security – Is it safe to show a biometric passport to a third party?

The RFID chip in a biometric passport can be convinced to communicate all the data stored therein if the right keys are provided to it. Note it’s not a matter of downloading encrypted data from the chip and then having a go at it with decryption tools of some kind; the communication with the chip is bi-directional and authentication has to be provided first.

The core data such as name and the photograph are secured by Basic Access Control, where the key can be derived from machine readable data visible on the passport itself. In essence, after viewing the passport, it’s possible to download the same data you’ve just seen, plus the digital signature of the issuing authority confirming it’s genuine.

There’s also Extended Access Control, where the idea is that more sensitive data such as fingerprints is protected by keys that the issuing authority only provides to parties such as other countries’ immigration departments.

Thus any random person who knows the document number, the owner’s birth date and the passport’s expiry date (that’s what comprises the BAC key) can use this to read basic data and download the photo (there are multiple Android apps that do just this), while it’s not possible to take a powerful scanner to an airport and load lots of passports of passers-by. Downloading the fingerprints and other such data requires special keys which are, in theory, distributed by some secure channels among proper authorities. I’ve heard, without proof, that this process involves many hurdles and my country (Ukraine) simply hasn’t shared such keys with any other countries.