US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com) 141
An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CPB) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."
Bet they were able to get it budgeted though (Score:5, Insightful)
How much do you want to bet that they were able to get a "solution" budgeted every year?
Re: (Score:3)
Re:Bet they were able to get it budgeted though (Score:5, Insightful)
Isn't that a bit of a security risk?
E.g. this app requires you enter a bunch of data. And then it scans your passport
https://play.google.com/store/... [google.com]
At which point it knows everything about you. What's to stop is sending the data off to someone who sells it on the internet to identity thieves?
If it was some pure open source thing I might trust it. However even though this library is open source
http://jmrtd.org/ [jmrtd.org] ... The ReadID app is not. So you don't know what they do with the data they collect.
Re: (Score:2)
What's to stop is sending the data off to someone who sells it on the internet to identity thieves?
The same thing that's stopping Microsoft from harvesting e-mail passwords via its Outlook Ios/Android app...: Reputation
Re: Bet they were able to get it budgeted though (Score:3)
Re: (Score:1)
Well, Microsoft's reputation can't get much worse.
Re: (Score:1)
I think you underestimate the reputation of Microsoft to the eyes of the general public.
Re: (Score:3)
The reputation of a random company nobody has ever heard of before? Yeah, not downloading that shit.
Re: (Score:1)
Yea too bad they couldn't just fucking use Linux.
We all know it's security theatre (Score:5, Insightful)
This episode of security theatre is brought to you by CBP (Customs and Border Patrol) part of the larger circus called the DHS (Department of Homeland Security) which is now the largest federal law enforcement agency. We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane. Someone should start a Dilbert-like DHS comic strip and make T-Shirts we people can wear when going through security.
Re:We all know it's security theatre (Score:5, Interesting)
Re:We all know it's security theatre (Score:4, Interesting)
And?
Of course you can clone them, cryptographically signed data is still nothing more than data.
Signatures only serve to prove the plain-text data is bit-for-bit identical when verified using the public key, compared to when it was signed with the private key.
Nothing more.
If you have a forged passport with unsigned data, you can clone that and end up with another forged passport with unsigned data.
If you have a valid passport with signed data, you can clone that and end up with another valid passport with signed data.
All the signature does is prove if the governments private key signed the data and that the data hasn't been modified.
Cloning doesn't modify the data so of course cloning won't break the signature.
You still need a legit passport with signed data to clone in the first place.
The signature prevents you from putting your own newly made data on the thing and being able to claim it is valid.
Re: (Score:2)
Let's say you have an army of clones intent on overthrowing the Empire, you could give them all duplicated passports that verifies their names and the photo matches their faces. Oh no! But as soon as one of them slips up all of those passports can be revoked at once.
Assuming of course a competent Empire. In real life, as we see here, governments are full of bumbling oafs.
Re: (Score:2)
The digital signing is to prove that the printed data (and photo?) has not been modified. You can clone the chip that says "Anne Onny Mouse" from your passport and put it onto thousands of passports. However those chips will say "this passport is for Anne Onny Mouse", and the border official will then note the name does not match "Robert J Hacker" which is printed on the passport.
Of course, if you're forging passports, you can easily clone the chip but it's not useful unless the printed data also has the sa
Re: (Score:3)
There aren't "passwords" here. This is a signed data. There is a public and a private key, the private key must be kept secret but the public key is intended to be shared and available. By using the public key anyone can verify that the data was properly signed by the holder of the secret private key. Ie, encrypt using the private key, but decrypt using the public key.
The data itself need not necessarily be encrypted, because it merely shows what is visible on the passport. But the signing process uses
Re: (Score:2)
But but, let's replace the private companies that didn't let anything in appropriate through.
Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.
Re: (Score:2)
Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.
Must ... resist ... oh damn, here I go.
First of all, which Bush?
Second, exactly what "private" (in your view) industry did he "socialize?"
Third, are you seriously claiming that Bush (41 or 43) is a socialist?? Dude, your tinfoil hat is on too tight.
Re: (Score:1)
Bush, 43, did actually, in reality socialize airport security
Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.
150k or so private jobs became government jobs. The largest socialization in US history. And it happened fast.
Re:We all know it's security theatre (Score:5, Informative)
I recall (living in the DC area at the time of 9/11 and working next to Dulles, so it wasn't exactly a distant concern at the time) that Bush and the Republicans in Congress wanted enhanced private security, but the Democrats would only join them in voting for it if it used government workers, so to get it at all (which I wouldn't have voted for, but that's another discussion) they caved to the Democrats on the issue.
So while Bush was the President at the time, it's not like he was a dictator. To say it was Bush's idea to use government employees for security isn't accurate. At most, he went along with the Democrats on it.
Re: (Score:2)
Private contractors for prisons in California are a major failure. But they're entrenched and they have much more powerful unions than the government unions. Private contractors in the Iraq war were also a failure. All paid for out of taxpayer dollars, given to "for profit" companies, and we did not save money or get a better outcomes as a result.
Even the most die hard anti-government tea party follower still agrees that government has a vital role in national security, and there are loud cries about beefi
Re:We all know it's security theatre (Score:4, Insightful)
Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.
How do we know they never missed on record? Is it because they told us they never missed? It seems like this might be similar to the difference between open-source and closed-source code; the former might seem less secure because there are lots of bug reports and patches, but that doesn't really tells us anything about the state of the latter. Similarly, it might very well be that the private security was just as much theater as the government's attempts, but a lack of transparency made it easier for them to hide their failings.
Honestly, I don't know either way. I am just hesitant to believe that the private industry's record was really any better. I'd be curious if there was any information on the topic.
Re: (Score:2)
FAA was the oversight for airport screening before TSA took it over. They tested and reviewed all airport screening.
Bush as a socialist? Maybe... (Score:2)
First of all, which Bush?
It doesn't matter. Both of them substantially expanded the number of government jobs [economist.com] during their administrations.
Second, exactly what "private" (in your view) industry did he "socialize?"
All airport security was private contractors prior to 9/11. Then it became a part of DHS. More generally public sector payroll [businessinsider.com] expanded greatly during their administration - more than most recent presidents except perhaps Clinton. Based on their actions it's not entirely irrational to say they are closeted socialists.
Third, are you seriously claiming that Bush (41 or 43) is a socialist?
Oh they try to pretend they aren't but it's actually pretty easy to argue t
Re: (Score:1)
This groping brought to you by the makers of Rapescan. I mean Rapiscan.
Re: (Score:3)
We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane.
The entire DHS airport security checks could be replaced with cocktail wieners.
Just have a tray of them at every airport gate. Passengers wishing to fly would be required to eat a cocktail wiener before boarding the plane. Islamic terrorist would refuse to eat the cocktail wiener, and could thus be filtered out easily and efficiently.
But no, the DHS folks are only interested in building an empire for themselves by wasting mountains of taxpayer money.
Re: (Score:1, Funny)
Also an effective countermeasure against the scourge of international vegan terrorism. Brilliant!
Re: (Score:2)
"Islamic terrorist would refuse to eat the cocktail wiener,"
There is much about Islamic terrorists you do not know or understand. But I know you were engaging in theatre, so I'm not really concerned you are that stupid or naive. At least not about that...
Re: (Score:2)
Re: (Score:2)
The new line from the remake of Airplane: "We need somebody who can not only fly this plane, but who didn’t have the cocktail wieners!"
Re: (Score:2)
I bought an RFI shielded passport wallet for $9. Its a full function wallet, with a shielded passport pocket built in. Also shielded slots for RFI ID cards.
If you can't afford $9, perhaps you should not be traveling abroad.
Re: Shhhh! Don't talk about this security lapse (Score:2, Insightful)
Forgers have known about this just as long. And even if you get it to work eventually, the encryption on the chips themselves have been proven easy to crack for many years.
Re: (Score:3)
Re: (Score:2)
Bullshit.
However you can't just "crack" the signature on the card if the reader actually does verify the signature. This is because there is no private key for PA on the card, thus classic key extraction attacks are useless. You can still clone the card and use somebody's else identity, but the encryption as such is fine (as long RSA-1024 is fine, which it barely is).
A decade of the software saying? (Score:1)
No error, allow the passport?
The same cryptic error code for every valid passport?
No error code for every illegal "migrant" trying a "passport"?
Re: (Score:2)
You could try reading the article?
It does the obvious thing you would expect from a system using digital signatures that is set to not verify the signature.
I should be shocked and alarmed (Score:1)
but all I feel is sadly unsurprised. After a while some people just cant live up to your expectations or their own.
Re: (Score:1)
I am afraid it sound like you have been thinking critically ago. Further that kind of proactive can do disruptive thinking clearly shows a lack of team sprit. We should have a meeting about this
Re: (Score:2)
The issue is that cryptographic signatures aren't verified for passports with chips.
This only applies to passports from 38 countries. People coming in from Mexico aren't using passports with chips.
For the 38 countries it does apply to, border and customs agents still verify a person's identity using the passport, the photo, and and person in front of them.
This fuck up makes the chip useless as anyone can put any data on there.
You would still have to be able to make a convincing fake of a physical passport
The passport checkers may as well have stayed home (Score:3)
All of those passport checkers may as well have stayed home for the past ten years.
Re: (Score:2)
All passports looked at got a correct pass every year?
Nobody thought to have a failed passport test at random times to see if every computer GUI was working?
Every passport failed and the GUI was always ignored. Waiting for an update to finally get the functionality?
An error code did show but it always had to be scrolled past with many other messages?
Also easily replicated (Score:5, Informative)
There was an interesting e-passport replication technology reported at the "Black Hat" security conference in 2006 So far as I know, this replication approach has never been disabled
https://www.theregister.co.uk/... [theregister.co.uk]
RFID chips are, by their nature, kept very inexpensive and easy to read. Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.
Re:Also easily replicated (Score:5, Insightful)
Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.
The point isn’t to make passports truly secure in the eyes of a technically literate person - the point is to make them “secure” within the level of understanding posessed by the average politician.
You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.
Re: (Score:1)
You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.
Or believe that a "background check" will prevent anyone who ever might do something evil from getting a gun.
Re:Also easily replicated (Score:5, Informative)
Re: (Score:2)
That's the point. If the digital signature is not checked its possible to create altered data. You create a password with your picture, so it look like you standing in front of the agent with the information belonging to some other person who would be admitted at the border.
Obviously its still a challenge, you need to create convincing physical forger or alter an existing document; which does have physical tamper controls in place. You will also need to be able to program the thing correctly save for ne
Re: (Score:3)
Replicating a passport is far less of an issue than writing a new one whole cloth.
Re: (Score:2)
I agree. But if they're not verifying the recorded data, as seems to be the case, than replicating even one such RFID chip en masse helps enable wholesale forgery.
Re: (Score:3)
Cloning is possible. However, in this case, the digital signature is not even being checked of the data. So, right now, you can create complete forgeries without the private key (or certificate) required. If they actually started to check signatures, which let's face it, software should be able to do easily today (I wonder why it's never been implemented), then you would have to match the details on the written passport exactly and you'd have to be a clone of another passport holder. That is a far higher ba
Re: (Score:2)
Cloning is not an issue if the signed data includes physical descriptors and photographs. Ultimately, all government ID systems rely on a human matching the person in front of them to the person on the paperwork.
Preventing forgery is the major concern. And they have zero chance of stopping it if they cannot verify a fucking digital signature. Pathetic.
Hell, ADOBE has integrated support for digital signatures and document validation---and it actually works. Unless there was a proposal to fix this that couldn
Re: (Score:1)
bloccckkkkkchhhhaaaiiiinnnn
So? (Score:3, Insightful)
And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.
Maybe that "foreign terrorist" threat isn't nearly as bad as we were told? Maybe we have more to worry about from other Americans than we do foreign terrorists?
Re: (Score:2, Informative)
And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.
Maybe that "foreign terrorist" threat isn't nearly as bad as we were told? Maybe we have more to worry about from other Americans than we do foreign terrorists?
It isn't zero... "Six Iranians, six Sudanese, two Somalis, two Iraqis, and one Yemeni have been convicted of attempting or executing terrorist attacks on U.S. soil during that time period"
According to this article arguing against the travel ban: https://www.theatlantic.com/international/archive/2017/01/trump-immigration-ban-terrorism/514361/ [theatlantic.com]
Also, this issue isn't just about terrorism, but also more likely criminals coming to the US. The numbers of criminals coming to the US is well above 0.
Re: (Score:2)
Or maybe the other controls are relatively effective. The two most obvious
1) a robust intelligence gathering effort that feeds
a number of various "lists"
2) Physical controls on passport documents. Look at them there are number glossy, hologramed bits. The guy at the corner is going to be hard pressed to make a convincing forgery. You might fool the inattentive clerk at your local motel or gas station attendant ringing up some beer but you won't fool a TSA agent. Without access to a lot of resources most
Re: (Score:3)
And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.
Why should they have to sneak in when they can walk in the front door?
The people that planted a bomb at the Boston Marathon were immigrants. They had their "papers in order", and it was their immigration registration records that allowed the police to identify them so quickly.
The Boston Marathon bombing was a terrorist act on American soil by foreign actors. That is just one of many examples. There have been many acts of terrorism on Americans by immigrants. Some more successful than others. Some using
Re: (Score:2)
And not all gun owners are school shooters. Stow that bullshit.
Re: (Score:2)
Those that did sneak through the borders to get into the USA have broken the law by the very fact of sneaking past the border. Once here they seem to have little respect for other laws. They will drive without a license, insurance, or registering their vehicle. They will work under falsified papers. They will drive while drunk. They will steal, rape, and murder.
Right. In record numbers. Fox News should be a controlled substance.
...they have broken the law by the act of entering the nation without permission, and have a high probability of further breaking the law.
No they don't. They have a much lower probability of breaking any further laws that aren't labor laws. Breaking laws attracts the attention of law enforcement. Illegal immigrants go out of their way to avoid the attention of law enforcement. Haven't you seen... basically any procedural cop show in the past 20 years? Every single one of them has multiple episodes of local LEOs having to disclaim their interest in the immigration stat
Re: (Score:2)
You gave a website as a reference where I found no breakdown based on immigration status.
I've heard the claim that illegal immigrants break the law less often than domestic born people and they get to this through some very interesting statistical analysis. They will take the crime rate of immigrants and then they will make adjustments for age, gender, race, education, income, and employment status. What we find is that illegal immigrants are predominately in the age range of 16 to 40 (or something like t
Re: (Score:1)
cryptographic information (Score:2)
"Cryptographic information" sounds like information about encryption. Do they mean "encrypted information"?
Re: (Score:2)
No, they don't.
The data isn't meaningfully encrypted. Anyone with physical access to the passport has the key to read it AND the data itself (name, date of birth, country, photo, etc.).
The data is cryptographically signed by the country issuing the passport.
That signature is the "cryptographic information" in question.
The readers are failing to verify the signature.
I can tell you why this is so (Score:2)
I find it funny... (Score:1)
that these Dems who wrote this letter care. After all, the Dems rely on a stream of illegals coming across the border anyways.
Re: (Score:2)
nobody *wanted* a secure border (Score:2)
Nobody wanted a secure border ... nobody who mattered, anyway. No wonder stuff like this got to slide.
Until, mysteriously, now. Must be those darn xenophobe rubes who took over ...
Be glad only 7 environmental studies are needed (Score:2)
The wording on the language in the Request For Proposals is nearing completion.
Relax peoplre, gubberment is on it!
What's next (Score:2)
Government is best (Score:1)
Is not government awesome? Consider:
Just recall the above (incomplete) list next time someone suggests, yet another industry/market would be better served by the caring and omniscient government employees, than by the greedy KKKorporations.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Voter ID (Score:1)
And yet the Democrats keep blocking every attempt to verify a voter's real identity. Heck, these people could just show a (fake) passport everywhere they vote.
Re: (Score:2)
It happened during Bush's presidency.
Re: (Score:2, Funny)
I know, right? After that, the government will probably want to take over the military, with enough nuclear weapons to destroy humanity. What could possibly go wrong, amirite? And border security. Thank goodness we live in a free country where the government isn't in charge of something as important as border security or national defense.
We need to act n
Re: We should put thes same people in charge of ou (Score:1)
Re: (Score:2)
The prosecution rests.