That microchipped e-passport you've got? US border cops still can't verify the data in it
Despite demanding world+dog gets one, Uncle Sam lacks tools to check crypto-signatures
Two Democratic US senators have formally asked Uncle Sam's Customs and Border Protection (CBP) agency to get its act together on electronic passports.
In 2005, America began issuing passports with implanted machine-readable RFID chips that contain the traveler's personal information. This data is cryptographically signed so that if the information is later altered, these changes can be detected and stern questions asked. Also, counterfeit passports should be obvious because they won't have a valid digital signature.
Two years later, the US government ordered countries in its visa waiver program to also embed this chip technology in their own passports.
Just one little problem, though: the CBP couldn't, and still can't, actually process the digital signatures in the passport chips, and thus verify if the information hasn't been tampered with or completely made up.
To be clear: America's border cops can wirelessly read a traveler's personal data from the implanted chip. The officials just don't have the tools to check if the records are, you know, legit, and therefore check whether a person queuing to enter the Land of the Free is who they say they are, when using this embedded tech.
And this has been the case for at least the past decade.
"CBP does not have the software necessary to authenticate the information stored on the e-passport chips," Senators Ron Wyden (D-OR) and Claire McCaskill (D-MO) wrote in a letter sent to CBP's top brass today.
"Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged."
Back in 2010, the US Government Accountability Office noted that CBP still hadn't bought the software to verify the e-passport chips contained the correct information, and nothing has changed since. When the usually grim-faced CBP officer scans your passport today, there's no way to verify the integrity of the chip's data.
“It is past time for CBP to utilize the digital security features it required be built into e-Passports,” Wyden and McCaskill thundered.
The senators asked the CBP to work with the government's General Services Administration to build a budget for introducing the software needed to make the e-passport system work as intended – and they want to see a concrete plan for its introduction by January 1 next year.
CBP had no comment at time of publication. ®
Sponsored: Becoming a Pragmatic Security Leader