For over a decade, most passports have contained an NFC chip that holds a set of electronically readable data about the document and its holder. This has resulted in a much quicker passage through some borders as automatic barriers can replace human officials, but at the same time, it adds an opaque layer to the process. Just what data is on your passport, and can you read it for yourself? [Terence Eden] wanted to find out.
The write-up explains what’s on the passport and how to access it. Surprisingly, it’s a straightforward process, unlike, for example, the NFC on a bank card. Security against drive-by scanning is provided by the key being printed on the passport, requiring the passport to be physically opened.
He notes that it’s not impossible to brute force this key, though doing so reveals little that’s not printed on the document. The write-up reveals a piece of general-purpose technical knowledge we should all know. However, there’s a question we’re left with that it doesn’t answer. If we can read the data on a passport chip, could a passport forger thus create a counterfeit one? If any readers are in the know, we’d be interested to hear more in the comments. If you are into NFC hacking, maybe you need a handy multitool.
Header: [Tony Webster], CC BY-SA 4.0.
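The "key printed on the passport" mentioned above is the Basic Access Control key, which is not a separate secret but is derived from three machine-readable-zone fields. As an added worked example (not code from the article or the linked write-up), this implements the ICAO 9303 check digit, the key seed and the Kenc/Kmac derivation; the MRZ values are the worked example published in ICAO Doc 9303 Part 11, not a real document, and the secure-messaging session that follows is not shown.

```go
package main
import (
	"crypto/sha1"
	"encoding/hex"
	"math/bits"
)

// mrzCheckDigit is the ICAO 9303 check digit: weights 7,3,1 repeat; digits keep
// their value, letters A..Z map to 10..35, the filler '<' counts as 0.
func mrzCheckDigit(field string) string {
	sum := 0
	for i, c := range []byte(field) {
		v := 0
		if c >= '0' && c <= '9' {
			v = int(c - '0')
		} else if c >= 'A' && c <= 'Z' {
			v = int(c-'A') + 10
		}
		sum += v * []int{7, 3, 1}[i%3]
	}
	return string(rune('0' + sum%10))
}

// bacKeySeed is SHA-1 over document number, birth date and expiry date (each with
// its check digit), cut to 16 bytes: the three printed fields are the whole secret.
func bacKeySeed(docNumber, birth, expiry string) []byte {
	mrzInfo := docNumber + mrzCheckDigit(docNumber) + birth + mrzCheckDigit(birth) +
		expiry + mrzCheckDigit(expiry)
	sum := sha1.Sum([]byte(mrzInfo))
	return sum[:16]
}

// deriveKey turns the seed into a 3DES key: counter 1 gives Kenc, counter 2 gives
// Kmac. SHA-1(seed || 00 00 00 counter)[:16] with every byte at odd DES parity.
func deriveKey(seed []byte, counter byte) []byte {
	sum := sha1.Sum(append(append([]byte{}, seed...), 0, 0, 0, counter))
	key := sum[:16]
	for i, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			key[i] = b ^ 1 // flip the parity (least significant) bit
		}
	}
	return key
}

// icaoExampleKeys uses the worked-example MRZ from ICAO Doc 9303 Part 11 (not a real passport).
func icaoExampleKeys() (seed, kenc, kmac string) {
	s := bacKeySeed("L898902C<", "690806", "940623")
	return hex.EncodeToString(s), hex.EncodeToString(deriveKey(s, 1)), hex.EncodeToString(deriveKey(s, 2))
}
```

Because the seed depends only on these three fields, the key space is bounded by how predictable they are, which is what the brute-force remark in the article refers to.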
One would guess that the unique key on the passport has to be signed by a private key owned by the country issuing the passport and EITHER each country shares the corresponding public key with every other country, OR there is a next level key held by some common issuing authority (the UN? etc) which signs country keys (so they can also be on the passport) and publishes a public key for validating those. I’m guessing it’s probably the former.
This means that a forger can’t just create a key for a passport because they can’t create a correctly signed key to put on the passport.
No sane entity will trust the UN with secure information.
I’m not (merely) being sarcastic; it’s just not within the scope that they could keep a secret like that.
True, and also they are simply not trustworthy in general. Creating some kind of international authority has always been incredibly fraught, yet people still act like it’s a thing that we can do trivially and handwave it. We can’t do it at all.
The organization that put Saudi Arabia in charge of a women’s rights council not trustworthy? Say it ain’t so.
Public keys are not secret. As the name suggests they are safe to be shared with the public.
The UN does hold the chain of trust too, via the International Civil Aviation Organisation.
There are 3 protection mechanisms for passport NFC chips. 1) symmetric key printed on the photo page. 2) the passport has a blocking cover so NFC can only be read when the passport is open. 3) there are a very limited number of attempts (like 4 or 5) allowed before the chip will brick itself and you won’t be getting any data off it.
3) Maybe a larger number than 4 or 5, else that’s a candidate for a DoS attack preventing users from using the chip expeditiously, going forward.
I’m not sure that’s quite accurate. While there is a password printed on the photo page, that’s not the same as the private key the data are signed with. My passport reads just fine with the cover closed. And, as I say in the post, I was able to send multiple wrong attempts without the passport bricking.
Obviously, different countries may have different protection levels. But what you’ve said isn’t right for UK passports at least.
ICAO has an article on this that is more accurate – Basics of ePassport Cryptography
There is no key or password printed on the photo page.
Most importantly, it is asymmetric encryption, not symmetric, with the Public Key (for reading data) available from ICAO. See the link below for details, including a convenient picture explaining this further.
https://www.icao.int/Security/FAL/PKD/BVRT/Pages/Basics.aspx
Following the links got me to a commenter who has received documents ‘protected’ by the Polish equivalent of a social security number. Which is pretty terrible because the Polish one is 11 digits with a check digit. Whereas the one in the US is only 9, and I think the first 5 are based on when and where you were born.
Needless to say, if I can manually crack a 3-digit attaché lock in under 5 minutes, a computer can probably trivially brute force some SS#. I’m always leery of those stupid ‘pick your month and get a nickname’ posts on social media. Seems like you could ask AI to aggregate that stuff and give you people’s actual SS#.
And that’s why they changed the assignment/encoding to be more random, in 2011. The “area numbers” no longer indicate the area you were born, because the whole number is random (well, as random as can be while skipping assigned ones and a few special things like not starting with 666 and not having all zeros in any one group).
Actually wrong on both accounts, of the 666 and no 0’s.
For 1) Mine starts with 666 and I was born in 1980, and 1980 didn’t start with the area code as I was born in Calif. under an 818 area code, and NOT even close to that obviously was I given an 818 prior to 2011.
2) 000s that start with that are out-of-country births, meaning parents of the US who are on vacation and give birth overseas in another country, have birth parents who are US citizens, but born in another country denote starting 000’s with out-of-country births. I only know this because of my wife, a US citizen but born outside the US; this was also in the 80s. And from what I have been told via our friends and neighbors, starting 000’s still denote out-of-country births, as a few have given birth outside of the US and their child’s SS starts with 000.
So please make sure you do have a little bit more information, or fact-check, before you make broad statements like that.
And/or clarify what you mean; just don’t make broad statements with almost fake information.
SSN digits never had anything to do with telephone “area code”, but my SSN, my wife’s, and our first three children all start with the same two digits because my parents filed for mine when I was a small child (but not at birth), she obtained hers after obtaining permanent residency, and we filed for those children’s at birth before the change.
Our youngest was born after the system change, hence has completely different digits.
Telephone area codes are not the same as social security area codes.
You are 100% correct.
Did you buy your social security card from a guy downtown? Because neither of your points makes sense. Of course a SSN area code isn’t going to be the same thing as a telephone area code.
I was born to US parents while they were working in Africa in the early 90s, and my SS number does not start with 000.
You sure ICE isn’t looking for you? Because 666 isn’t used in American SSNs. And from 1936 until June 2011 ALL California-issued SSNs began with 545–573.
As for children born outside the US, 000 was NOT used.
“Area number 586 is divided among American Samoa, Guam, the Philippines, and Americans employed abroad by American employers and, from 1975 to 1979, it was also used for Indochinese refugees. Area number 580 is assigned to persons applying in Puerto Rico and the Virgin Islands.”
If you were born in any other foreign country to American citizens, your social security number would have been assigned according to your parents’ US address, or barring that, the location of whichever office processed the social security number application.
So please make sure you do have a little bit more information, or fact-check, before you make broad statements like that.
And/or clarify what you mean; just don’t make broad statements with almost fake information.
https://www.ssa.gov/policy/docs/ssb/v45n11/v45n11p29.pdf
So I took a quick gander over the part of the specification that he linked, and it seems to have sensible security, and then there is a whole other document on the public key infrastructure. The data is definitely signed by issuing states.
However, I’ve not confirmed that the actual image data is signed and that the signature is checked. However, I think it would be quite the oversight if they did not, because it means data from a stolen passport could be written to a new passport with new image data.
(OP here) The data are signed but, as you allude, it doesn’t need to be validated.
For example, some countries don’t check https://arstechnica.com/tech-policy/2018/02/border-agents-have-no-idea-if-data-held-on-e-passports-is-authentic/
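The check being discussed here is Passive Authentication: the Document Security Object (SOD) carries a hash of every data group, signed by the issuing state’s Document Signer, and an inspection system that skips the check cannot tell a rewritten DG2 (face image) from a genuine one. The following is an added illustration, not the OP’s code or anything from ICAO: a constructed stand-in in which Ed25519 replaces the RSA/ECDSA CMS signature of the real SOD and a bare hash array replaces its ASN.1; the step that chains the Document Signer key to the country’s CSCA certificate (the PKD chain mentioned earlier in the thread) is omitted.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// dgHashes stands in for the SOD's hash list: slot n holds SHA-256 of data
// group n (DG1 = MRZ, DG2 = face image); unused slots stay zero.
type dgHashes [17][32]byte

func (h *dgHashes) bytes() []byte {
	var out []byte
	for _, d := range h {
		out = append(out, d[:]...)
	}
	return out
}

// issue is the issuing state's Document Signer step: hash every data group and
// sign the list. Constructed stand-in: the real SOD is CMS SignedData, not Ed25519.
func issue(dsPriv ed25519.PrivateKey, dgs map[int][]byte) (h dgHashes, sig []byte) {
	for id, data := range dgs {
		h[id] = sha256.Sum256(data)
	}
	return h, ed25519.Sign(dsPriv, h.bytes())
}

// passiveAuth is the inspection-system check: the signature must verify under the
// Document Signer key AND every data group read from the chip must hash to the signed value.
func passiveAuth(dsPub ed25519.PublicKey, dgs map[int][]byte, h dgHashes, sig []byte) bool {
	if !ed25519.Verify(dsPub, h.bytes(), sig) {
		return false
	}
	for id, data := range dgs {
		if h[id] != sha256.Sum256(data) {
			return false
		}
	}
	return true
}

// demo personalises a chip with constructed DG1/DG2 contents, then swaps the photo while keeping the genuine SOD.
func demo() (genuine, swappedPhoto bool) {
	dsPub, dsPriv, _ := ed25519.GenerateKey(rand.Reader)
	dgs := map[int][]byte{1: []byte("constructed DG1: MRZ"), 2: []byte("constructed DG2: face image")}
	h, sig := issue(dsPriv, dgs)
	genuine = passiveAuth(dsPub, dgs, h, sig)
	dgs[2] = []byte("constructed DG2: a different face image")
	return genuine, passiveAuth(dsPub, dgs, h, sig)
}
```

The signature still verifies after the photo swap, since the SOD itself is untouched; only the per-data-group hash comparison catches the substitution, which is why reading the chip without performing both steps proves nothing about authenticity.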
As I seem to recall from looking into it long ago, there are 2 types of images: a low-resolution one that is easy to read and a secure high-resolution one not accessible to normal people.
In fact the data that ‘we’ can read is deliberately limited compared to what the authorities can access I think.
Might be hard to forge.
https://youtu.be/bnKyw5-_E6o
Oh, and don’t try and say that even before that it was based upon region and area code or prefix. This is also not true, as my mother was born in Alamogordo, NM (1956), and even back then their area and prefixes were never 564, that is WA state (for area code)… so no region, area code, etc. was ever the basis for the 3 digits, nor did any of the other numbers mean anything even regional or state.
So random was already there, back in 1956.
So the statement “The ‘area numbers’ no longer indicate the area you were born” isn’t right.
Maybe rephrase your statement and try not to make it fact when it is not.
Maybe read up on what is meant by the area portion of the SSN before you make such statements. It has nothing to do with a telephone area code. And your 564 example is an overlay code that wasn’t even proposed until 1999.
The area portion was first assigned based on the office issuing the card, then was based on the zip code of the mailing address used by the applicant.
But since 2011 the area portion is not tied to any geographic location.
The first three digits were called area numbers. They had nothing to do with telephone area codes. In July 2011 they stopped the area number thing and switched to a random number. Your mom’s SSN started with 564, which is listed below as a NM area number… Might want to rephrase your statement and try not to make up facts yourself.
001-003 New Hampshire
004-007 Maine
008-009 Vermont
010-034 Massachusetts
035-039 Rhode Island
040-049 Connecticut
050-134 New York
135-158 New Jersey
159-211 Pennsylvania
212-220 Maryland
221-222 Delaware
223-231, 691-699 Virginia
232-236 West Virginia
232, 237-246, 681-690 North Carolina
247-251, 654-658 South Carolina
252-260, 667-675 Georgia
261-267, 589-595, 766-772 Florida
268-302 Ohio
303-317 Indiana
318-361 Illinois
362-386 Michigan
387-399 Wisconsin
400-407 Kentucky
408-415, 756-763 Tennessee
416-424 Alabama
425-428, 587-588, 752-755* Mississippi
429-432, 676-679 Arkansas
433-439, 659-665 Louisiana
440-448 Oklahoma
449-467, 627-645 Texas
468-477 Minnesota
478-485 Iowa
486-500 Missouri
501-502 North Dakota
503-504 South Dakota
505-508 Nebraska
509-515 Kansas
516-517 Montana
518-519 Idaho
520 Wyoming
521-524, 650-653 Colorado
525-585, 648-649 New Mexico
526-527, 600-601, 764-765 Arizona
528-529, 646-647 Utah
530, 680 Nevada
531-539 Washington
540-544 Oregon
545-573, 602-626 California
574 Alaska
575-576, 750-751 Hawaii
577-579 District of Columbia
580 Virgin Islands
580-584, 596-599 Puerto Rico
586 Guam, American Samoa, Philippine Islands
700-728 Railroad Board**
729-733 Enumeration at Entry
I did medical records transfers in the USN 1978-81… I serviced and signed off on approx. 500 medical records a day for over a year… at that time, the SSAN was also your so-called “Serial Number”. We definitely could and did use standard federal reference docs to look up the locations that SSANs were issued… the reference to 56x being California is correct, but that wasn’t written in stone, just the general rule… MANY conditional exceptions could apply at place and date of issue. Once we had computers everywhere (not just universities and DOD), a lot of things changed with the numbering system…
I suspect this reply was intended as a follow up for your earlier rant at just6979, rather than a comment to the author?
You might find https://www.ssa.gov/policy/docs/ssb/v45n11/v45n11p29.pdf interesting. It explains the situation as of the early eighties. Honestly I’m not sure if it backs up what you’re saying, but it does discuss how number allocation has changed over time, what the number is based on (area was SSA office, not birth state or telephony area code, though they were related) etc.
@CM: Aside from all the other comments about why SSN “areas” != Area Codes, there is the small matter of history. The SSN numbering system was presumably created before Nov 1936 when the first ones were issued and telephone Area Codes didn’t exist until 1947. Simple facts that are easily checked.
https://www.ssa.gov/history/ssn/firstcard.html
“Social Security numbers were grouped by the first three digits of the number (called the area number) and assigned geographically starting in the northeast and moving across the country to the northwest.”
https://en.wikipedia.org/wiki/Original_North_American_area_codes
New Mexico SSNs were 648–649.
Washington State SSNs were 531–539.
564 falls into the California block of numbers, 545–573.
You seem to be confused about the difference between TELEPHONE area codes and Social Security Area Numbers.
If you were born between 1936 and 1973 the three digit area number indicates where your social security number was issued, GENERALLY where you lived and were born but sometimes, due to delayed application, or lack of local office it would be a different number.
After 1973 Social Security cards were ALL issued from the Baltimore office and were geographically coded according to the mailing ZIP code on the application, so if you were born in Colorado while your parents were on vacation but they filled the application out with their California ZIP code, your place of birth and your three-digit code would not match. But for MOST people their code would match their place of birth.
After June 2011, the first three digits reflect NEITHER the place of birth nor the place of application but rather are assigned randomly.
Here is a link to the FORMER Social Security Area numbers.
https://en.wikipedia.org/wiki/Social_Security_number#List_of_Social_Security_area_numbers
Funny, my passport didn’t come with a chip in it.
Might be because I got it in 1986. :D
There is PKI to sign them. Each country has the others’ public keys to verify. Not every country trusts every other country, so the lists are not exhaustive.
Sometimes technologically less advanced countries go to the passport printing service of a better equipped country and use their resources.
I know this because I once worked for a company where one single guy was responsible for developing computer software that could read, write and verify actual real passports for some small African country (of which the name would not be disclosed to him). The client was the national mint of the EU country we lived in, which was also responsible for passport printing.
That African country simply did not have the resources to create a printing service for passports that would meet the high standards of the ICAO. So they would get printed passports (with the citizen data and picture) but would write the chip themselves.
Yes, the ICAO (International Civil Aviation Organization) sets the standards for Machine Readable Travel Documents (MRTDs), aka passports. Not the governments themselves.
If you got it in 1986 then that means it’s no longer valid.
SSN area digits were set from Northeast to West, like postal ZIP codes. Telephone area codes were set by how long it took an operator to dial the number for you, when you needed an operator for long distance. High-density cities NYC and LA have 212 and 213, with 5 and 6 total ‘clicks’ as the dial rotated. Rural areas, with fewer calls, had higher combinations, like 909 for a total of 28 clicks. With touchtone this became obsolete.
So can people still make forged passports now that we have chips in them?
Not if they use Doritos.
If you’d like to read a passport/eMRTD with a Flipper Zero, there is an app that uses BAC (no PACE support): https://lab.flipper.net/apps/passy.
Forget forging a passport.
How about re-writing someone’s passport data to say something else?
“Potato Chip Thief, Arrest on sight” perhaps?