Sophos Cloud Optix
E-passports – high-tech passports with chips to store traveler information and cryptographic hashes to verify that the passports haven’t been forged or otherwise tampered with – have been required for more than 10 years to get into the US if you’re coming from one of the 38 countries on the visa-waiver list.
Of course, there are readers at many ports of entry so that US Customs and Border Protection (CBP) can read the e-passports. That makes sense: after all, the US is the country that pushed for e-passport global adoption following the terrorist attacks of 9/11.
Too bad CBP agents don’t actually have the software necessary to discern whether the information on those high-tech passwords is or is not a machine-readable load of hooey.
Two senators last week revealed that the CBP has been aware of its inability to authenticate the data stored on the e-passport chips since at least 2010, when the Government Accountability Office (GAO) released a report about how to better use e-passport security features, including the cryptographic signature that’s designed to make it near-impossible to forge a travel document or steal someone’s identity.
The news about the security failing came to light on Thursday when the two senators, Ron Wyden (D-OR) and Claire McCaskill (D-MO), sent a letter demanding that the CPB “immediately” start using the anti-forgery and anti-tamper feature in e-passports. The letter was addressed to CBP acting commissioner Kevin K. McAleenan.
Despite border agents using e-passport readers at “most” ports of entry, the senators said…
CBP does not have the software necessary to authenticate the information stored on the e-passport chips.
Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged.
As it is now, reading the e-passports amounts to security theater, given that there’s no verification of the data.
Matthew Green, who teaches cryptography at John Hopkins University, said in a tweet thread on Thursday that the news means that if you’ve got a passport from a visa waiver country, whoever inspects that passport will be looking at a picture and traveler information that’s read from your passport’s e-chip…
…and that data could well have been faked, given that the e-chip’s digital signature isn’t verified:
In other words, the data and a digital signature is loaded from the chip and displayed, but since the signature isn’t verified (🙄) anyone could have forged it.
— Matthew Green (@matthew_d_green) February 22, 2018
Eight years after that GAO report, “it is past time for CBP to utilize the digital security features it required be built into e-Passports,” the senators wrote.
They gave the CBP until 1 January 2019 to a) work with subject matter experts at the General Services Administration to figure out how much it will cost to set up the technology that can validate the digital signatures in e-passports and to b) make it happen.
Until they get the technology up and running, the senators said, border staff “will continue to lack reasonable assurance that data found on e-passport computer chips have not been fraudulently altered or counterfeited.”
Out of interest, are there any countries that can read this data? What about the EU, UK, Oz, NZ, China, Russia, Middle Eastern countries etc?
Excellent question. There’s a gazillion countries that have e-passports, but I can’t find that answer in particular, so I reached out to a vendor in that space and to Jeroen van Beek, the “ethical hacker” who picked the passports apart years ago. I’ll add another comment as I learn more.
Thank you!
It’ll be interesting to learn what you find out.
Reading of passports is easy. You just need a ISO 14443 reader (costs ~$50) and most of the stuff can be read if you can read the physical machine-readable zone text (MRZ) on the passport page with photo. That MRZ is used to derive a key to decrypt the data.
Only thing I’ve found encrypted are the fingerprints. Your name, photo, … everything on the passport page with photo is accessible if you are in physical possession of passport. Plus there is bunch of other data, like certificates, etc.
Why doesn’t this surprise me?
What doesn’t surprise me is that the politicians that allowed this information to reach the general public are both Democrats.
Well, when two Senators decide to join forces and write to the public sector, there are only really three party political combinations – 2D, 2R and one of each.
So you are right – it is not surprising at all.
The use of false us passports is not a major concern, as they can spotted very easily without the use of e-readers. An ever-growing problem is the forgery of visas, and the use of stolen authentic visas, and resident cards by imposters.. All of which the software is available to scan and agents are trained to spot. So really this is not really a story.
OK, here we go: The question of which e-passport-using countries are reading the chips is near impossible to answer, it turns out. Here’s what I found:
Neville Pattinson, VP of Government Programs for Gemalto, a vendor in this space, says that countries that have deployed its eGates technology can properly read the passports (they do biometric verification at the gate, with fingerprint scans or live facial recognition). These countries include Norway, Switzerland, France, UK, Gabon, Namibia, and more.
Jeroen van Beek was also kind enough to give feedback: he demonstrated, in 2008, that not all passport inspection systems check the cryptographic signature of a passport chip. For his demonstration Van Beek altered chip information and signed it using his own document-signing key of a non-existing country. In 2008, he tampered with a passport to change the name to Elvis Aaron Presley, complete with a photo of the King, and successfully used it to sign in at an airport.
He tells me that most of those 2008/2009 findings still seem to be valid. More recently, with a recent freedom of information act, the Dutch government declined to give details about procedures and fake chips that had been successfully detected, given that it’s a “matter of state security.” Make of that what you will: van Beek suggested it’s a way to avoid revealing what’s not in place.
Others told me that pretty much every other country that’s using e-passports can read them. But without details, as van Beek notes, security researchers have a tough time vetting how well the border agents in these countries are actually doing at detecting fraud/tampering.
According to your story, US agents can READ them as well. There’s a difference between being able to read a passport and being able to verify that what your scanner is reading is true.
You are correct to suggest that doctored passports are likely to be detected anyway, which is why I think this story is a little bit of a storm in a teacup, but there *is* something unappealing about building in a cryptographic safeguard as an extra hurdle for a passport fraudsters to get over…
…and then not bothering to verify the tamper protection anyway.