ICAO denies alleged privacy flaw in biometric passports

A group of researchers from the University of Luxembourg may have detected a critical security flaw in the International Civil Aviation Organization (ICAO) 9303 security standard that identifies travelers by scanning the chip embedded in biometric passports, the team announced at the European Symposium on Research in Computer Security (ESORICS) in Vienna, Austria this week. The ICAO, however, denies the vulnerability is present in the specification’s current version.

The standard was first integrated in biometric passports in 2004, yet the privacy flaw was only recently discovered. The security standard was originally meant to safeguard privacy and unlinkability, which means a hacker cannot make the connection between two related elements.

Dr. Ross Horne, Professor Sjouke Mauw, PhD candidate Zach Smith and Master’s student Ihor Filimonov uncovered a vulnerability that lets unauthorized scanning equipment gain access to biometric passport information.

“With the right device, you can scan passports in close vicinity and reidentify previously observed passport holders, keeping track of their movements,” Horne explains. “Thus, passport holders are not protected against having their movements traced by an unauthorized observer.”

This tactic has some limits. It does not give access to all critical passport information, such as the biometric details stored in the chip, but it still compromises the privacy of the passport holder and exposes that individual to further attacks.

“As most passports today use the same standard, this security flaw potentially has global impact,” continues Horne.

This security breach would be in clear violation of the EU’s GDPR legislation, which compels organizations and governments in Europe to safeguard user data, documents, and online privacy.

The results are presented in detail in the study “Breaking Unlinkability of the ICAO 9303 Standard for e-Passports Using Bisimilarity.” The paper also contains strategies and recommendations for biometric passport manufacturers to improve privacy protection.

The ICAO, however, says that its experts, along with those from ISO, have found in their initial analysis that the issue does not relate to the newest Doc 9303 specifications, which incorporate the PACE protocol as a more secure alternative to the BAC protocol, a representative told Biometric Update in an email. The concern is also considered more a matter of the verification system used than of the documents or their security measures, according to the ICAO’s William Raillant-Clark.

“It’s also important to consider here that the described issue, which could be exploited for example at border controls or at other inspection system areas, would only allow adversaries to be able to know that somebody recently passed through a passport check – and even without opening their ePassport. The personal data stored in the contactless chip, however, would not be disclosed.”

A report from Future Market Insights (FMI) predicted earlier this year that the number of ePassports with integrated biometric technology will grow by 18 percent in 2019 from nearly 264,000 last year.

In August, Thailand’s Ministry of Foreign Affairs (MOFA) awarded a contract for the supply of 15 million biometric passports over the next seven years to a consortium including Gemalto.

This article was edited at 3:01 Eastern on September 26 to include the response from the ICAO.
