According to the Department of State, around 42 percent of all U.S. citizens—roughly 136 million people—hold a valid U.S. passport. If you’re one of them, congratulations! It’s a truly amazing document capable of opening the door to travel and adventure in foreign lands. Despite the safe passage to life-changing excursions (as well as soul-crushing business travel) that your passport provides, how much do you really know about it?
By the time you finish reading this, your answer will be “a lot.”
To get the skinny on how U.S. passports are made and secured, we recently spoke with representatives from the U.S. Department of State, the International Civilian Aviation Organization (ICAO), and a hacker who specializes in bypassing the security of radio frequency devices.
Brenda Sprague is the U.S. Department of State’s assistant secretary for Passport Services. She oversees a network of 28 agencies and centers that are responsible for the acceptance, adjudication, and issuance of U.S. passports.
Michael Holly is the director of International Affairs Staff at the U.S. Department of State and chairs the International Civilian Aviation Organization’s (ICAO) Machine Readable Travel Document Working Group—an agency of the United Nations set up to administrate the working agreements and guidelines surrounding air travel and travel documents for 192 participating countries.
And then there’s the man known only as Tinker. He’s a member of the Dallas Hacker’s Association. When he and his pals aren’t busy figuring out new ways to ethically mess with our digital world, he spends his days working as a professional penetration tester: a job that sees him hacking into computers and breaking into buildings by reading and cloning radio frequency identification (RFID) building-access badges.
Let’s get started!
Who’s responsible for making U.S. passports?
There are two entities responsible for creating passport books. The first is the U.S. Government Publishing Office (GPO), which assembles the passport books, using the various components that go into them. Once the books are published, the U.S. Department of State is responsible for personalizing the books to be used by U.S. citizens by adding their personal data to its pages and RFID chip.
Where are passports made?
Many places. In 2008, the Washington Times ran a series of stories that claimed that the U.S. government was outsourcing the manufacturing of passports to companies in foreign countries. In one instance, one of the contractors, located in Thailand, was said have been infiltrated by Chinese Intelligence. The story led some conspiracy theorists to suggest that the Chinese government is somehow tracking U.S. travelers or stealing their data. According to Michael Holly, there’s a grain of truth to this.
“The story regarding Thailand revolved around the electronic inlay that we used back in 2004 and 2005,” says Holly. “Smartrac was the entity that was producing the inlay for us at that time.” In response to the issue, explains Holly, the U.S. Department of State and the GPO have moved to ensure that the majority of the components that go into a passport are manufactured on U.S. soil. In the time since the Washington Times story dropped, almost all of the vendors contracted by the GPO to put the books together have set up shop in the United States. Those that haven’t are in allied nations.
And before you ask, no, the Chinese government isn’t tracking your every move through the paper in your passport book.
“The passport page is and has always been done by the Crane Paper Company,” Sprague adds. “I believe they manufacture it in Massachusetts. There are other components to the passport, all of which are manufactured in the United States, with the exception of some inks and foil and some threads that are made either in the U.K. or Australia. But if you were talking about domestic content on a U.S. passport, I would guess that it’s well over 98 percent.”
Open your passport book up to the data page with your photo on it. See the information there? According to Sprague, this same information is what’s stored on a passport book’s RFID chip. You’ll also find that the chip contains biometric information of the passport’s owner and a cryptographic signature that permits border officials from the Department of Homeland Security to verify that the passport hasn’t been tampered with or altered in any way. That’s it.
How is the information stored on a passport’s RFID chip secured?
We just discussed the cryptographic signature stored in your passport’s RFID chip, so let’s start there. The ability to read this signature and unlock the information on the chip is complex and, for obvious reasons, well guarded by the Department of State. But it’s not dissimilar to the security used to keep the contents of your bank account safe.
“Basic access control is similar to what you get with an ATM machine,” explains Holly. “You put in your card, then you put in your PIN number, and only then will you start to get money. Basic access control requires the passport to be open and the machine readable zone to be read. From that machine readable zone, a PIN number is derived and only then does the chip release the information to the reader. That information is encrypted. We also use random user identification (RUID) in order to prevent tracking. When a chip is queried by the reader, the first thing that is provided is the chip’s serial number. In our case, each and every time the chip is queried, a different identification number is provided.”
Are U.S. Customs & Border Patrol agents the only ones who can read this information?
Nope. The U.S. Department of State’s public key infrastructure is shared with 52 other nations so that they can verify, when a passport is used at their borders, that the information on the chip has not been altered in any way.
Can hackers read the information broadcast by a passport’s RFID chip?
According to Holly and Sprague, in order for a passport’s RFID chip to be read, it needs to be within six inches of an RF reader. Thanks to a special piece of security tape buried in the cover of your passport, the data on the chip cannot be read when the passport book is closed. This makes it almost impossible for anyone to hack your passport’s RFID chip as you wander around an airport or travel destination.
In theory. According to our hacker pal, Tinker, RFIDs are fairly easy to read.
“Most off-the-shelf technology allows a person to read [an RFID chip] as long as they’re within a couple of feet to a couple of inches,” Tinker explains. “This length depends on the antenna and power supply.” Tinker admitted that he’s seen skilled individuals prove that they can read an RFID chip from up to several feet away. But the hardware needed to do so isn’t very portable. That makes it less than ideal for clandestinely reading someone’s passport data. Should someone manage to read the chip, there’s not much information there for them to see. The only thing that someone snooping out your RFID chip would be able to see is the ever-shifting cryptographic signature that Michael Holly mentioned.
Tinker was quick to add that there’s a very slim chance that the information required to read the cryptographic signature could be floating around the Internet. He’s not aware of any public data dumps that contain such information, but he admits that he hasn’t seen any of the data that was stolen as part of a U.S. government data breach in 2016 in a cyber attack on the Office of Personnel Management. The data needed to read some passports could, hypothetically, be in there.
But honestly, having data stolen from your passport isn’t something you need to worry about.
Can a passport chip be used to track people?
Yes, but according to Tinker, it’s not easy or worthwhile.
“If you walk around with your passport open,” explains Tinker, “folks can still read your [passport] number easily. They may not have any other info, but they can tie that number to you. At that point, they can track your movements in physical space if they have multiple RFID readers set up in an area.”
As Tinker mentioned earlier, setting up such RFID readers is cumbersome. Many retail outlets use a similar technique to track the Bluetooth and cellular signals broadcast by their customers’ cell phones to track where they wander inside of a store and what they stop to look at. Using this technique on a larger scale, in the case of tracking someone’s passport, would be a logistical nightmare.
If you want something to be paranoid about, fret over your smartphone—it’s far easier to track than a passport will ever be.
Given that the only people who can read what’s on your passport book’s chip are border officials with the right cryptographic credentials, there’s no compelling reason to buy a RFID signal-blocking sleeve, also known as a Faraday sleeve, for your passport. That said, a Faraday sleeve is cheap and a great way to help protect your passport from physical damage as it bumps around in your carry-on bag.
Passport cards are another story altogether. They’re designed to make the re-entry of an U.S. citizen to the United States a speedy process. They can be read from upwards of 25 feet away by an RF receiver. Because the security risk is greater, the Department of State doesn’t place as much data on these cards as they do in a passport book; the only thing on the card is a unique identifying number. Additionally, when a new passport card is sent to its recipient, it ships with its own Faraday sleeve. Despite how little information the cards contain, it’s a good practice to only take the card out of its sleeve when presenting it to border officials. If you’ve lost your sleeve, you’ll want to buy a new one, right away.
What happens when a passport gets lost or stolen?
Did you lose your passport? You’re not alone. Close 350,000 U.S. passports are lost or revoked, every year.
When a passport is reported lost or stolen, the Department of State notifies the Department of Homeland Security. DHS provides them with the passport’s number and the day of issue. This information is also fired off to INTERPOL to include in its Stolen or Lost Travel Document Database, as well as the Asia-Pacific Economic Cooperative’s Regional Movement Alert System. Doing so, according to Michael Holly, is the State Department’s best bet for keeping the passport from being used for anything nefarious.
“A point that travelers should know is, once you have reported your book stolen, there’s no going back. It’s dead to you. You will have to get a new book,” adds Sprague. If your passport and you do part ways while you’re outside of U.S. territory, it doesn’t mean that your travels will have to come to an end.
“We have a worldwide database that is available at every embassy and consulate, “says Sprague. “In really short order, they can pull you up by your name and date of birth. They’ll verify that it is you and you can obtain an emergency replacement passport to continue your travels.” This emergency passport doesn’t have all of the security bells and whistles that a regular U.S. passport book comes with. It contains just enough information to keep you traveling when you reach an international border or get you back into the United States when you’re ready to return home. Once your trip is over, you can expect a replacement passport to show up at your home address.