by Isolus 1118 days ago
I don't know anything about this particular case, but about these systems in general. They can work without any operator or network connection. They verify that you have a valid passport and that the taken image (face) matches the one stored in your passport. But for modern passports they use Extended Access Control which requires up to date terminal certificates to access the data (you have to update them in the range of days) and you can give these systems revocation lists and lists of unwanted persons. If any of this is not updated, they stop working.

> But for modern passports they use Extended Access Control which requires up to date terminal certificates to access the data (you have to update them in the range of days

Passports don't know the current time and thus can't tell whether the presented certificate is within its validity range (as in a malicious attacker could feed an expired certificate as well as a fake "current time" value to make it appear valid), so why are those certificates short-lived?

Whenever you present a certificate to the passport, its current time is updated by the "valid from" value if it's newer than the current time.

It's not perfect but if you started your trip in another country with such a system and where a more recent certificate was used, your passport will deny access.
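
The date-approximation rule described in the replies above, as an added sketch that is not part of the thread or of any passport vendor's code. The class names, gate names and dates are constructed, and certificate signature and chain verification is assumed to have already succeeded before `present()` is called.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TerminalCert:
    holder: str        # constructed terminal name
    effective: date    # "valid from"
    expiry: date       # "valid until"


class PassportChip:
    """A chip with no clock: it remembers only the newest date it has seen."""

    def __init__(self, issued: date):
        # Approximation of "now"; it can only move forward.
        self.current_date = issued

    def present(self, cert: TerminalCert) -> bool:
        # Assumption: signature and chain checks passed before this point.
        if cert.expiry < self.current_date:
            return False  # expired relative to what the chip has seen
        if cert.effective > self.current_date:
            self.current_date = cert.effective  # ratchet forward
        return True


def simulate():
    chip = PassportChip(issued=date(2020, 1, 1))
    # Constructed one-week terminal certificates.
    stale = TerminalCert("gate-A", date(2021, 3, 1), date(2021, 3, 8))
    fresh = TerminalCert("gate-B", date(2021, 6, 1), date(2021, 6, 8))

    results = [
        chip.present(stale),  # chip last saw 2020-01-01, so it accepts
        chip.present(fresh),  # accepted, chip date moves to 2021-06-01
        chip.present(stale),  # now provably expired, so it is refused
    ]
    return results, chip.current_date


if __name__ == "__main__":
    outcome, chip_date = simulate()
    print(outcome, chip_date)
```

The first call shows the limit raised in the question: a chip that has not seen a newer certificate cannot tell the stale one has expired. Short validity periods narrow how long a certificate stays usable once the chip has been presented with anything more recent.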