For over a decade, most passports have contained an NFC chip that holds a set of electronically readable data about the document and its holder. This has resulted in a much quicker passage through some borders as automatic barriers can replace human officials, but at the same time, it adds an opaque layer to the process. Just what data is on your passport, and can you read it for yourself? [Terence Eden] wanted to find out.
The write-up explains what’s on the passport and how to access it. Surprisingly, it’s a straightforward process, unlike, for example, the NFC on a bank card. Security against drive-by scanning is provided by the key being printed on the passport, requiring the passport to be physically opened.
He notes that it’s not impossible to brute force this key, though doing so reveals little that’s not printed on the document. The write-up reveals a piece of general-purpose technical knowledge we should all know. However, there’s a question we’re left with that it doesn’t answer. If we can read the data on a passport chip, could a passport forger thus create a counterfeit one? If any readers are in the know, we’d be interested to hear more in the comments. If you are into NFC hacking, maybe you need a handy multitool.
Header: [Tony Webster], CC BY-SA 4.0.
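An added example (not code from the original post or from [Terence Eden]'s write-up) showing how the printed "key" the post describes is actually built: under ICAO 9303 Basic Access Control the reader derives its 3DES session keys from only the document number, date of birth and expiry date with their check digits, which is why the key space is as small as the post says. The MRZ values used here are the specimen from ICAO 9303 Part 11 Appendix D, not a real passport.

```python
import hashlib

# Added example: ICAO 9303 Basic Access Control (BAC) key derivation.
# Sample MRZ fields are the ICAO 9303 Part 11 Appendix D specimen, not a real document.

def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; A-Z map to 10..35, '<' is 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES key bytes require."""
    out = bytearray()
    for b in key:
        b &= 0xFE                      # clear the parity bit
        if bin(b).count("1") % 2 == 0:  # even number of ones -> set it
            b |= 1
        out.append(b)
    return bytes(out)

def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> dict:
    """Return K_seed, K_ENC and K_MAC for BAC (ICAO 9303 Part 11, 3DES variant)."""
    doc_number = doc_number.ljust(9, "<")  # document number field is 9 chars, '<' padded
    mrz_information = (
        f"{doc_number}{mrz_check_digit(doc_number)}"
        f"{birth_yymmdd}{mrz_check_digit(birth_yymmdd)}"
        f"{expiry_yymmdd}{mrz_check_digit(expiry_yymmdd)}"
    )
    k_seed = hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]
    keys = {"seed": k_seed}
    # Counter 1 derives the encryption key, counter 2 the MAC key.
    for name, counter in (("enc", b"\x00\x00\x00\x01"), ("mac", b"\x00\x00\x00\x02")):
        d = hashlib.sha1(k_seed + counter).digest()
        keys[name] = adjust_des_parity(d[:8]) + adjust_des_parity(d[8:16])
    return keys

if __name__ == "__main__":
    for name, key in bac_keys("L898902C", "690806", "940623").items():
        print(name, key.hex().upper())
```

Everything the chip needs to unlock is three fields already visible on the photo page, so the printed key proves physical access to the open document rather than adding secrecy.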
One would guess that the unique key on the passport has to be signed by a private key owned by the country issuing the passport and EITHER each country shares the corresponding public key with every other country, OR there is a next level key held by some common issuing authority (the UN? etc) which signs country keys (so they can also be on the passport) and publishes a public key for validating those. I’m guessing it’s probably the former.
This means that a forger can’t just create a key for a passport because they can’t create a correctly signed key to put on the passport.
No sane entity will trust the UN with secure information.
I’m not (merely) being sarcastic, it’s just not within the scope that they could keep a secret like that.
True, and also they are simply not trustworthy in general. Creating some kind of international authority has always been incredibly fraught, yet people still act like it’s a thing that we can do trivially and handwave it. We can’t do it at all.
There are 3 protection mechanisms for passport NFC chips. 1) symmetric key printed on the photo page. 2) the passport has a blocking cover so NFC can only be read when the passport is open. 3) there are a very limited number of attempts (like 4 or 5) allowed before the chip will brick itself and you won’t be getting any data off it.
3) Maybe a larger number than 4 or 5, else that’s a candidate for DoS attack preventing users from using the chip expeditiously, going forward
I’m not sure that’s quite accurate. While there is a password printed on the photo page, that’s not the same as the private key the data are signed with. My passport reads just fine with the cover closed. And, as I say in the post, I was able to send multiple wrong attempts without the passport bricking.
Obviously, different countries may have different protection levels. But what you’ve said isn’t right for UK passports at least.
Following the links got me to a commenter who has received documents ‘protected’ by the Polish equivalent of a social security number. Which is pretty terrible because the Polish one is 11 digits with a check digit. Whereas the one in the US is only 9, and I think the first 5 are based on when and where you were born.
Needless to say, if I can manually crack a 3-digit attache lock in under 5 minutes, a computer can probably trivially brute force some SS#. I’m always leery of those stupid ‘pick your month and get a nickname’ posts on social media. Seems like you could ask AI to aggregate that stuff and give you people’s actual SS#.
And that’s why they changed the assignment/encoding to be more random, in 2011. The “area numbers” no longer indicate the area you were born, because the whole number is random (well, as random as can be while skipping assigned ones and a few special things like not starting with 666 and not having all zeros in any one group).
Actually wrong on both counts, of the 666 and no 0s.
For 1) Mine starts with 666 and I was born in 1980, and 1980 didn’t start with the area code as I was born in Calif. under an 818 area code, and NOT even close to that, nor obviously was I given an 818 prior to 2011.
2) 000s: numbers that start with that are out-of-country births, meaning parents from the US who are on vacation and give birth overseas in another country; the children have birth parents who are US citizens but were born in another country, and starting 000s denote out-of-country births. I only know this because of my wife, a US citizen but born outside the US; this was also in the 80s. And from what I have been told via our friends and neighbors, starting 000s still denote out-of-country births, as a few have given birth outside of the US and their child’s SS starts with 000.
So please make sure you do have a little bit more information or fact check before you make broad statements like that.
And/or clarify what you mean; just don’t make broad statements with almost fake information.
SSN digits never had anything to do with telephone “area code”, but my SSN, my wife’s, and our first three children all start with the same two digits because my parents filed for mine when I was a small child (but not at birth), she obtained hers after obtaining permanent residency, and we filed for those children’s at birth before the change.
Our youngest was born after the system change, hence has completely different digits.
Telephone area codes are not the same as social security area codes.
You are 100% correct.
Did you buy your social security card from a guy downtown? Because neither of your points makes sense. Of course a SSN area code isn’t going to be the same thing as a telephone area code.
I was born to US parents while they were working in Africa in the early 90s and my SS number does not start with 000.
As I seem to recall from looking into it long ago, there are 2 types of images: a low-resolution one that is easy to read and a secure high-resolution one not accessible to normal people.
In fact the data that ‘we’ can read is deliberately limited compared to what the authorities can access, I think.
Might be hard to forge.
https://youtu.be/bnKyw5-_E6o
Oh and, don’t try and say even before that it was based upon region and area code or prefix. This is also not true, as my mother was born in Alamogordo NM (1956), and even back then their area and prefixes were never 564, that is WA state (for area code)… so no region, area code, etc. was ever the basis of the 3 digits, nor did any of the other numbers mean anything even regional or state.
So random was already there, back in 1956.
So the statement “The ‘area numbers’ no longer indicate the area you were born” isn’t right.
Maybe rephrase your statement and try not to make it fact when it is not.
Maybe read up on what is meant by the area portion of the SSN before you make such statements. It has nothing to do with a telephone area code. And your 564 example is an overlay code that wasn’t even proposed until 1999.
The area portion was first assigned based on the office issuing the card, then was based on the zip code of the mailing address used by the applicant.
But since 2011 the area portion is not tied to any geographic location.
The first three digits were called area numbers. They had nothing to do with telephone area codes. In July 2011 they stopped the area number thing and switched to a random number. Your mom’s SSN started with 564, which is listed below as a NM area number… Might want to rephrase your statement and try not to make up facts yourself.
001-003 New Hampshire
004-007 Maine
008-009 Vermont
010-034 Massachusetts
035-039 Rhode Island
040-049 Connecticut
050-134 New York
135-158 New Jersey
159-211 Pennsylvania
212-220 Maryland
221-222 Delaware
223-231, 691-699 Virginia
232-236 West Virginia
232, 237-246, 681-690 North Carolina
247-251, 654-658 South Carolina
252-260, 667-675 Georgia
261-267, 589-595, 766-772 Florida
268-302 Ohio
303-317 Indiana
318-361 Illinois
362-386 Michigan
387-399 Wisconsin
400-407 Kentucky
408-415, 756-763 Tennessee
416-424 Alabama
425-428, 587-588, 752-755* Mississippi
429-432, 676-679 Arkansas
433-439, 659-665 Louisiana
440-448 Oklahoma
449-467, 627-645 Texas
468-477 Minnesota
478-485 Iowa
486-500 Missouri
501-502 North Dakota
503-504 South Dakota
505-508 Nebraska
509-515 Kansas
516-517 Montana
518-519 Idaho
520 Wyoming
521-524, 650-653 Colorado
525-585, 648-649 New Mexico
526-527, 600-601, 764-765 Arizona
528-529, 646-647 Utah
530, 680 Nevada
531-539 Washington
540-544 Oregon
545-573, 602-626 California
574 Alaska
575-576, 750-751 Hawaii
577-579 District of Columbia
580 Virgin Islands
580-584, 596-599 Puerto Rico
586 Guam
American Samoa
586 Philippine Islands
700-728 Railroad Board**
729-733 Enumeration at Entry
I suspect this reply was intended as a follow up for your earlier rant at just6979, rather than a comment to the author?
You might find https://www.ssa.gov/policy/docs/ssb/v45n11/v45n11p29.pdf interesting. It explains the situation as of the early eighties. Honestly I’m not sure if it backs up what you’re saying, but it does discuss how number allocation has changed over time, what the number is based on (area was SSA office, not birth state or telephony area code, though they were related) etc.
Funny, my passport didn’t come with a chip in it.
Might be because I got it in 1986. :D
There is PKI to sign them. Each country has each others public key to verify. Not each country trusts each other country, so the lists are not exhaustive.
Sometimes technologically less advanced countries go to the passport printing service of a better equipped country and use their resources.
I know this because I once worked for a company where one single guy was responsible for developing computer software that could read, write and verify actual real passports for some small African country (whose name would not be disclosed to him). The client was the national mint of the EU country we lived in, which was also responsible for passport printing.
That African country simply did not have the resources to create a printing service for passports that would meet the high standards of the ICAO. So they would get printed passports (with the citizen data and picture) but would write the chip themselves.
Yes the ICAO (International Civil Aviation Organization) sets the standards for Machine Readable Travel Documents (MRTDs) aka Passports. Not the governments themselves.
If you got it in 1986 then that means it’s no longer valid.
SSN area digits were set from Northeast to West, like postal zip codes. Telephone area codes were set by how long it took an operator to dial the number for you, when you needed an operator for long distance. High-density cities NYC and LA have 212 and 213, with 5 and 6 total ‘clicks’ as the dial rotated. Rural areas, with fewer calls, had higher combinations, like 909 for a total of 28 clicks. With touchtone this became obsolete.