Exactly this. I had a look at ISO/IEC 15408 which defines the EALs and I wasn’t very impressed. Here are my observations:

1. The standard is full of acronyms and jargon. For example: the standard says that an Evaluation Assurance Level (EAL) is assigned to a Target of Evaluation (TOE) based on the Security Target (ST). The TOE implements TOE Security Functions (TSF) to meet the security requirements specified in the ST. Got that? Excessive use of such things is generally a sign that it’s intended to dissemble.

2. The EAL is meaningless without the Security Target (ST). The ST is basically a specification that lists the security properties of the TOE (the secure element to be assured in this case). From the standard:
 “A ST is a document that describes a specific TOE, the conformance claims applicable to the evaluation of the TOE, the security problem to be addressed, the security objectives for the TOE and its operational environment, the security requirements applicable to solving the stated security problem, and additional material necessary to describe the TOE sufficiently for evaluation. STs are generally based upon PPs or PP-Configurations that describe a security problem and security requirements for a TOE type that is relevant to the specific TOE.”

3. The assurance requirements are very vague, non-specific and of a functional nature. AFAICT there a no prescriptive methods identified to check for specific vulnerabilities.[/li][/list]


Given the above I am confident that that if a SE manufacturer claims an EAL level, but does not publish their Security Target (ST) specification in the public domain, then such claims are meaningless.