The future of MRTD
It is more than questionable, whether the new electronic passport will prove to be of much use to its new owners. A so far closed system, that inspects the passports, now accepts data from a currently not trustworthy 72 kByte memory with a micro controller – regardless of the fact, that there could just as well be any other software but the ICAO layout running on the chip.
Would a customs official let an unknown person connect a usb stick to his or her PC? Most certainly not. But this is exactly what happens with the electronic passport: its data is first read without any verification. Only after passing them through several non-standard compliant self-made parsers can the reader validate the data.
The programmers of the German reference system Golden Reader Tool
(GRT) report, that the implementation of the electronic passport API was a
complex and difficult task. In general this rather increases the
vulnerability to attacks.
Maybe a team of IT security and data protection experts should have
taken a look at the system, before it was launched. The way it is now, the
golden rule KISS – Keep it simple, stupid
– has been sunk in a
sea of lobbyism, featuritis and national interests.
This article does not at all regard the quality of biometric data, that introduces its very own security issues with respect to wrong acceptance- and refusal rates, as well as the impossibility to recover a once compromised feature. The electronic passport's future remains precarious.