US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com)

← Back to Stories (view on slashdot.org)

US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com)

Posted by BeauHD on Thursday February 22, 2018 @03:30PM from the update-required dept.

An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CPB) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."

25 of 141 comments (clear)

Min score:

Reason:

Sort:

Bet they were able to get it budgeted though by grasshoppa · 2018-02-22 15:40 · Score: 5, Insightful

How much do you want to bet that they were able to get a "solution" budgeted every year?

--
Mod me down with all of your hatred and your journey towards the dark side will be complete!
1. Re:Bet they were able to get it budgeted though by jrumney · 2018-02-22 16:36 · Score: 2
  
  Meanwhile, I have a free app on my phone that is able to verify the signatures on any ICAO compliant NFC passport or identity card.
2. Re:Bet they were able to get it budgeted though by Hal_Porter · 2018-02-22 17:08 · Score: 5, Insightful
  
  Isn't that a bit of a security risk?
  E.g. this app requires you enter a bunch of data. And then it scans your passport
  https://play.google.com/store/...
  At which point it knows everything about you. What's to stop is sending the data off to someone who sells it on the internet to identity thieves?
  If it was some pure open source thing I might trust it. However even though this library is open source
  http://jmrtd.org/ ... The ReadID app is not. So you don't know what they do with the data they collect.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
3. Re: Bet they were able to get it budgeted though by Type44Q · 2018-02-23 02:22 · Score: 2
  
  So pretty much the same way that a large truck would be stopped by a sheet of newspaper blowing in the wind?
4. Re:Bet they were able to get it budgeted though by AuMatar · 2018-02-23 08:03 · Score: 2
  
  The reputation of a random company nobody has ever heard of before? Yeah, not downloading that shit.
  
  --
  I still have more fans than freaks. WTF is wrong with you people?
We all know it's security theatre by Anonymous Coward · 2018-02-22 15:44 · Score: 5, Insightful

This episode of security theatre is brought to you by CBP (Customs and Border Patrol) part of the larger circus called the DHS (Department of Homeland Security) which is now the largest federal law enforcement agency. We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane. Someone should start a Dilbert-like DHS comic strip and make T-Shirts we people can wear when going through security.
1. Re:We all know it's security theatre by AvitarX · 2018-02-22 16:51 · Score: 2
  
  But but, let's replace the private companies that didn't let anything in appropriate through.
  Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
2. Re:We all know it's security theatre by jrumney · 2018-02-22 16:56 · Score: 5, Interesting
  
  That's not a security hole, it is published in the ISO standard that the passports are based on. The data that you get access to by using the key derived from info from the details page is the same info that is on the details page. If you can see the details page to get the key, you can see all that info anyway (except in my case they printed the photo on my passport in black and white, but have the color version on the chip). To verify that information is not forged, it is signed by a certificate of the government that produces it, and it is this that the US system is apparently failing to verify, and this is not something you can forge simply by knowing how to derive the symmetric encryption key that hides your data from people scanning your closed passport as you walk past in the airport.
3. Re:We all know it's security theatre by _Sharp'r_ · 2018-02-22 20:41 · Score: 5, Informative
  
  I recall (living in the DC area at the time of 9/11 and working next to Dulles, so it wasn't exactly a distant concern at the time) that Bush and the Republicans in Congress wanted enhanced private security, but the Democrats would only join them in voting for it if it used government workers, so to get it at all (which I wouldn't have voted for, but that's another discussion) they caved to the Democrats on the issue.
  So while Bush was the President at the time, it's not like he was a dictator. To say it was Bush's idea to use government employees for security isn't accurate. At most, he went along with the Democrats on it.
  
  --
  The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
4. Re:We all know it's security theatre by PolygamousRanchKid+ · 2018-02-22 21:54 · Score: 2
  
  We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane.
  
  The entire DHS airport security checks could be replaced with cocktail wieners.
  Just have a tray of them at every airport gate. Passengers wishing to fly would be required to eat a cocktail wiener before boarding the plane. Islamic terrorist would refuse to eat the cocktail wiener, and could thus be filtered out easily and efficiently.
  But no, the DHS folks are only interested in building an empire for themselves by wasting mountains of taxpayer money.
  
  --
  Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
5. Re:We all know it's security theatre by Anonymous Coward · 2018-02-23 01:24 · Score: 4, Interesting
  
  And?
  Of course you can clone them, cryptographically signed data is still nothing more than data.
  Signatures only serve to prove the plain-text data is bit-for-bit identical when verified using the public key, compared to when it was signed with the private key.
  Nothing more.
  If you have a forged passport with unsigned data, you can clone that and end up with another forged passport with unsigned data.
  If you have a valid passport with signed data, you can clone that and end up with another valid passport with signed data.
  All the signature does is prove if the governments private key signed the data and that the data hasn't been modified.
  Cloning doesn't modify the data so of course cloning won't break the signature.
  You still need a legit passport with signed data to clone in the first place.
  The signature prevents you from putting your own newly made data on the thing and being able to claim it is valid.
6. Re:We all know it's security theatre by Somebody+Is+Using+My · 2018-02-23 02:10 · Score: 3, Insightful
  
  Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.
  How do we know they never missed on record? Is it because they told us they never missed? It seems like this might be similar to the difference between open-source and closed-source code; the former might seem less secure because there are lots of bug reports and patches, but that doesn't really tells us anything about the state of the latter. Similarly, it might very well be that the private security was just as much theater as the government's attempts, but a lack of transparency made it easier for them to hide their failings.
  Honestly, I don't know either way. I am just hesitant to believe that the private industry's record was really any better. I'd be curious if there was any information on the topic.
7. Re:We all know it's security theatre by Darinbob · 2018-02-23 07:22 · Score: 2
  
  There aren't "passwords" here. This is a signed data. There is a public and a private key, the private key must be kept secret but the public key is intended to be shared and available. By using the public key anyone can verify that the data was properly signed by the holder of the secret private key. Ie, encrypt using the private key, but decrypt using the public key.
  The data itself need not necessarily be encrypted, because it merely shows what is visible on the passport. But the signing process uses cryptography as a means of tamper protection (change one byte and the signature fails to validate), and that authentication must be done because otherwise it is a very simple matter to rewrite or replace that chip.
  The general public should be able to do the same thing, ie, verify that the data on your passport is correct and properly signed.
The passport checkers may as well have stayed home by kriston · 2018-02-22 16:17 · Score: 2

All of those passport checkers may as well have stayed home for the past ten years.

--
Kriston
Also easily replicated by Antique+Geekmeister · 2018-02-22 16:19 · Score: 5, Informative

There was an interesting e-passport replication technology reported at the "Black Hat" security conference in 2006 So far as I know, this replication approach has never been disabled
https://www.theregister.co.uk/...
RFID chips are, by their nature, kept very inexpensive and easy to read. Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.
1. Re:Also easily replicated by 93+Escort+Wagon · 2018-02-22 16:56 · Score: 4, Insightful
  
  Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.
  The point isn’t to make passports truly secure in the eyes of a technically literate person - the point is to make them “secure” within the level of understanding posessed by the average politician.
  You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.
  
  --
  #DeleteChrome
2. Re:Also easily replicated by jrumney · 2018-02-22 17:11 · Score: 5, Informative
  
  Sure, its easily replicated, but the data has your photo, among other things which are easily verified by the border agent against the person standing in front of them. So replicating it isn't all that useful if you are trying to produce a passport that someone not authorized to have that passport can use. You need to modify the data on it, which breaks the digital signature. Only if border security is not properly verifying the signatures does this become useful for nefarious purposes.
3. Re:Also easily replicated by SirSlud · 2018-02-22 18:54 · Score: 2
  
  Replicating a passport is far less of an issue than writing a new one whole cloth.
  
  --
  "Old man yells at systemd"
4. Re:Also easily replicated by cliffjumper222 · 2018-02-22 19:16 · Score: 2
  
  Cloning is possible. However, in this case, the digital signature is not even being checked of the data. So, right now, you can create complete forgeries without the private key (or certificate) required. If they actually started to check signatures, which let's face it, software should be able to do easily today (I wonder why it's never been implemented), then you would have to match the details on the written passport exactly and you'd have to be a clone of another passport holder. That is a far higher bar to get over.
Re: Shhhh! Don't talk about this security lapse by jrumney · 2018-02-22 17:01 · Score: 2

The encryption is published in an ISO standard, so "cracking" it is the domain of snakeoil salesmen. The issue here is not the encryption, it is the digital signatures, and I can assure you that other countries are not as incompetent as the US's Homeland Security in this respect.
Comment removed by account_deleted · 2018-02-22 17:17 · Score: 2

Comment removed based on user account deletion
Comment removed by account_deleted · 2018-02-22 17:24 · Score: 2

Comment removed based on user account deletion
So? by PopeRatzo · 2018-02-22 17:37 · Score: 2, Insightful

US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software

And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.
Maybe that "foreign terrorist" threat isn't nearly as bad as we were told? Maybe we have more to worry about from other Americans than we do foreign terrorists?

--
You are welcome on my lawn.
1. Re:So? by Anonymous Coward · 2018-02-23 04:13 · Score: 2, Informative
  
  And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.
  Maybe that "foreign terrorist" threat isn't nearly as bad as we were told? Maybe we have more to worry about from other Americans than we do foreign terrorists?
  It isn't zero... "Six Iranians, six Sudanese, two Somalis, two Iraqis, and one Yemeni have been convicted of attempting or executing terrorist attacks on U.S. soil during that time period"
  According to this article arguing against the travel ban: https://www.theatlantic.com/international/archive/2017/01/trump-immigration-ban-terrorism/514361/
  Also, this issue isn't just about terrorism, but also more likely criminals coming to the US. The numbers of criminals coming to the US is well above 0.
2. Re:So? by blindseer · 2018-02-23 06:54 · Score: 2
  
  And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.
  Why should they have to sneak in when they can walk in the front door?
  The people that planted a bomb at the Boston Marathon were immigrants. They had their "papers in order", and it was their immigration registration records that allowed the police to identify them so quickly.
  The Boston Marathon bombing was a terrorist act on American soil by foreign actors. That is just one of many examples. There have been many acts of terrorism on Americans by immigrants. Some more successful than others. Some using firearms, some with knives, some using vehicles as weapons, some using improvised explosives.
  Now, not all immigrants are terrorists. I should not have to say that as it should be obvious but if we had some better controls on who enters the nation then we'd see less of this. Also, not all terrorists are immigrants. This should also not require being pointed out. What seems clear though is that immigrants are more likely to commit terrorist acts and other crimes than native born Americans.
  Those that did sneak through the borders to get into the USA have broken the law by the very fact of sneaking past the border. Once here they seem to have little respect for other laws. They will drive without a license, insurance, or registering their vehicle. They will work under falsified papers. They will drive while drunk. They will steal, rape, and murder. Assuming it is true that people sneaking across the border have not done anything that may be considered an act of terrorism we do know that they are not saints, they have broken the law by the act of entering the nation without permission, and have a high probability of further breaking the law.
  If we have more to worry about from native born terrorists than foreign born then it is only because In the USA there are far more people native born than those not. Immigrants have a much higher tendency to break the law than native born Americans, whether they came in the front door or not. Knowing that therefore it may be wise to reduce the number of immigrants and demand that the immigrants we do allow in must be of very high moral character.
  
  --
  I am armed because I am free. I am free because I am armed.