Although the researchers stipulate the flaw does not allow for the compromising of biometric data, it could leave passport holders vulnerable to having their movements traced.
Researchers at the University of Luxembourg have discovered a privacy flaw in biometric passports which could leave their holders vulnerable to attacks.
According to Dr Ross Horne, one of the researchers, “With the right device, you can scan passports in close vicinity and reidentify previously observed passport holders, keeping track of their movements. Thus, passport holders are not protected against having their movements traced by an unauthorised observer.”
Although these passports could be traced, “the flaw does not allow attackers to read all information from a given passport or to compromise biometric information stored in a chip inside the passport,” according to the Uni communiqué.
Horne stated the flaw “potentially has global impact”, with the Uni adding: “Governments have the responsibility to protect individual privacy and to ensure that official documents are bulletproof against such attacks.”
ICAO, Uni researchers respond
According to William Raillant-Clark, communications officer, office of the secretary general of the ICAO, who reached out to Delano in response:
"ICAO and ISO experts have thoroughly reviewed this research and their initial analysis is that it is not linked to Doc 9303 specifications in their current version. This is especially the case given that the newest Doc 9303 specifications incorporate the PACE protocol, which is considered a more secure alternative to the BAC protocol.”
The research unit in charge of the study at the University partially disagrees with this response, saying:
“The attack is valid for the current ICAO 9303 specification (7th edition published in 2015). Firstly, ICAO include both the old BAC and new PACE protocols in their current specification. Secondly, even if a passport responds to the new PACE protocol, they tend to also respond to the old BAC protocol. Thirdly, we agree that the PACE protocol does address known security concerns with the BAC protocol, reducing significantly the risk of personal data inside e-passports being read. However, PACE has not been shown to address the unlinkability concern highlighted by this research at University of Luxembourg.”
Raillant-Clark of the ICAO added:
“Additionally, the concerns being expressed are seen as pertaining more to the verification systems used to read ePassport data, rather than the documents themselves or their self-contained security measures.
"It’s also important to consider here that the described issue, which could be exploited for example at border controls or at other inspection system areas, would only allow adversaries to be able to know that somebody recently passed through a passport check-- and even without opening their ePassport. The personal data stored in the contactless chip, however, would not be disclosed.”
The university research unit agrees with the additional statements, but added: “a possible course of action is to recommend that manufacturers of e-passport readers ensure they have checked that the privacy risk highlighted by this research is mitigated. We do not suggest that mechanisms inside the e-passports themselves should be modified in response to this concern, only that e-passport readers should be checked.”
While the research unit agrees that since personal data in the chip is protected, a potential attack is not a security concern and emphasises that privacy and security concerns are not one in the same. It adds, “although the attack is a privacy concern, [it] is of limited scope”, adding that it agreed with the ICAO’s explanation about “allow[ing] adversaries to be able to know that somebody recently passed through a passport check--and even without opening their e-passport.”
Updated on 26 September with response from the ICAO.
Updated on 1 October with additional comments from the research unit at the University of Luxembourg.