Is the RFID chip in e-passports read-only or is it read-write?

If it's read-only, is all of the data locked-down when the passport is issued? Is the read-only portion extensible so that additional data can be burned on later?

If it's read-write, can passport control in any country we pass through enter or change data in the passport? For example, to record entries and departures?

Update: I ask for two reasons. The first is that the only biometric I recall giving when I applied for my passport is my photo and I wanted to know if my government could add other biometrics (iris scan, fingerprints) at a later date — either beknownst to me or surreptitiously at a border station. #tinfoilhat

Second, I wanted to know if foreign governments could add entry or exit or visa e-tags to my passport, especially when passing through automated gates.



Best Answer

Passports conforming to the ICAO doc 9303 specification use a smart card conforming to ISO 7816, which is very broadly speaking not just a storage device, but rather a miniature computer.

It is possible to restrict read or write access to parts of its storage to only properly authenticated entities.

Looking at the relevant part of the specification (parts 10 and 11 at the referenced ICAO site), there only seem to be commands relating to reading basic data, cryptographically authenticating the travel document or authenticating the reader to the document in order to access sensitive information like fingerprints.

Without any command to actually modify data on a smartcard, it wouldn't be possible to do so.

It is of course possible that the issuing country implements additional commands, for example for the purpose of correcting information after issuance. However, such commands, if they even exist, would very likely require authentication of the reader before any write or delete access to the storage would be granted.

Regarding your specific question about the issuing authority adding biometric data after issuance, this does seem to be allowed under the specification:

"Only the issuing State or organization shall have write access to these Data Groups. Therefore, there are no interchange requirements and the methods to achieve write protection are not part of this specification."

As there is nothing in the specification regarding write access to the general writable area, it seems to be up to the issuing country to specify access privileges (for reading or writing) to these memory areas.

Theoretically, countries could agree on commands for accessing these optional storage areas outside of the ICAO specifications, of course, but I consider that quite unlikely:

If the intent is to exchange travel data, why not just exchange it out-of-band, for example through server-side systems communicating passport numbers? This seems much simpler and more effective.
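The answer's point that the chip only does what its command set allows can be checked against a reader trace. The following is an added example, not part of the original answer or of any passport vendor's code: it parses short ISO 7816-4 command APDUs and flags any instruction outside a read/authentication set. The grouping of INS bytes, the function names and the sample trace are assumptions made for illustration.

```python
# Added example: classify short-form ISO 7816-4 command APDUs from a reader trace.
# INS values are the standard ISO 7816-4 ones; which of them a particular chip
# accepts is decided by the chip, so this grouping is an assumption.
READ_AUTH = {0xA4: "SELECT", 0xB0: "READ BINARY", 0x84: "GET CHALLENGE",
             0x82: "EXTERNAL AUTHENTICATE", 0x88: "INTERNAL AUTHENTICATE",
             0x22: "MANAGE SECURITY ENVIRONMENT", 0x86: "GENERAL AUTHENTICATE"}
WRITE_CLASS = {0xD0: "WRITE BINARY", 0xD6: "UPDATE BINARY", 0x0E: "ERASE BINARY",
               0xD2: "WRITE RECORD", 0xDC: "UPDATE RECORD", 0xE2: "APPEND RECORD",
               0xDA: "PUT DATA"}
# Elementary file IDs in the ICAO LDS application (subset).
LDS_FILES = {0x011E: "EF.COM", 0x011D: "EF.SOD", 0x0101: "DG1 (MRZ)",
             0x0102: "DG2 (face)", 0x0103: "DG3 (fingerprints)", 0x0104: "DG4 (iris)"}

def parse_apdu(hexstr):
    """Split a short-form command APDU into header fields and command data."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("APDU header needs 4 bytes")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 5:                       # Lc, data and an optional Le byte
        lc = raw[4]
        data = raw[5:5 + lc]
        if len(data) != lc:
            raise ValueError("Lc does not match data length")
    return cla, ins, p1, p2, data

def classify(hexstr):
    """Return (category, command name, selected LDS file or None)."""
    _cla, ins, p1, _p2, data = parse_apdu(hexstr)
    if ins in WRITE_CLASS:
        return ("write", WRITE_CLASS[ins], None)
    if ins not in READ_AUTH:
        return ("unknown", f"INS 0x{ins:02X}", None)
    target = None
    if ins == 0xA4 and p1 == 0x02 and len(data) == 2:    # SELECT by file ID
        target = LDS_FILES.get(int.from_bytes(data, "big"), "unlisted EF")
    return ("read/auth", READ_AUTH[ins], target)

def audit(trace):
    """List (index, category, name) for each command outside the read/auth set."""
    return [(i, c[0], c[1]) for i, c in enumerate(map(classify, trace))
            if c[0] != "read/auth"]

# Constructed trace, not captured from a real document. The last entry is a
# made-up UPDATE BINARY included only so the audit has something to flag.
TRACE = ["00A4040C07A0000002471001", "0084000008", "00A4020C020101",
         "00B0000004", "00A4020C020103", "00D6000002CAFE"]

if __name__ == "__main__":
    print(audit(TRACE))
```

The INS byte stays in the clear under secure messaging, so the same check works on protected sessions even though the command data is encrypted.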




What device information from the chip in an electronic passport?

An e-passport is a biometric identification card that comes embedded with an electronic chip that holds the same information as printed on the passport's data page such as the holder's name, date of birth, and other details. The biometric data of an individual is also saved in the chip.

What is RFID passport?

Since August 2007, all U.S. passports have come embedded with an RFID chip, intended to deter fraud and improve security. The chip contains the same information as on the passport's picture page, including a digital version of your passport photograph. (You can still use a pre-2007 passport that doesn't contain a chip.)

Are US passports biometric or machine readable?

As of August 2007, all passports issued by the Government Publishing Office for the United States Department of State are biometric passports.



More answers regarding is the RFID chip in e-passports read-only or is it read-write?

Answer 2

Just to answer the "tinfoil hat" aspect, a standard doesn't prevent a country from making passports and readers which implement features in addition to the standard.

So, a country could easily issue passports which e.g. record entries and exits or store recent photos taken by the border control of that country in your passport. Passports could also store information about border control in other countries, even if foreign border control equipment isn't actively writing to it (thanks @jcaron). This information could be read out when you return to your country, and be used to estimate how many countries you have visited during your trip. If those countries have accessed information which requires active authentication, it may also be possible to know which ones you have visited.

Answer 3

I am a firm proponent of the belief that the black-hats will always win. Hackers have eventually broken every known encryption and data protection protocol. The hope is that with anything that matters the white-hats can update and move ahead of the black-hats, but with a system as slow and expensive as international treaties and immigration control, it is unlikely that white-hats will always be ahead. Even the digitally signed portion of your data is more likely to be broken into eventually than not.

Passports last 10 years in the U.S. Imagine what computing and encryption looked like 10 years ago, how about 20 years ago when the standards lag starts taking effect? Given the other answers on this page, it's all read-write, or will be soon.

Sources: Stack Exchange - This article follows the attribution requirements of Stack Exchange and is licensed under CC BY-SA 3.0.