Elvis died in 1977. But that didn’t prevent hackers from inserting his digital photo into a U.K. passport, and using it at a self-service passport machine at Amsterdam's Schiphol airport to gain clearance to board a plane.
This incident occurred in September 2008. But this security vulnerability persists, as proven by the recent assassination of Mahmoud al-Mabhouh, a senior Hamas operative, in a Dubai hotel on January 20.
The alleged killers of Mr Mabhouh included 11 people holding U.K. and other European passports. All of the killers used passports containing fake photographs and signatures.
Naturally, this wasn't supposed to happen. When governments began issuing digitally encoded passports a few years ago, it was supposed to improve border security. For instance, Maura Harty, former U.S. assistant secretary of state for consular affairs, told a Congressional hearing in 2004:
"Embedding biometrics into U.S. passports to establish a clear link between the person issued the passport and the user is an important step forward in the international effort to strengthen border security."
Only, the technology doesn't work. Indeed, the "ultra-secure" RFID chips digital passports contain can be cloned with about $100 worth of off-the-shelf electronic equipment. As a result, we have teams of assassins and who-knows-who-else roaming the world with digitally modified passports. Indeed, digital passports actually are far less secure than their predecessors.
The reason is that digital passports—and indeed digital data in general—suffers from an inherent security flaw. If you take a non-digital passport and try to modify it physically, it's very hard to do so without leaving some evidence of what you've done. There might be smudges, ink marks, or microscopic impressions of a razor blade used to cut out an old photo and insert a new one. But with our new "ultra-secure" digital passports, if you figure out how to change the data on the RFID chip, the earlier data vanishes. There's absolutely no trace of the tampering.
Now of course, encryption is supposed to protect us from this type of tampering. But even before governments issued the first digital passports, hackers cracked the encryption codes. Indeed, as far back as 2006, hackers demonstrated how a simple microchip reader purchased off the Internet could clone all the information in a U.K. passport's "ultra-secure" RFID chip.
Surely, the governments that assured us that RFID passports represented a huge security advance knew the risks of relying on digital technology. The only possible conclusion was that they had a hidden agenda for introducing them—an agenda having nothing to do with security.
What was that agenda? I believe it is to create a "global travel database." The purpose of the database is to create a "lifetime personal travel history" of anyone who holds a passport. Your photograph, your fingerprints, and details of each entry, exit or transit will be part of your dossier in a “biographic and biometric travel history database.” This data can be shared with anyone your government chooses. Potentially, it could be shared with any of the 150 countries that have introduced, or have promised to introduce, RFID-equipped passports.
The blueprint for this system comes from the International Civil Aviation Organization (ICAO), which has issued a series of "best practice" standards for biometric passports. One standard reserves memory space on the RFID chip to create a log of border crossings or other situations in which the chip is queried. Presumably, this data could be read—and potentially modified—by anyone with a passport reader and the appropriate software. The result would be a permanent log of the date, time, and place of your international departures and arrivals, the hotels you stayed in, etc.
Doesn't that make you feel safer?
Copyright © 2010 by Mark Nestmann
What good would it be as a "global travel database" if someone can easily change the data on the RFID chip. The authorities could never really trust the data accumulated on the passport.
Steve H
Posted by: Steve Head | March 03, 2010 at 09:19 PM
Good point, but I think governments will increase the security on this to keep the average person from modifying the chip, and make it so that only organized crime and intelligence agencies that devote a lot of energy and resources to cracking the chip will be able to get in. In the meantime, the global travel database will be created.
Posted by: Mark Nestmann | March 04, 2010 at 02:11 PM
How many countries currently exchange minor criminal records? Am most curious as to which records are shared with the USA.
In a lifetime it's hard to avoid having at least a minor infraction. I know that the USA shares DUI/DWI information with Canada and that Canada will refuse entry. Even if for example you simply refused to take a breathalyzer test in the USA. I forget the length of the ban to enter Canada.
Does anyone know the status of criminal records sharing or fingerprint database sharing across country borders?
Posted by: Anonymous | March 04, 2010 at 09:27 PM
They can modify the photo on the RFID chip, but what about the physical photo on the info page?
Posted by: Marquelle | March 05, 2010 at 12:25 AM
Marquelle,
In the Elvis impersonation, the actual physical photo wasn't modified, just the digital representation in the RFID chip. But the hackers succeeded in obtaining a boarding pass anyway, because the passport reader just read the information on the chip. The assassination team that targeted Mahmoud al-Mabhouh carried passports with both the digital and physical photographs faked, along with a fake signature.
Posted by: Mark Nestmann | March 05, 2010 at 01:34 PM
Is there a penalty for "wasting" the chip in a US passport.
I mean if the chip was microwaved and made unsuable, is there a penalty?
I got new passport last year and it has one of those dammed chips.
I really don't want to monitored and marked like this.
Posted by: russ | March 06, 2010 at 03:45 PM
Yes, Title 18, Section 1543 of the U.S. Code provides for a 25 year prison sentence for "Whoever falsely makes, forges, counterfeits, mutilates, or alters any passport or instrument purporting to be a passport, with intent that the same may be used."
Posted by: Mark Nestmann | March 08, 2010 at 11:23 AM
Using technology for the wrong purposes surely is very disastrous.
Posted by: Cheap Computers Canada | April 13, 2010 at 01:45 AM