Last month, a gunman opened fire on an insurance building in the ancient Thai city of Ayutthaya, piercing the glass windows of the People’s Alliance for Democracy headquarters with 11 millimeter caliber bullets.
A few weeks earlier, bombs made from powerful plastic explosives were detonated near transmission towers in the same city in an unsuccessful effort by terrorists to darken the manufacturing district.
The violent episodes hardly registered in the United States. Few Americans have heard of Ayutthaya, after all, or know of a reason to pay attention to it.
But there is a reason, one directly connected to America’s security. The key electronic components for millions of American e-Passports, the crown jewel of a new U.S. border security system, have been put together inside a little-known factory in Ayutthaya for the past four years.
Thai workers there assemble inlays that embed wireless transmitters and sophisticated computer chips that store biometric and other personal information used by customs officials and border guards to verify the identities of those who enter the United States.
The U.S. Government Printing Office, the agency charged with producing the new e-Passports, has been warned repeatedly since 2006 by its own security officer that the Thai manufacturing site posed a “potential long term risk to the USG (U.S. government’s) interests,” according to inspection reports obtained by the Center for Public Integrity and ABC News.
The sweeping concerns ranged from poor police protection and political instability in Thailand to difficulty in obtaining security background checks for factory workers, according to documents and interviews.
GPO officials told the Center and ABC News they have been shifting the Thai assembly work into the United States for more than a year and hope to have all of it stateside by summer’s end.
But the problems in Thailand are just one of several serious vulnerabilities to the e-Passport production system that were flagged recently by the agency’s internal watchdog, according to a review by the Center and ABC News.
GPO’s inspector general found the agency lacks security plans and procedures for ensuring that blank e-Passports — and their highly sought technologies — remain safe from terrorists, foreign spies, counterfeiters and other bad actors as they wind through an unwieldy manufacturing process that spans the globe and includes 60 different suppliers.
Despite years of concerns about the risks of stolen e-Passports, GPO “did not have a formal, agency-wide policy and related processes that would ensure security for the e-Passport supply chain,” the inspector general concluded in a March 31 investigative audit obtained by the Center.
Officials Promise Corrective Actions
GPO officials say they are trying to address the problems raised by investigators and to date have no evidence that e-Passports components have been stolen or cloned.
“I believe the Government Printing Office along with the Department of State are doing everything necessary to maintain and secure the passport supply chain,” outgoing Public Printer Robert Tapella said during a brief interview last week.
Added GPO’s spokesman Gary Somerset, “There has been no security breach in the electronic passport supply chain.”
While GPO officials insist they are taking corrective actions, the inspector general has not received word that even a single one of his recommendations from the March report have been completed, officials said. And the agency’s lone job for overseeing the foreign supply chain has been vacant for six months, officials acknowledged.
“We are following the proper rules and procedures to fill the job,” Tapella said when asked about the hiring delay.
The discovery that the e-Passport production chain lacked basic protection procedures only magnifies concerns in the security community that e-Passports could be cloned by bad actors who obtained blank components.
Clark Kent Ervin, the former Homeland Security watchdog, said the GPO’s approach to e-Passport security was ”extremely troubling” on several fronts.
“This is just another example of the government’s dragging its feet, year after year, not taking action that they know they should take, in order to make us as safe as we possibly can be,” Ervin said.
Shortly after the Sept. 11, 2001 attacks, U.S. officials began efforts to foil terrorists’ attempts to enter the United States with false travel documents by creating an electronic passport to replace the traditional paper version used for decades. By 2003, officials had decided the new e-Passport would include a small contactless computer chip embedded in the back cover of the passport book with an antenna to wirelessly transmit data to customs and border employees at U.S. ports of entry.
The chip stores the same data visually displayed on the photo page of the passport, and additionally includes a digital photograph that can be employed used for biometric comparison using digital facial recognition technology. The government began distributing limited e-Passports in 2006 and by August 2007 it had scrapped all paper passports in favor of the new electronic versions. More than 55 million e-Passports have been made in the first four years.
Congress was recently warned that large numbers of U.S. ports of entry still aren’t using readers that can verify travelers’ identities with the biometric information stored electronically on the e-Passports.
The government “does not have the capability to fully verify the digital signatures because it has not deployed e-passport readers to all of its ports of entry and it has not implemented the system functionality necessary to perform the verification,” the Government Accountability Office reported in January.
The combination of weak manufacturing security and slow deployment of machine readers leaves the United States with a false sense that the e-Passport is providing additional border security, experts said.
“They certainly are not realizing their full potential. The system could be rather stronger than it is,” said Ari Juels, director of RSA Laboratories and an expert in electronic identity verification. “It will never be foolproof but it certainly can be quite a bit stronger.”
Weak security in the manufacturing supply chain could allow a criminal or terrorist to get blank parts and clone an e-Passport for nefarious reasons, Juels said.
“Getting a hold of an inlay might help someone create an authentic looking copy,” he explained. “The ability to create an authentic looking passport makes it easier to game the system.”
The State Department’s own e-Passport website acknowledges the risks. “It is possible to substitute the chip of an e-Passport with a fake chip storing the data copied from the chip of another e-Passport,” State warns.
Glaring Security Vulnerabilities
Despite the well-known concerns, GPO had only one full-time employee dedicated to the security of the e-Passport supply chain, and the agency’s inspector general concluded he was overwhelmed by “the resource constraints inherent with being a one-person operation.”
The lack of management attention and resources for security left an “informal” and “ad hoc” approach to security with some gaping holes, the report said. For instance, the inspector general found:
- GPO’s security officer has conducted security assessments for only 11 of the 16 most critical suppliers of e-Passport materials.
- The agency lacked a “direct contractual relationship with 6 of the 16 key suppliers” and therefore had “no specific legal rights to review, authorize the subcontracting of, and inspect the operations of companies that provide critical components for the e‐Passport, including two companies considered to be single points of failure in the supply chain.”
- Six of the 10 e‐Passport supplier contracts reviewed did not contain security plans or security‐related requirements.
The inspector general was particularly concerned that the lack of supply chain security left the United States vulnerable to potential interruptions of the e-Passport supply if even one of its key players was disabled by an attack, political unrest or natural disaster.
He also found that GPO gave misleading assurances in the past to Congress that its manufacturing process was fortified..
For instance, after lawmakers were surprised by a Washington Times report in early 2008 that some suppliers and contractors for the e-Passports were located overseas, the GPO declared in an April 9, 2008 letter to the House Energy and Commerce Committee that the agency had “taken all reasonable steps to assure that the production of and the supply chain for e‐Passports is secure.” Specifically, the agency insisted it had conducted top-of-the-line security audits.
The inspector general found those assurances to be false. “We were unable to find any documented evidence of the formal e‐Passport supply chain audit (security assessment) process noted by the Agency,” the inspector general stated flatly in the March report.
Somerset, the spokesman, said GPO and State Department officials were satisfied at the time of the letter with their security auditing and did not intend to mislead lawmakers.
Rep. John Dingell (D-Mich.)Rep. John D. Dingell, D-Mich., the chairman of that House committee back in 2008 when the assurances were given, said in an interview that the subsequent revelations show GPO officials were “not very truthful” and have allowed serious security vulnerabilities to persist.
“This is enough to concern me about the truthfulness and integrity of the leadership at the Government Printing Office,” Dingell said in an interview Monday.
“We have a situation where our e-passports can be subverted, where we cannot assure ourselves of the security of those passports. We cannot assure ourselves that the personal and private information of our citizens that was given to the government in connection with our passports is secure. And we have no way of knowing whether these security devices in the passports are of a character which properly protects our people in their travels, protects the security of the United States, “ he said.
Officials say they have begun assembling as many as 80 percent of the chip/radio antenna inlays at a factory in Minnesota. Demand for U.S. passports has slowed enough during the recession that 100 percent of the inlays can finally be produced stateside — and not in Thailand — as early as July or August, they said.
Otherwise, officials said they agreed with nearly all the findings in the inspector general’s report and are taking corrective actions.
“The IG made recommendations to help GPO further improve security of its electronic passport supply chain,” Somerset said. “GPO management concurred with the recommendations and has either already implemented or planned corrective actions.”
The threat of counterfeiting became all too real recently when British authorities revealed that passports held by some of their citizens were “cloned” by assassins who killed a Hamas leader in the United Arab Emirates. While the cloned passports were not as sophisticated as the U.S. e-Passports, the incident heightened sensitivities about the potential for cloning at a more sophisticated level in the future.
Downplaying The Risks
State Department documents obtained by the American Civil Liberties Union under the Freedom of Information Act show U.S. officials have been aware of the threat that e-Passports could be cloned and their data intercepted by a tactic known as “skimming“ since 2003 when they began preparing for the new technology. But those officials often have downplayed the risks compared to their global counterparts.
“Concerns over chip copying were raised and the probability of such an event discussed,” said a State Department memo from September 2003 that summarized discussions U.S. officials had with their international counterparts in London about creating a worldwide network of electronic passports.
That memo showed that authorities in other countries were far more worried than their U.S. counterparts about such threats as counterfeiting, alteration, imposters, data compromises, data skimming, and compromising the security keys that protected information on the new passports.
U.S. officials also initially opted against adding technology to prevent the e-Passport digital signal from being intercepted or skimmed.
“The U.S. position presented is that the risk is low enough that advanced anti-skimming techniques are not warranted at this time,” State officials wrote in September 2003.
That memo noted there was disagreement with the U.S. security assessment. “Other countries (most notably Germany) maintain that they need to address skimming before moving forward. UK, Canada and The Netherlands also presented concerns about skimming,” it said.
After a second international meeting in fall 2003, U.S. officials began to strengthen their position on data security. By the time e-Passports were officially being made in early 2007, U.S. officials had decided to insert a small piece of foil near the RFID transmitter to limit the distance in which its signal can be intercepted.
A person directly involved in the launch of the program, who spoke only on condition of anonymity, said time pressures and a desire to save money were initial security roadblocks in the development of the e-Passport, but asserted the challenges were overcome.
The Thailand Story
GPO officials said they ultimately outsourced the production of key components for the U.S. e-Passport because no American companies competed during the bidding process.
“Some of the very best components and technologies for the electronic passport do not reside in the United States,” Somerset said.
In the end, a German company, Infineon Technologies AG, was selected to be the main supplier of the embedded computer chip. The German company then selected SMARTRAC N.V. in The Netherlands as its subcontractor to perform some of the work at its plant in Thailand.
After workers there assemble the inlays, the inlays are shipped to Germany. Eventually, the full e-Passport is assembled in the United States at the main GPO headquarters in Washington or at a backup plant in Mississippi, officials said.
Security documents obtained by the Center show U.S. officials had immediate concerns about the SMARTRAC location in Thailand, a frequent site of civil unrest, after the work began in 2006 and 2007.
“Corruption exists at all levels” of Thai police and political leaders, security officials warned in internal documents, and the sprawling manufacturing complex where the factory is located has a weak security perimeter. In addition, “local police response is marginal at best” officials said in the documents.
Security inspectors raised concerns that the United States was relying on a single factory in a historically instable country to do the work. “The situation is further exacerbated by not having a direct contractual relationship with SMARTRAC,” GPO’s security officer wrote in a “risk assessment” of the Thai plant after his team and State Department diplomatic security officials visited the site in 2006 and 2007.
The GPO security office flagged the Thailand location as a “medium to high” risk and urged that GPO “exert as much influence as possible … to have all of their subcontractor inlay production moved to the U.S.”
“Aside from being a single point of failure, much additional risk is at play because this company is located in Thailand where the political environment could lead to a destabilization of the government,” one security report warned.
Over the last several weeks, that prediction has come true as “red shirt” protesters in Thailand have violently clashed with soldiers and police, creating a climate of fear, chaos and instability in Bangkok, as well as in Ayutthaya. Ayutthaya, which lies 50 miles north of Bangkok, has a population of about 60,000.
The security assessments showed SMARTRAC made efforts to address all U.S. concerns and tighten its physical security at the Thai plant over the years, but concerns remained.
“At present, this is a potential long-term risk to the USG interests,” one of the security reports stated, noting that many of the employees who worked at the Ayutthaya plant were not subject to full security clearances.
“Generally, the production personnel are not employees of the company,” the assessment warned. “The Thai culture is such that the interrogative nature of the clearance process would be viewed as personally invasive.”
A later report renewed that and other concerns while praising the company for making “substantial” security upgrades elsewhere. Still, its location remained a major issue.
“The industrial park does not provide any perimeter security or access security and it is therefore incumbent on each company to provide its own private security firm to control access and respond to alarms during off hours. Local police response is marginal to nonexistent for this location,” the risk assessment cautioned.
SMARTRAC said in a statement to the Center that its plant in Thailand passed a German security review that is “one of the strictest independent security certification processes” in the world and that the plant’s employees “undergo a background check to assure that highest security standards.”
The company said it could not divulge the other security measures it took “due to the sensitivity of government projects and the manufacturing of high security products,” but said the recent violence in Thailand did not affect the plant’s operations.
“Production and security standards in the security certified environment were running according to the established standards,” it said.
An ABC News crew that traveled to Thailand found the SMARTRAC factory located in an open industrial park whose entry lacks any security beyond a speed bump.
The e-Passport site is located at the end of a long cul-de sac and consists of two buildings. Each facility has a perimeter fence roughly six feet in height, and guards manually open and close gates for vehicles to enter.
Officials told ABC News that all e-Passport materials were moved in armored vehicles, but the crew saw only small white pickup trucks loading and unloading materials from the facility, which boasts several video cameras on the exterior of the building.
Two or three times a day, shift changes bring double-decker buses inside the gates. The buses load and unload workers, who flash picture ID’s to enter the grounds.
Robert Sheridan, a former investigator in the GPO inspector general’s office and a retired Customs Service agent, said the decision to allow e-Passport work inside Thailand was part of a “continual lapse of tighter security.” The situation could easily have been avoided if U.S. officials simply went to American manufacturers and asked them to make the parts even though they didn’t bid on the original contracts, he said.
The decision to let the work remain in Ayutthaya for four years was strikingly risky, he said, especially given that al-Qaida and other extremist groups have operated inside Thailand amidst its frequent political instability. For instance, the al-Qaida leader Hambali was captured in Ayutthaya in 2003.
“If they can find a way to compromise this new e-Passport, they will,” Sheridan said.
After years of defending its foreign supply chain, the GPO’s Tapella conceded in a speech in February that the agency had learned some valuable lessons, including the need to “reduce the possibility of locating supply chain functions in politically unstable regions.”