ICAO denies alleged privacy flaw in biometric passports
A group of researchers from the University of Luxemburg may have detected a critical security flaw in the International Civil Aviation Organization (ICAO) 9303 security standard that identifies travelers by scanning the chip implemented in biometric passports, the team announced at the European Symposium on Research in Computer Security (ESORICS) in Vienna, Austria this week. The ICAO, however, denies the vulnerability is present in the specification’s current version.
The standard was first integrated in biometric passports in 2004, yet the privacy flaw was recently discovered. Initially, the security standard was meant to safeguard privacy and unlinkability, which means a hacker can not make the connection between two related elements.
Dr. Ross Horne, Professor Sjouke Mauw, PhD candidate Zach Smith and Master’s student Ihor Filimonov uncovered a vulnerability that lets non-authorized device scanning equipment gain access to biometric passport information.
“With the right device, you can scan passports in close vicinity and reidentify previously observed passport holders, keeping track of their movements,” Horne explains. “Thus, passport holders are not protected against having their movements traced by an unauthorized observer.”
This tactic has some limits. It does not have access to all passport critical information such as biometric details stored in the chip, but it still compromises the privacy of the passport holder and exposes that individual to further attacks.
“As most passports today use the same standard, this security flaw potentially has global impact,” continues Horne.
This security breach would be in clear violation of EU’s GDPR legislation that compels organizations and governments in Europe to safeguard user data, documents, and online privacy.
The results are presented in detail in the study “Breaking Unlinkability of the ICAO 9303 Standard for e-Passports Using Bisimilarity.” The paper also contains strategies and recommendations for biometric passport-manufacturers to improve privacy protection.
The ICAO, however, says that its experts, along with those from ISO, have found based on their initial analysis that the issue does not relate to the newest Doc 9303 specifications, which incorporate the PACE protocol as a more secure alternative to the BAC protocol, a representative told Biometric Update in an email. The concern is also considered more a matter of the verification system used, rather than the documents or their security measures, according to the the ICAO’s William Raillant-Clark.
“It’s also important to consider here that the described issue, which could be exploited for example at border controls or at other inspection system areas, would only allow adversaries to be able to know that somebody recently passed through a passport check – and even without opening their ePassport. The personal data stored in the contactless chip, however, would not be disclosed.”
A report from Future Market Insights (FMI) predicted earlier this year that the number of ePassports with integrated biometric technology will grow by 18 percent in 2019 from nearly 264,000 last year.
In August, Thailand’s Ministry of Foreign Affairs (MOFA) has awarded a contract for the supply of 15 million biometric passports over the next seven years to a consortium including Gemalto.
This article was edited at 3:01 Eastern on September 26 to include the response from the ICAO.