US Border Officials Have Never Verified Chipped Passports, Despite Demanding Their Usage
from the total-failures dept
Ron Wyden is at it again. Sending pesky letters to government officials who appear to be completely falling down on the job. The latest is asking Customs and Border Patrol why it’s still not verifying the e-passport chips that have been in all US passports — and in all countries on the visa waiver list — since 2007 (hat tip to Zach Whittaker). The letter points out that the US government pushed hard for these chips… and then never bothered to check to make sure no one has tampered with them.
The U.S. government played a central role in the global adoption of e-Passports. These high-tech passports have smart chips–which store traveler information–and cryptographic signatures, an important security feature that verifies the validity and legitimacy of the passport and its issuing government agency. For more than a decade, the United States has required that countries on the visa-waiver list issue machine-readable e-Passports. Since 2015, the United States has further required that all visitors from countries on the visa-waiver list enter the United States with an e- Passport. Despite these efforts, CBP lacks the technical capabilities to verify e-Passport chips.
To be clear: it’s not that CBP doesn’t use the chips at all. It does download the info from the chips. But it ignores the cryptographic signatures and doesn’t verify that the information hasn’t been tampered with. Incredibly, the letter notes that CBP was informed of this problem all the way back in 2010 by the GAO, but has still not done anything about it.
CBP has deployed e-Passport readers at many ports of entry, which CBP personnel use to download data from the smart chips in e-Passports. However, CBP does not have the software necessary to authenticate the information stored on the e-Passport chips. Specifically, CBP cannot verify the digital signatures stored on the e-Passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged. CBP has been aware of this security lapse since at least 2010, when the Government Accountability Office (GAO) released a report highlighting the gap in technology. Eight years after that publication, CBP still does not possess the technological capability to authenticate the machine-readable data in e-Passports.
As with a number of recent letters that Wyden has been sending that touch on areas around the government falling down when it comes to encryption, I’m assuming that this latest one comes from the work that Chris Soghoian is doing since being hired full time to work for Senator Wyden. Soghoian spent years calling out bad encryption practices of all sorts of organizations in the past, and it’s nice to see that he’s now able to (hopefully) shame the government into doing things better as well.
Filed Under: cbp, e-passports, passports, ron wyden, smart chips, verification
Comments on “US Border Officials Have Never Verified Chipped Passports, Despite Demanding Their Usage”
They are practicing what they preach
This seems entirely reasonable. The government wants back doors built in to encryption products, so it seems logical that they would want to do the same with authentication protocols. Although, in this case they may be confusing the idea of “back door” with “no door.”
Re: They are practicing what they preach
Why doesn’t CBP just ask the FBI to validate the certificates?
Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!
Or are you now wanting this done?
Re: Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!
I have read this post several times, and I can’t determine who you are arguing with, what you are arguing for/against, or what your opponents position is. As such, I am flagging your post as lacking contributory value, and likely designed to Gotcha! posters arguing against their understanding of those factors and claim they are straw manning you, as trolls have enjoyed doing as of late.
Re: Re: Don't ask, you don't want to know
I have read this post several times, and I can’t determine who you are arguing with, what you are arguing for/against, or what your opponents position is.
TD and anyone who works there, anything the fictional TD in their head is against/for, and some hilariously inaccurate strawman position respectively.
Re: Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!
To provide insight to those reading the initial comment and failing to understand my logic (as those in opposition to Techdirt are want to do), the subject seems to express an extreme position of anti-bornder control, and the body’s generic pronoun subject, and vague question suggest the AC is trying to attack previous positions of TechDirt summarized in the title.
Techdirt has never taken the expressed hardline position, and such a position is not addressed in the core of this post, which is to note that CBP can not currently verify passports. If the article makes no comment on if we should be verifying passports, but I feel the tone suggests we should.
Therefore, if the AC was intending to make a point, it is hard to determine the point, given a lack of telepathy to read the AC’s mind, I can’t address any merits of his arguments, nor could others. So I have flagged the post.
Re: Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!
Don’t you have a cloud to yell at?
LMFAO
Sorry, laughing too danm hard to type right now.
you mean i could sneak information into and out of the country using a passport? dang. now you tell me.
"I didn't sign up to this job to do WORK!"
"It is important, absolutely vital that this information be included!"
"Does it matter if it’s accurate?"
"… eh, checking that sounds like a hassle, so not so much."
Re: "I didn't sign up to this job to do WORK!"
It does to any self-respecting terrorist.
If they go through all the hassle of rigging an RFID reader to a car bomb so that the next American passport that wanders past triggers it, they’re not going to want it set off by an RFID code used to inventory bags of Doritos.
Terrorists hate that.
Think of it as less typing.
Everybody knows that knuckle-draggers have trouble flopping their big hands on teeny tiny keyboards. The e-passports save all that effort.
Of course, if the CBP isn’t filled with fat fingered knuckle-draggers we have a different problem. Either they lack the conviction of their stated purpose with e-paasports or they lack the ability to understand that they are failing their primary mission.
“Responsible” chips. 🙂
Why?
These go to eleven.
Incompetence
Requiring people to carry encrypted ID info and doing nothing to authenticate this data is worse than providing no encryption at all.
Depending on how seriously the CBP takes the data on these chips, this means a competent attacker with a few hours’ access to your password can put you on a no-fly list, or worse. At the very least, you will appear to have tampered with super-serious documents.
This could provide a new definition for a popular, stupid idea: Responsible Encryption™—when our incompetent security measures fail, guess who’s responsible?
Re: Incompetence
What do you mean? The point of this article is that they have no way to know that you tampered with the documents. (Unless they notice a discrepancy with the printed version.) If they were doing the proper checks, and your check failed, it would look worse.