Slashdot Mirror


US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com)

An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CBP) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."

  1. Bet they were able to get it budgeted though by grasshoppa · · Score: 5, Insightful

    How much do you want to bet that they were able to get a "solution" budgeted every year?

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Bet they were able to get it budgeted though by Hal_Porter · · Score: 5, Insightful

      Isn't that a bit of a security risk?

      E.g. this app requires you enter a bunch of data. And then it scans your passport

      https://play.google.com/store/...

      At which point it knows everything about you. What's to stop it sending the data off to someone who sells it on the internet to identity thieves?

      If it was some pure open source thing I might trust it. However even though this library is open source

      http://jmrtd.org/ ... The ReadID app is not. So you don't know what they do with the data they collect.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  2. We all know it's security theatre by Anonymous Coward · · Score: 5, Insightful

    This episode of security theatre is brought to you by CBP (Customs and Border Patrol) part of the larger circus called the DHS (Department of Homeland Security) which is now the largest federal law enforcement agency. We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane. Someone should start a Dilbert-like DHS comic strip and make T-Shirts we people can wear when going through security.

    1. Re:We all know it's security theatre by Somebody+Is+Using+My · · Score: 3, Insightful

      Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.

      How do we know they never missed on record? Is it because they told us they never missed? It seems like this might be similar to the difference between open-source and closed-source code; the former might seem less secure because there are lots of bug reports and patches, but that doesn't really tell us anything about the state of the latter. Similarly, it might very well be that the private security was just as much theater as the government's attempts, but a lack of transparency made it easier for them to hide their failings.

      Honestly, I don't know either way. I am just hesitant to believe that the private industry's record was really any better. I'd be curious if there was any information on the topic.

  3. Re: Shhhh! Don't talk about this security lapse by guruevi · · Score: 1, Insightful

    Forgers have known about this just as long. And even if you get it to work eventually, the encryption on the chips themselves has been proven easy to crack for many years.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  4. Re:Also easily replicated by 93+Escort+Wagon · · Score: 4, Insightful

    Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.

    The point isn’t to make passports truly secure in the eyes of a technically literate person - the point is to make them “secure” within the level of understanding possessed by the average politician.

    You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.

    --
    #DeleteChrome
  5. So? by PopeRatzo · · Score: 2, Insightful

    US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software

    And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.

    Maybe that "foreign terrorist" threat isn't nearly as bad as we were told? Maybe we have more to worry about from other Americans than we do foreign terrorists?

    --
    You are welcome on my lawn.