other hand, in the absence of a private data encryption requirement under the proposed U.S. scheme, readers in one test were able to spy on and copy sensitive personal data from a distance of 30 feet. That has some security experts and privacy rights advocates calling for a rethinking of the planned system.
The results of last month's three-day testing event, held at National Biometric Security Project facilities in Morgantown, W.Va., sent vendors scrambling to tweak their products in time for the second round of interoperability testing, which began last week in Sydney, Australia. But most technology providers said the technical difficulties were an inevitability for first-generation products based on varying interpretations of the International Civil Aviation Organization's e-passport spec.
The tests did show that e-passports based on the ISO 14443 Type B contactless interface had more problems than those using the Type A interface. The ICAO spec provides for the use of either interface but mandates that readers support both types.
Joerg Borchert, vice president and head of secure mobile solutions for Infineon Technologies North America, compared the tests to the PC industry's plugfests. USB, Ethernet and Firewire, he noted, were "never that precise in the beginning, but interoperability testing helped work out the details."
But it was intrusion, not precision, that was on the minds of the security experts and privacy advocates who expressed alarm last week at the results of a National Institute of Standards and Technology trial at Morgantown. Using a reader equipped with an antenna, NIST testers were able to lift "an exact copy of digitally signed private data" from a contactless e-passport chip 30 feet away, said Neville Pattinson, director of business development technology and government affairs for smart-card provider Axalto Americas.
The basic ICAO spec, the basis for the U.S. approach, does not require personal-data encryption. "Unless the government reconsiders its current position and decides to add a security mechanism beyond the digital signature to its e-passport," said Pattinson, the system will be insecure.
ICAO, for its part, "needs to raise its bar and step up" its requirements, he said.
An ICAO spokesman said the organization specifies a contactless "proximity" chip that can be read only within a distance of a few inches. He said he didn't know which chips had been used in the tests but called it "extremely unlikely" that proximity chips could read information from more than 4 inches away.
A Homeland Security spokeswoman confirmed the tests had "demonstrated that if the readers are not designed with appropriate shielding, the data transmitted from the chip to the reader could be detected several feet away." But she said it would be "unrealistic, under most circumstances, that people would have this equipment nearby and be able to use it in a covert manner."
While ICAO's proposals do not mandate personal-data encryption or the inclusion of biometric ID data, the spec calls for digital signatures based on the public-key infrastructure. Further, the organization recommends the inclusion of biometric data, although it leaves implementation decisions to its 188 member nations.
Some European countries plan to require active authentication schemes on-chip. But the request for proposals issued by the U.S. Government Printing Office for electronic passports, which had a deadline of Aug. 12, sought no additional security measures.
Some vendors are moving on their own to enhance privacy protection. Infineon has modified the microcontroller portion of its e-passport chip to make it less vulnerable to reverse-engineering. Supply-current transients have also been modified, to foil efforts to deduce the instructions being executed.
"Our job is to build technology according to the government's request. Its implementation needs to be determined by policymakers," Infineon's Borchert said. Infineon's strategy appears to be to provide all of the necessary hardware and software for a secure system and let individual agencies choose whether to use them.
"At some point," however, "the vendors need to rein in the deepest wishes of government officials who are neither experts in privacy nor have a sufficient understanding of technology and law," cautioned Gus Hosein, a fellow at the London School of Economics and a senior fellow at Privacy International, an advocacy group. Close scrutiny, he said, will "identify the industry officials who are overpromising solutions."
"Confidential data has to be protected by the application layer with encryption, exactly as we do for a contact smart card," said Jean-Paul Caruano, contactless center manager for ID at the Security Business Unit of smart-card provider Gemplus. "Basic access control using secure messaging provides a way to do this, and this technique is described in the ICAO specifications."
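The Basic Access Control mechanism Caruano refers to derives the chip's session keys from the machine-readable zone printed inside the passport, so a reader has to have seen the open document before the chip will release data. The following is an added illustration of that key derivation as specified in ICAO Doc 9303, not code from the article or from any vendor quoted in it; the sample MRZ field values are constructed for the example.

```python
"""ICAO Doc 9303 Basic Access Control (BAC) key derivation.

Added example, not code from the article or its quoted vendors. A digital
signature over the data gives integrity and authenticity only; BAC adds an
access gate because its keys depend on the MRZ printed on the data page.
"""
import hashlib

# ICAO 9303 check digit: weights 7,3,1 repeating; digits as-is,
# letters A..Z map to 10..35, the filler '<' counts as 0.
def mrz_check_digit(field: str) -> str:
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            val = int(ch)
        elif ch == "<":
            val = 0
        else:
            val = ord(ch.upper()) - ord("A") + 10
        total += val * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Concatenate document number, birth date and expiry date, each with its check digit."""
    return "".join(f + mrz_check_digit(f) for f in (doc_number, birth_date, expiry_date))

def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES/3DES keys require."""
    out = bytearray()
    for b in key:
        high = b & 0xFE  # keep the seven data bits, recompute the parity bit
        out.append(high | (0 if bin(high).count("1") % 2 else 1))
    return bytes(out)

def derive_bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> tuple[bytes, bytes]:
    """Return (K_ENC, K_MAC) for 3DES secure messaging.

    K_seed = SHA-1(MRZ_information)[:16]; K_i = SHA-1(K_seed || counter)[:16]
    with parity adjustment, counter 1 for encryption and 2 for MAC.
    """
    info = mrz_information(doc_number, birth_date, expiry_date).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16]
        keys.append(adjust_des_parity(digest))
    return keys[0], keys[1]

if __name__ == "__main__":
    # Constructed sample MRZ fields: 9-char document number ('<' padded), YYMMDD dates.
    k_enc, k_mac = derive_bac_keys("L898902C<", "690806", "940623")
    print("K_ENC:", k_enc.hex(), " K_MAC:", k_mac.hex())
```

A reader that has not optically read the MRZ (or guessed it) cannot derive these keys and therefore cannot complete the mutual authentication that precedes any data read, which is the gap the unencrypted, signature-only profile leaves open.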
Michael Ganzera, marketing manager for e-government and smart identity products at Philips Semiconductors, said practical solutions to guard privacy are already available to the average citizen. If the ICAO's expanded privacy recommendations aren't implemented by the body that issued the passport, he said, "you can insert a piece of metal foil or put your passport in a metallized envelope to prevent [access]."
Americans may find that do-it-yourself solution compelling, since some privacy advocates fear the unprotected U.S. e-passport could broadcast its holder's national identity. "Criminals could use passport eavesdropping systems to figure out whom to rob," said Bruce Schneier, security technology expert and author of the books Secrets and Lies and Beyond Fear. It could also be used by terrorists "to figure out where the Americans are."
Questions about e-passport security extend beyond the passport and reader. "Today there are over 10,000 different birth documents accepted in the U.S. as sufficient proof of identity to obtain a passport. It is virtually impossible to authenticate documents from that many sources," said Barry Kefauver, former U.S. deputy assistant secretary of state for passport services and current technical working group chairman of ICAO.
Kefauver also speculated that at some point, the contactless chip and passport could be eliminated altogether. Instead, a person's biometric data would be measured at the point of contact and compared with information stored in a central database. That would shift the security concerns from the chip to the network.
Schneier agreed that the system "will require the creation of a huge back-end database . . . that will be vulnerable to attacks and abuses."
The e-passport backbone system would further require channels to move information to other countries for border-control verification. That foreshadows a globally distributed database of personal information, Hosein warned.
In January, when the United States began scanning foreign visitors and storing the data for a planned period of more than 50 years, many nations responded with alarm. Yet now some countries are following suit.
"We will soon see nations with appalling human rights records generating massive databases and then requiring our own fingerprints and face scans as we travel," predicted Hosein.
Additional reporting by Ron Wilson