Outsourcing the E-Passport
About 18 months ago at the Blackhat Hackers Convention in Las Vegas, German hacker Lukas Grunwald cloned the e-chip (an RFID) that was embedded in the new Electronic Passport. At the time the State Department assured us all that while the chip could be copied, the security embedded in the chip itself could not be. Setting aside the derisive comments Grunwald made at the time, we now learn that at least some components of the Government Printing Office (GPO) production of these e-passports have been outsourced to companies overseas, including companies in Thailand (an unstable country with a history of corruption and increasing Islamic terrorism, especially in the south of the country) and China. Additionally, according to a March 26th report in the Washington Times, allegations have been made that the production facility in Thailand is owned by a Dutch company that reportedly charged China with pilfering its patented e-passport chip technology.
The Netherlands-based company that assembles the U.S. e-passport covers in Thailand, Smartrac Technology Ltd., warned in its latest annual report that, in a worst-case scenario, social unrest in Thailand could lead to a halt in production. Smartrac divulged in an October 2007 court filing in The Hague that China had stolen its patented technology for e-passport chips, raising additional questions about the security of America's e-passports.
Again, putting aside the question of whether the GPO profits by off-shoring even a part of the production of the passport, the GPO immediately countered the allegations made in the Washington Times article. Regarding the article, the GPO's inspector general made a strong denial, saying that it had misstated the facts. Further, a GPO spokesman stated that "The passports are not manufactured overseas," but that "a component with the chip and inlay [of the antenna] comes from various places overseas, but manufacturing is done in Washington and soon-to-be Mississippi."
In response to the Times article, GPO released on March 26 a document about work processes it used to produce passports. According to the document, and reiterated by GPO spokesman Gary Somerset, the agency manufactures passports at its facilities in Washington. The agency will soon produce passports at a second secure facility it is constructing in Mississippi. Production of the electronic chip, which is embedded in the cover and contains the same information printed on the passport, was outsourced to two overseas companies, Amsterdam-based Gemalto and Infineon, based in Neubiberg, Germany. No American company meets the standards developed by the International Civil Aviation Organization and required by the State Department for border crossing procedures that involve the computer chip, according to GPO.
It's pretty certain that there will be a Congressional inquiry into this, especially given Chairman Bennie Thompson's stated concerns.
Congress has yet to ask the Government Accountability Office to investigate the issue. Unless a specific vulnerability is detected, Jess Ford, GAO director of international affairs and trade, doesn't expect that to change. "My understanding is that lots of chips used not only for passports but other forms of identification are manufactured overseas," he said. "Besides, I'm not sure if someone even got hold of the chip, how they would use them. There's a lot of security that happens here in the United States."
The situation bears watching and further scrutiny. The security of passports, especially the new electronic passports with embedded RFID technology, is still new and evolving. The second and third installments of the Washington Times series on this matter are provided here. Especially considering the increased requirements for using passports as a proof of identity and citizenship, including leaving and returning to the United States from vacation locations previously accessible without passports, off-shoring any part of the U.S. passport is questionable at best.