I am a firm proponent of the belief that the black-hats will always win. Hackers have eventually broken every known encryption and data protection protocol. The hope is that, with anything that matters, the white-hats can update and move ahead of the black-hats, but with a system as slow and expensive as international treaties and immigration control, it is unlikely that the white-hats will always be ahead. Even the digitally signed portion of your data is more likely to be broken into eventually than not.
Passports last 10 years in the U.S. Imagine what computing and encryption looked like 10 years ago, or even 20 years ago, when the standards lag starts taking effect. Given the other answers on this page, it’s all read-write, or will be soon.
Just to answer the “tinfoil hat” aspect, a standard doesn’t prevent a country from making passports and readers which implement features in addition to the standard.
So, a country could easily issue passports which e.g. record entries and exits or store recent photos taken by the border control of that country in your passport. Passports could also store information about border control in other countries, even if foreign border control equipment isn’t actively writing to it (thanks @jcaron). This information could be read out when you return to your country, and be used to estimate how many countries you have visited during your trip. If those countries have accessed information which requires active authentication, it may also be possible to know which ones you have visited.
Passports conforming to the ICAO doc 9303 specification use a smart card conforming to ISO 7816, which is very broadly speaking not just a storage device, but rather a miniature computer.
It is possible to restrict read or write access to parts of its storage to only properly authenticated entities.
Looking at the relevant part of the specification (parts 10 and 11 at the referenced ICAO site), there only seem to be commands relating to reading basic data, cryptographically authenticating the travel document or authenticating the reader to the document in order to access sensitive information like fingerprints.
Without any command to actually modify data on a smartcard, it wouldn’t be possible to do so.
It is of course possible that the issuing country implements additional commands, for example for the purpose of correcting information after issuance. However, such commands, if they even exist, would very likely require authentication of the reader before any write or delete access to the storage would be granted.
Regarding your specific question about the issuing authority adding biometric data after issuance, this does seem to be allowed under the specification:
“Only the issuing State or organization shall have write access to these Data Groups. Therefore, there are no interchange requirements and the methods to achieve write protection are not part of this specification.”
As there is nothing in the specification regarding write access to the general writable area, it seems to be up to the issuing country to specify access privileges (for reading or writing) to these memory areas.
Theoretically, countries could agree on commands for accessing these optional storage areas outside of the ICAO specifications, of course, but I consider that quite unlikely:
If the intent is to exchange travel data, why not just exchange it out-of-band, for example through server-side systems communicating passport numbers? This seems much simpler and more effective.
TL;DR: It’s complicated, but for practical purposes, currently e-passports are read-only.
Long version: The specification for e-passports contains two types of data.
Dedicated Files (DF) are writable and are meant for storing visas and various authorizations in the future. However, this is currently not used, and most e-passports out there don’t even include this capability.
What is in active use is the Logical Data Structure (LDS), which stores biometrics etc. and is by design read-only. Anybody with access to the key stored in the passport’s machine-readable section (the swipable bit at the bottom) can read data from here, and the data is electronically signed, so anybody reading it can confirm that the contents have not been tampered with.
In practice, e-passports are implemented using EEPROM memory, which expands to the somewhat paradoxical Electrically Erasable Programmable Read-Only Memory. For practical purposes, these are read-only, a casual reader can’t go in there and change or add anything.
The catch is that EEPROMs are also by definition erasable, so the contents can be erased and rewritten from scratch. However, since EEPROMs can typically be locked/“frozen” to prevent any further changes, any attacker would need to work around this. What’s more, since the LDS contents are digitally signed, if a malicious country or agent were to gain access and erase and rewrite them, they would also need to provide a new valid signature, which they can’t do without the original issuer’s private key. They could reprogram your Sylvanian passport’s chip to return data signed by Borduria instead, but I presume this would be caught pretty easily, since it would now be out of sync with what the machine-readable stripe says. And this is also why the originating country is unlikely to change any data on the chip, even if it technically can, because it would then risk having the information physically printed on the passport be out of sync with the digital copy in it.
Some more reading on the topic: https://www.researchgate.net/publication/221406395/download (free PDF download)
Edit for clarity: I’m not claiming any of this makes e-passports secure or tamperproof. However, if the question is “are countries I visit recording things in my e-passport when I pass through immigration”, the answer is pretty unequivocally “no”.
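The “key stored in the passport’s machine-readable section” that the answer above refers to, and the reader-to-document authentication mentioned in the earlier answer about parts 10 and 11 of ICAO Doc 9303, are both Basic Access Control (BAC): the reader proves it has seen the data page by deriving 3DES keys from three MRZ fields. The following Python is an added example, not code from the original post or from any of the answerers, and the function names are my own. It computes the MRZ check digits, the BAC key seed and the two derived keys (Kenc, Kmac) exactly as the 9303 key derivation specifies, using the sample MRZ values from the worked example in ICAO Doc 9303 Part 11 as input (those values are a published test vector, not a real passport).

```python
import hashlib

# ICAO 9303 check-digit character values: '0'-'9' -> 0-9, 'A'-'Z' -> 10-35, filler '<' -> 0
def _char_value(c: str) -> int:
    if "0" <= c <= "9":
        return ord(c) - ord("0")
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {c!r}")


def mrz_check_digit(field: str) -> int:
    """Weighted modulus-10 check digit (weights 7, 3, 1 repeating) over one MRZ field."""
    weights = (7, 3, 1)
    return sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def bac_key_seed(doc_number: str, birth_date: str, expiry_date: str) -> bytes:
    """Kseed = the 16 most significant bytes of SHA-1(MRZ_information).

    MRZ_information is the document number (padded to 9 characters with '<'),
    the date of birth (YYMMDD) and the date of expiry (YYMMDD), each immediately
    followed by its own check digit. Everything here is printed on the data page,
    so anyone who can see (or photograph) the passport can derive the key.
    """
    doc_number = doc_number.ljust(9, "<")
    mrz_information = (
        f"{doc_number}{mrz_check_digit(doc_number)}"
        f"{birth_date}{mrz_check_digit(birth_date)}"
        f"{expiry_date}{mrz_check_digit(expiry_date)}"
    )
    return hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]


def _adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte: the least significant bit is the DES parity bit."""
    adjusted = bytearray()
    for b in key:
        ones_in_upper_seven = bin(b >> 1).count("1")
        adjusted.append((b & 0xFE) | (0 if ones_in_upper_seven % 2 else 1))
    return bytes(adjusted)


def _derive_key(seed: bytes, counter: int) -> bytes:
    """9303 KDF: SHA-1(Kseed || c) truncated to 16 bytes, parity-adjusted, as a 2-key 3DES key."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return _adjust_des_parity(digest[:16])


def derive_bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> tuple[bytes, bytes]:
    """Return (Kenc, Kmac); counter 1 yields the encryption key, counter 2 the MAC key."""
    seed = bac_key_seed(doc_number, birth_date, expiry_date)
    return _derive_key(seed, 1), _derive_key(seed, 2)


if __name__ == "__main__":
    # Sample MRZ fields from the ICAO Doc 9303 Part 11 worked example (constructed test data).
    doc, dob, exp = "L898902C<", "690806", "940623"
    k_enc, k_mac = derive_bac_keys(doc, dob, exp)
    print("Kseed:", bac_key_seed(doc, dob, exp).hex().upper())  # 239AB9CB282DAF66231DC5A4DF6BFBAE
    print("Kenc: ", k_enc.hex().upper())                        # AB94FDECF2674FDFB9B391F85D7F76F2
    print("Kmac: ", k_mac.hex().upper())                        # 7962D9ECE03D1ACD4C76089DCE131543
```

The point worth taking from this is that BAC is an access-control gate for readers, not a secret in any cryptographic sense: the entire key material is derived from text printed on the data page, with SHA-1 and 3DES as the standard mandates. That is why the answer above leans on the digital signature over the LDS, not on the access keys, as the actual guarantee that the contents were not altered.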
Credit: stackoverflow.com
5 Mar, 2024
4 Mar, 2024