Article 3GM5G US Border Officials Have Never Verified Chipped Passports, Despite Demanding Their Usage

US Border Officials Have Never Verified Chipped Passports, Despite Demanding Their Usage

by
Mike Masnick
from Techdirt on (#3GM5G)
Story Image

Ron Wyden is at it again. Sending pesky letters to government officials who appear to be completely falling down on the job. The latest is asking Customs and Border Patrol why it's still not verifying the e-passport chips that have been in all US passports -- and in all countries on the visa waiver list -- since 2007 (hat tip to Zach Whittaker). The letter points out that the US government pushed hard for these chips... and then never bothered to check to make sure no one has tampered with them.

The U.S. government played a central role in the global adoption of e-Passports. These high-techpassports have smart chips--which store traveler information--and cryptographic signatures, animportant security feature that verifies the validity and legitimacy of the passport and its issuinggovernment agency. For more than a decade, the United States has required that countries on thevisa-waiver list issue machine-readable e-Passports. Since 2015, the United States has furtherrequired that all visitors from countries on the visa-waiver list enter the United States with an e-Passport. Despite these efforts, CBP lacks the technical capabilities to verify e-Passport chips.

To be clear: it's not that CBP doesn't use the chips at all. It does download the info from the chips. But it ignores the cryptographic signatures and doesn't verify that the information hasn't been tampered with. Incredibly, the letter notes that CBP was informed of this problem all the way back in 2010 by the GAO, but has still not done anything about it.

CBP has deployed e-Passport readers at many ports of entry, which CBP personnel use todownload data from the smart chips in e-Passports. However, CBP does not have the softwarenecessary to authenticate the information stored on the e-Passport chips. Specifically, CBPcannot verify the digital signatures stored on the e-Passport, which means that CBP is unable todetermine if the data stored on the smart chips has been tampered with or forged. CBP has beenaware of this security lapse since at least 2010, when the Government Accountability Office(GAO) released a report highlighting the gap in technology. Eight years after that publication,CBP still does not possess the technological capability to authenticate the machine-readable datain e-Passports.

As with a number of recent letters that Wyden has been sending that touch on areas around the government falling down when it comes to encryption, I'm assuming that this latest one comes from the work that Chris Soghoian is doing since being hired full time to work for Senator Wyden. Soghoian spent years calling out bad encryption practices of all sorts of organizations in the past, and it's nice to see that he's now able to (hopefully) shame the government into doing things better as well.



Permalink | Comments | Email This Story
External Content
Source RSS or Atom Feed
Feed Location https://www.techdirt.com/techdirt_rss.xml
Feed Title Techdirt
Feed Link https://www.techdirt.com/
Reply 0 comments