score:8
The RFID chip in a biometric passport can be convinced to communicate all the data stored therein if the right keys are provided to it. Note it’s not a matter of downloading encrypted data from the chip and then having a go at it with decryption tools of some kind; the communication with the chip is bi-directional and authentication has to be provided first.
The core data such as name and the photograph are secured by Basic Access Control, where the key can be derived from machine readable data visible on the passport itself. In essence, after viewing the passport, it’s possible to download the same data you’ve just seen, plus the digital signature of the issuing authority confirming it’s genuine.
There’s also Extended Access Control, where the idea is that more sensitive data such as fingerprints is protected by keys that the issuing authority only provides to parties such as other countries’ immigration departments.
Thus any random person who knows the document number, the owner’s birth date and the passport’s expiry date (that’s what comprises the BAC key) can use this to read basic data and download the photo (there are multiple Android apps that do just this), while it’s not possible to take a powerful scanner to an airport and load lots of passports of passers-by. Downloading the fingerprints and other such data requires special keys which are, in theory, distributed by some secure channels among proper authorities. I’ve heard, without proof, that this process involves many hurdles and my country (Ukraine) simply hasn’t shared such keys with any other countries.
Upvote:1
The data on your passport chip is encrypted, but the encryption key is the machine-readable data on the personal data page (see e.g. this slide deck from ICAO). So it is useless if someone just reads the chip alone, but if they also can see the personal data page, then they can also decrypt the contents of the chip. There are Android apps which can read the passport chip, and require you to scan the data page with the camera, then read the chip with the phone's NFC reader. It will be very obvious if someone is doing this to your passport.