US border agents haven’t verified e-passport data for over 10 years

E-passports – high-tech passports with chips to store traveler information and cryptographic hashes to verify that the passports haven’t been forged or otherwise tampered with – have been required for more than 10 years to get into the US if you’re coming from one of the 38 countries on the visa-waiver list.

Of course, there are readers at many ports of entry so that US Customs and Border Protection (CBP) can read the e-passports. That makes sense: after all, the US is the country that pushed for e-passport global adoption following the terrorist attacks of 9/11.

Too bad CBP agents don’t actually have the software necessary to discern whether the information on those high-tech passports is or is not a machine-readable load of hooey.

Two senators last week revealed that the CBP has been aware of its inability to authenticate the data stored on the e-passport chips since at least 2010, when the Government Accountability Office (GAO) released a report about how to better use e-passport security features, including the cryptographic signature that’s designed to make it near-impossible to forge a travel document or steal someone’s identity.

The news about the security failing came to light on Thursday when the two senators, Ron Wyden (D-OR) and Claire McCaskill (D-MO), sent a letter demanding that the CBP “immediately” start using the anti-forgery and anti-tamper feature in e-passports. The letter was addressed to CBP acting commissioner Kevin K. McAleenan.

Despite border agents using e-passport readers at “most” ports of entry, the senators said…

CBP does not have the software necessary to authenticate the information stored on the e-passport chips.

Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged.

As it is now, reading the e-passports amounts to security theater, given that there’s no verification of the data.
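What the missing check amounts to, as an added example that is not from the article or from any CBP system: a reader that only displays chip data, beside one that checks each data group against a signed list of hashes. The chip layout, the DG1/DG2 labels and sample contents, and the toy textbook-RSA key standing in for the issuing country's signing key are all assumptions of this sketch.

```python
import hashlib

# Toy issuer key (constructed): textbook RSA over two Mersenne primes, standing
# in for the issuing state's real signing key. Illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the issuer

def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def to_int(hashes: dict) -> int:
    """Digest of the canonical hash list; this is the value that gets signed."""
    listing = "\n".join(f"{k}:{hashes[k]}" for k in sorted(hashes)).encode()
    return int.from_bytes(hashlib.sha256(listing).digest(), "big")

def issue(groups: dict) -> dict:
    """Issuer side: hash each data group, then sign the list of hashes."""
    hashes = {name: sha(data) for name, data in groups.items()}
    return {"groups": dict(groups), "hashes": hashes,
            "sig": pow(to_int(hashes), D, N)}

def read_only(chip: dict) -> str:
    """A reader without verification software: shows whatever the chip holds."""
    return chip["groups"]["DG1"].decode()

def verify(chip: dict) -> list:
    """Return the list of failures; an empty list means the data is authentic."""
    problems = []
    if pow(chip["sig"], E, N) != to_int(chip["hashes"]):
        problems.append("signature over hash list invalid")
    for name, data in chip["groups"].items():
        if chip["hashes"].get(name) != sha(data):
            problems.append(f"{name} does not match signed hash")
    return problems

# Constructed sample chips (labels DG1/DG2 and contents are assumptions).
genuine = issue({"DG1": b"P<UTOEXAMPLE<<ALEX", "DG2": b"constructed photo bytes"})
# Holder data changed after issuance, signed hash list left as it was.
altered = {**genuine, "groups": {**genuine["groups"], "DG1": b"P<UTOOTHER<<NAME"}}
# Hash list recomputed to match the changed data; the issuer's signature is not.
rehashed = {**altered, "hashes": {k: sha(v) for k, v in altered["groups"].items()}}

if __name__ == "__main__":
    for label, chip in [("genuine", genuine), ("altered", altered),
                        ("rehashed", rehashed)]:
        print(label, "| displayed:", read_only(chip), "| failures:", verify(chip))
```

The display-only reader returns the changed holder data without complaint in both altered cases; only the verifying reader reports a failure.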

Matthew Green, who teaches cryptography at Johns Hopkins University, said in a tweet thread on Thursday that the news means that if you’ve got a passport from a visa waiver country, whoever inspects that passport will be looking at a picture and traveler information that’s read from your passport’s e-chip…

…and that data could well have been faked, given that the e-chip’s digital signature isn’t verified.

Eight years after that GAO report, “it is past time for CBP to utilize the digital security features it required be built into e-Passports,” the senators wrote.

They gave the CBP until 1 January 2019 to a) work with subject matter experts at the General Services Administration to figure out how much it will cost to set up the technology that can validate the digital signatures in e-passports and to b) make it happen.

Until they get the technology up and running, the senators said, border staff “will continue to lack reasonable assurance that data found on e-passport computer chips have not been fraudulently altered or counterfeited.”