US Border Patrol Hasn’t Validated E-Passport Data For Years
• Author: Lily Hay Newman
• 07:08 pm
US Customs and Border Patrol hasn't been verifying the cryptographic signatures
on e-Passports—because they never installed the right software.

Passports, like any physical ID, can be altered and forged. That's partly why
for the last 11 years the United States has put RFID chips in the back panel of
its passports, creating so-called e-Passports. The chip stores your passport
information—like name, date of birth, passport number, your photo, and even a
biometric identifier—for quick, machine-readable border checks. And while
e-Passports also store a cryptographic signature to prevent tampering or
forgeries, it turns out that despite having over a decade to do so, US Customs
and Border Protection hasn't deployed the software needed to actually verify it.

This means that since as far back as 2006, a skilled hacker could alter the
data on an e-Passport chip—like the name, photo, or expiration date—without
fear that signature verification would alert a border agent to the changes.
That could theoretically be enough to slip into countries that allow
all-electronic border checks, or even to get past a border patrol agent into

"The idea of these things is that they’re supposed to provide some additional
electronic security over a standard passport, which can be forged using
traditional techniques," says Matthew Green, a cryptographer at Johns Hopkins
University. "The digital signature would provide that guarantee. But if it’s
not checked it doesn’t."

A letter to CBP on Thursday from senators Ron Wyden of Oregon and Claire
McCaskill of Missouri highlights this crucial shortcoming. More than 100
countries now offer passports that come with a digital chip, and fewer than
half of those include the capability to verify the integrity of data using a
digital signature. But Wyden and McCaskill stress that while the US demands
that countries in the Visa Waiver program put a chip in their passports, it has
failed to fully realize its own e-Passport program.

"CBP does not have the software necessary to authenticate the information
stored on the e-Passport chips," the two Senators wrote. "Specifically, CBP
cannot verify the digital signatures stored on the e-Passport, which means that
CBP is unable to determine if the data stored on the smart chips has been
tampered with or forged."
Infowarrior mailing list