What’s really stored on your passport’s microchip? Can your passport be hacked? Are foreign spies tracking your every move through your passport? Read on, traveler.

share this article

According to the Department of State, around 42 percent of all U.S. citizens—roughly 136 million people—hold a valid U.S. passport. If you’re one of them, congratulations! It’s a truly amazing document capable of opening the door to travel and adventure in foreign lands. Despite the safe passage to life-changing excursions (as well as soul-crushing business travel) that your passport provides, how much do you really know about it? By the time you finish reading this, your answer will be “a lot.” To get the skinny on how U.S. passports are made and secured, we spoke with representatives from the U.S. Department of State, the International Civilian Aviation Organization (ICAO), and a hacker who specializes in bypassing the security of radio frequency devices. Brenda Sprague is the U.S. Department of State’s assistant secretary for Passport Services. She oversees a network of 28 agencies and centers that are responsible for the acceptance, adjudication, and issuance of U.S. passports. Michael Holly is the director of International Affairs Staff at the U.S. Department of State and chairs the International Civilian Aviation Organization’s (ICAO) Machine Readable Travel Document Working Group—an agency of the United Nations set up to administrate the working agreements and guidelines surrounding air travel and travel documents for 192 participating countries. And then there’s the man known only as Tinker. He’s a member of the Dallas Hacker’s Association. When he and his pals aren’t busy figuring out new ways to ethically mess with our digital world, he spends his days working as a professional penetration tester: a job that sees him hacking into computers and breaking into buildings by reading and cloning radio frequency identification (RFID) building-access badges. Let’s get started! Who’s responsible for making U.S. passports? There are two entities responsible for creating passport books. The first is the U.S. Government Publishing Office (GPO), which assembles the passport books, using the various components that go into them. Once the books are published, the U.S. Department of State is responsible for personalizing the books to be used by U.S. citizens by adding their personal data to its pages and RFID chip. Where are passports made? Many places. In 2008, the Washington Times ran a series of stories that claimed that the U.S. government was outsourcing the manufacturing of passports to companies in foreign countries. In one instance, one of the contractors, located in Thailand, was said have been infiltrated by Chinese Intelligence. The story led some conspiracy theorists to suggest that the Chinese government is somehow tracking U.S. travelers or stealing their data. According to Michael Holly, there’s a grain of truth to this. “The story regarding Thailand revolved around the electronic inlay that we used back in 2004 and 2005,” says Holly. “Smartrac was the entity that was producing the inlay for us at that time.” In response to the issue, explains Holly, the U.S. Department of State and the GPO have moved to ensure that the majority of the components that go into a passport are manufactured on U.S. soil. In the time since the Washington Times story dropped, almost all of the vendors contracted by the GPO to put the books together have set up shop in the United States. Those that haven’t are in allied nations.

Article continues below advertisement

And before you ask, no, the Chinese government isn’t tracking your every move through the paper in your passport book. “The passport page is and has always been done by the Crane Paper Company,” Sprague adds. “I believe they manufacture it in Massachusetts. There are other components to the passport, all of which are manufactured in the United States, with the exception of some inks and foil and some threads that are made either in the U.K. or Australia. But if you were talking about domestic content on a U.S. passport, I would guess that it’s well over 98 percent.” Courtesy of Shutterstock RFID chips, like this one embedded in the cover of a British passport, are similar to the I.D. chips implanted in pets. What information is stored on a passport’s RFID chip?



Open your passport book up to the data page with your photo on it. See the information there? According to Sprague, this same information is what’s stored on a passport book’s RFID chip. You’ll also find that the chip contains biometric information of the passport’s owner and a Open your passport book up to the data page with your photo on it. See the information there? According to Sprague, this same information is what’s stored on a passport book’s RFID chip. You’ll also find that the chip contains biometric information of the passport’s owner and a cryptographic signature that permits border officials from the Department of Homeland Security to verify that the passport hasn’t been tampered with or altered in any way. That’s it. How is the information stored on a passport’s RFID chip secured? We just discussed the cryptographic signature stored in your passport’s RFID chip, so let’s start there. The ability to read this signature and unlock the information on the chip is complex and, for obvious reasons, well guarded by the Department of State. But it’s not dissimilar to the security used to keep the contents of your bank account safe. “Basic access control is similar to what you get with an ATM machine,” explains Holly. “You put in your card, then you put in your PIN number, and only then will you start to get money. Basic access control requires the passport to be open and the machine readable zone to be read. From that machine readable zone, a PIN number is derived and only then does the chip release the information to the reader. That information is encrypted. We also use random user identification (RUID) in order to prevent tracking. When a chip is queried by the reader, the first thing that is provided is the chip’s serial number. In our case, each and every time the chip is queried, a different identification number is provided.” Are U.S. Customs & Border Patrol agents the only ones who can read this information? Nope. The U.S. Department of State’s public key infrastructure is shared with 52 other nations so that they can verify, when a passport is used at their borders, that the information on the chip has not been altered in any way. Can hackers read the information broadcast by a passport’s RFID chip? According to Holly and Sprague, in order for a passport’s RFID chip to be read, it needs to be within six inches of an RF reader. Thanks to a special piece of security tape buried in the cover of your passport, the data on the chip cannot be read when the passport book is closed. This makes it almost impossible for anyone to hack your passport’s RFID chip as you wander around an airport or travel destination. In theory. According to our hacker pal, Tinker, RFIDs are fairly easy to read.

Article continues below advertisement