US Border Officials Have Never Verified Chipped Passports, Despite Demanding Their Usage
from the total-failures dept
Ron Wyden is at it again. Sending pesky letters to government officials who appear to be completely falling down on the job. The latest is asking Customs and Border Patrol why it's still not verifying the e-passport chips that have been in all US passports -- and in all countries on the visa waiver list -- since 2007 (hat tip to Zach Whittaker). The letter points out that the US government pushed hard for these chips... and then never bothered to check to make sure no one has tampered with them.
The U.S. government played a central role in the global adoption of e-Passports. These high-tech passports have smart chips--which store traveler information--and cryptographic signatures, an important security feature that verifies the validity and legitimacy of the passport and its issuing government agency. For more than a decade, the United States has required that countries on the visa-waiver list issue machine-readable e-Passports. Since 2015, the United States has further required that all visitors from countries on the visa-waiver list enter the United States with an e- Passport. Despite these efforts, CBP lacks the technical capabilities to verify e-Passport chips.
To be clear: it's not that CBP doesn't use the chips at all. It does download the info from the chips. But it ignores the cryptographic signatures and doesn't verify that the information hasn't been tampered with. Incredibly, the letter notes that CBP was informed of this problem all the way back in 2010 by the GAO, but has still not done anything about it.
CBP has deployed e-Passport readers at many ports of entry, which CBP personnel use to download data from the smart chips in e-Passports. However, CBP does not have the software necessary to authenticate the information stored on the e-Passport chips. Specifically, CBP cannot verify the digital signatures stored on the e-Passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged. CBP has been aware of this security lapse since at least 2010, when the Government Accountability Office (GAO) released a report highlighting the gap in technology. Eight years after that publication, CBP still does not possess the technological capability to authenticate the machine-readable data in e-Passports.
As with a number of recent letters that Wyden has been sending that touch on areas around the government falling down when it comes to encryption, I'm assuming that this latest one comes from the work that Chris Soghoian is doing since being hired full time to work for Senator Wyden. Soghoian spent years calling out bad encryption practices of all sorts of organizations in the past, and it's nice to see that he's now able to (hopefully) shame the government into doing things better as well.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cbp, e-passports, passports, ron wyden, smart chips, verification
Reader Comments
Subscribe: RSS
View by: Time | Thread
They are practicing what they preach
[ link to this | view in chronology ]
Re: They are practicing what they preach
[ link to this | view in chronology ]
Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!
[ link to this | view in chronology ]
Re: Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!
[ link to this | view in chronology ]
Don't ask, you don't want to know
I have read this post several times, and I can't determine who you are arguing with, what you are arguing for/against, or what your opponents position is.
TD and anyone who works there, anything the fictional TD in their head is against/for, and some hilariously inaccurate strawman position respectively.
[ link to this | view in chronology ]
Re: Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!
Techdirt has never taken the expressed hardline position, and such a position is not addressed in the core of this post, which is to note that CBP can not currently verify passports. If the article makes no comment on if we should be verifying passports, but I feel the tone suggests we should.
Therefore, if the AC was intending to make a point, it is hard to determine the point, given a lack of telepathy to read the AC's mind, I can't address any merits of his arguments, nor could others. So I have flagged the post.
[ link to this | view in chronology ]
Re: Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!
[ link to this | view in chronology ]
LMFAO
[ link to this | view in chronology ]
[ link to this | view in chronology ]
"I didn't sign up to this job to do WORK!"
"It is important, absolutely vital that this information be included!"
"Does it matter if it's accurate?"
"... eh, checking that sounds like a hassle, so not so much."
[ link to this | view in chronology ]
Re: "I didn't sign up to this job to do WORK!"
It does to any self-respecting terrorist.
If they go through all the hassle of rigging an RFID reader to a car bomb so that the next American passport that wanders past triggers it, they're not going to want it set off by an RFID code used to inventory bags of Doritos.
Terrorists hate that.
[ link to this | view in chronology ]
Think of it as less typing.
Of course, if the CBP isn't filled with fat fingered knuckle-draggers we have a different problem. Either they lack the conviction of their stated purpose with e-paasports or they lack the ability to understand that they are failing their primary mission.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Why?
[ link to this | view in chronology ]
Incompetence
Requiring people to carry encrypted ID info and doing nothing to authenticate this data is worse than providing no encryption at all.
Depending on how seriously the CBP takes the data on these chips, this means a competent attacker with a few hours’ access to your password can put you on a no-fly list, or worse. At the very least, you will appear to have tampered with super-serious documents.
This could provide a new definition for a popular, stupid idea: Responsible Encryption™—when our incompetent security measures fail, guess who’s responsible?
[ link to this | view in chronology ]
Re: Incompetence
What do you mean? The point of this article is that they have no way to know that you tampered with the documents. (Unless they notice a discrepancy with the printed version.) If they were doing the proper checks, and your check failed, it would look worse.
[ link to this | view in chronology ]