Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com)

Posted by BeauHD on from the update-required dept.

An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CPB) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."

1 of 141 comments (clear)

  1. Re:We all know it's security theatre by jrumney · · Score: 5, Interesting

    That's not a security hole, it is published in the ISO standard that the passports are based on. The data that you get access to by using the key derived from info from the details page is the same info that is on the details page. If you can see the details page to get the key, you can see all that info anyway (except in my case they printed the photo on my passport in black and white, but have the color version on the chip). To verify that information is not forged, it is signed by a certificate of the government that produces it, and it is this that the US system is apparently failing to verify, and this is not something you can forge simply by knowing how to derive the symmetric encryption key that hides your data from people scanning your closed passport as you walk past in the airport.