US Border Officials Have Never Verified Chipped Passports, Despite Demanding Their Usage

from the total-failures dept

Ron Wyden is at it again. Sending pesky letters to government officials who appear to be completely falling down on the job. The latest is asking Customs and Border Patrol why it's still not verifying the e-passport chips that have been in all US passports -- and in all countries on the visa waiver list -- since 2007 (hat tip to Zach Whittaker). The letter points out that the US government pushed hard for these chips... and then never bothered to check to make sure no one has tampered with them.

The U.S. government played a central role in the global adoption of e-Passports. These high-tech passports have smart chips--which store traveler information--and cryptographic signatures, an important security feature that verifies the validity and legitimacy of the passport and its issuing government agency. For more than a decade, the United States has required that countries on the visa-waiver list issue machine-readable e-Passports. Since 2015, the United States has further required that all visitors from countries on the visa-waiver list enter the United States with an e-Passport. Despite these efforts, CBP lacks the technical capabilities to verify e-Passport chips.

To be clear: it's not that CBP doesn't use the chips at all. It does download the info from the chips. But it ignores the cryptographic signatures and doesn't verify that the information hasn't been tampered with. Incredibly, the letter notes that CBP was informed of this problem all the way back in 2010 by the GAO, but has still not done anything about it.

CBP has deployed e-Passport readers at many ports of entry, which CBP personnel use to download data from the smart chips in e-Passports. However, CBP does not have the software necessary to authenticate the information stored on the e-Passport chips. Specifically, CBP cannot verify the digital signatures stored on the e-Passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged. CBP has been aware of this security lapse since at least 2010, when the Government Accountability Office (GAO) released a report highlighting the gap in technology. Eight years after that publication, CBP still does not possess the technological capability to authenticate the machine-readable data in e-Passports.

As with a number of recent letters that Wyden has been sending that touch on areas around the government falling down when it comes to encryption, I'm assuming that this latest one comes from the work that Chris Soghoian is doing since being hired full time to work for Senator Wyden. Soghoian spent years calling out bad encryption practices of all sorts of organizations in the past, and it's nice to see that he's now able to (hopefully) shame the government into doing things better as well.

Filed Under: cbp, e-passports, passports, ron wyden, smart chips, verification


Reader Comments

  1. hij, 23 Feb 2018 @ 11:50am

    They are practicing what they preach

    This seems entirely reasonable. The government wants back doors built in to encryption products, so it seems logical that they would want to do the same with authentication protocols. Although, in this case they may be confusing the idea of "back door" with "no door."

  2. Anonymous Coward, 23 Feb 2018 @ 12:04pm
    (This comment has been flagged by the community.)

    Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!

    Or are you now wanting this done?

  3. James Burkhardt, 23 Feb 2018 @ 12:26pm

    Re: Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!

    I have read this post several times, and I can't determine who you are arguing with, what you are arguing for/against, or what your opponent's position is. As such, I am flagging your post as lacking contributory value, and likely designed to Gotcha! posters arguing against their understanding of those factors and claim they are straw manning you, as trolls have enjoyed doing as of late.

  4. discordian_eris, 23 Feb 2018 @ 12:41pm

    LMFAO

    Sorry, laughing too danm hard to type right now.

  5. James Burkhardt, 23 Feb 2018 @ 12:44pm

    Re: Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!

    To provide insight to those reading the initial comment and failing to understand my logic (as those in opposition to Techdirt are wont to do), the subject seems to express an extreme position of anti-border control, and the body's generic pronoun subject, and vague question suggest the AC is trying to attack previous positions of TechDirt summarized in the title.

    Techdirt has never taken the expressed hardline position, and such a position is not addressed in the core of this post, which is to note that CBP can not currently verify passports. If the article makes no comment on if we should be verifying passports, but I feel the tone suggests we should.

    Therefore, if the AC was intending to make a point, it is hard to determine the point, given a lack of telepathy to read the AC's mind, I can't address any merits of his arguments, nor could others. So I have flagged the post.

  6. Anonymous Coward, 23 Feb 2018 @ 1:02pm

    you mean i could sneak information into and out of the country using a passport? dang. now you tell me.

  7. Anonymous Coward, 23 Feb 2018 @ 1:25pm

    Re: They are practicing what they preach

    Why doesn't CBP just ask the FBI to validate the certificates?

  8. Anonymous Coward, 23 Feb 2018 @ 1:25pm

    Re: Great! US has no right to limit immigration, verify passports -- heck, people don't even need one! Everyone should just be handed a goodies bag and first welfare check!

    Don't you have a cloud to yell at?

  9. That One Guy, 23 Feb 2018 @ 1:30pm

    "I didn't sign up to this job to do WORK!"

    "It is important, absolutely vital that this information be included!"

    "Does it matter if it's accurate?"

    "... eh, checking that sounds like a hassle, so not so much."

  10. That One Guy, 23 Feb 2018 @ 1:32pm

    Don't ask, you don't want to know

    I have read this post several times, and I can't determine who you are arguing with, what you are arguing for/against, or what your opponent's position is.

    TD and anyone who works there, anything the fictional TD in their head is against/for, and some hilariously inaccurate strawman position respectively.

  11. David, 23 Feb 2018 @ 2:47pm

    Think of it as less typing.

    Everybody knows that knuckle-draggers have trouble flopping their big hands on teeny tiny keyboards. The e-passports save all that effort.

    Of course, if the CBP isn't filled with fat fingered knuckle-draggers we have a different problem. Either they lack the conviction of their stated purpose with e-passports or they lack the ability to understand that they are failing their primary mission.

  12. Roger Strong, 23 Feb 2018 @ 2:49pm

    Re: "I didn't sign up to this job to do WORK!"

    "Does it matter if it's accurate?"

    It does to any self-respecting terrorist.

    If they go through all the hassle of rigging an RFID reader to a car bomb so that the next American passport that wanders past triggers it, they're not going to want it set off by an RFID code used to inventory bags of Doritos.

    Terrorists hate that.

  13. Anonymous Coward, 23 Feb 2018 @ 5:22pm

    "Responsible" chips. :)

  14. Pixelation, 23 Feb 2018 @ 5:49pm

    Why?

    These go to eleven.

  15. takitus, 23 Feb 2018 @ 9:57pm

    Incompetence

    Requiring people to carry encrypted ID info and doing nothing to authenticate this data is worse than providing no encryption at all.

    Depending on how seriously the CBP takes the data on these chips, this means a competent attacker with a few hours’ access to your password can put you on a no-fly list, or worse. At the very least, you will appear to have tampered with super-serious documents.

    This could provide a new definition for a popular, stupid idea: Responsible Encryption™—when our incompetent security measures fail, guess who’s responsible?

  16. Anonymous Coward, 24 Feb 2018 @ 11:18am

    Re: Incompetence

    Depending on how seriously the CBP takes the data on these chips, this means a competent attacker with a few hours’ access to your password can put you on a no-fly list, or worse. At the very least, you will appear to have tampered with super-serious documents.

    What do you mean? The point of this article is that they have no way to know that you tampered with the documents. (Unless they notice a discrepancy with the printed version.) If they were doing the proper checks, and your check failed, it would look worse.
