
US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com) 141

An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CBP) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."
  • by grasshoppa ( 657393 ) on Thursday February 22, 2018 @11:40PM (#56173829) Homepage

    How much do you want to bet that they were able to get a "solution" budgeted every year?

  • by Anonymous Coward on Thursday February 22, 2018 @11:44PM (#56173849)

    This episode of security theatre is brought to you by CBP (Customs and Border Patrol) part of the larger circus called the DHS (Department of Homeland Security) which is now the largest federal law enforcement agency. We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane. Someone should start a Dilbert-like DHS comic strip and make T-Shirts we people can wear when going through security.

    • by AvitarX ( 172628 )

      But but, let's replace the private companies that didn't let anything inappropriate through.

      Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.

      • Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.

        Must ... resist ... oh damn, here I go.

        First of all, which Bush?

        Second, exactly what "private" (in your view) industry did he "socialize?"

        Third, are you seriously claiming that Bush (41 or 43) is a socialist?? Dude, your tinfoil hat is on too tight.

        • by AvitarX ( 172628 )

          Bush, 43, did actually, in reality socialize airport security

          Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.

          150k or so private jobs became government jobs. The largest socialization in US history. And it happened fast.

          • I recall (living in the DC area at the time of 9/11 and working next to Dulles, so it wasn't exactly a distant concern at the time) that Bush and the Republicans in Congress wanted enhanced private security, but the Democrats would only join them in voting for it if it used government workers, so to get it at all (which I wouldn't have voted for, but that's another discussion) they caved to the Democrats on the issue.

            So while Bush was the President at the time, it's not like he was a dictator. To say it was Bush's idea to use government employees for security isn't accurate. At most, he went along with the Democrats on it.

          • by Somebody Is Using My ( 985418 ) on Friday February 23, 2018 @10:10AM (#56175443) Homepage

            Before Bush, it was private security meeting standards (that were never missed on record), within his terms it became government that failed to meet standards.

            How do we know they never missed on record? Is it because they told us they never missed? It seems like this might be similar to the difference between open-source and closed-source code; the former might seem less secure because there are lots of bug reports and patches, but that doesn't really tell us anything about the state of the latter. Similarly, it might very well be that the private security was just as much theater as the government's attempts, but a lack of transparency made it easier for them to hide their failings.

            Honestly, I don't know either way. I am just hesitant to believe that the private industry's record was really any better. I'd be curious if there was any information on the topic.

            • by nobuddy ( 952985 )

              FAA was the oversight for airport screening before TSA took it over. They tested and reviewed all airport screening.

        • First of all, which Bush?

          It doesn't matter. Both of them substantially expanded the number of government jobs [economist.com] during their administrations.

          Second, exactly what "private" (in your view) industry did he "socialize?"

          All airport security was private contractors prior to 9/11. Then it became a part of DHS. More generally public sector payroll [businessinsider.com] expanded greatly during their administration - more than most recent presidents except perhaps Clinton. Based on their actions it's not entirely irrational to say they are closeted socialists.

          Third, are you seriously claiming that Bush (41 or 43) is a socialist?

          Oh they try to pretend they aren't but it's actually pretty easy to argue t

    • by Anonymous Coward

      This groping brought to you by the makers of Rapescan. I mean Rapiscan.

    • We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane.

      The entire DHS airport security checks could be replaced with cocktail wieners.

      Just have a tray of them at every airport gate. Passengers wishing to fly would be required to eat a cocktail wiener before boarding the plane. Islamic terrorist would refuse to eat the cocktail wiener, and could thus be filtered out easily and efficiently.

      But no, the DHS folks are only interested in building an empire for themselves by wasting mountains of taxpayer money.

      • Re: (Score:1, Funny)

        by Anonymous Coward

        Also an effective countermeasure against the scourge of international vegan terrorism. Brilliant!

      • "Islamic terrorist would refuse to eat the cocktail wiener,"

        There is much about Islamic terrorists you do not know or understand. But I know you were engaging in theatre, so I'm not really concerned you are that stupid or naive. At least not about that...

        • Then just have everyone doodle a picture of Mohammed. If you refuse, you don't get on the plane. In fact, we put you on the next plane back to Shitholestan. We don't need those kind of people in our nice country.
      • The new line from the remake of Airplane: "We need somebody who can not only fly this plane, but who didn’t have the cocktail wieners!"

  • So what happened when a request was made to a chip? What did the GUI say for many years?
    No error, allow the passport?
    The same cryptic error code for every valid passport?
    No error code for every illegal "migrant" trying a "passport"?
    • You could try reading the article?

      It does the obvious thing you would expect from a system using digital signatures that is set to not verify the signature.

  • but all I feel is sadly unsurprised. After a while some people just can't live up to your expectations or their own.

  • All of those passport checkers may as well have stayed home for the past ten years.

    • by AHuxley ( 892839 )
      What did the computers say?
      All passports looked at got a correct pass every year?
      Nobody thought to have a failed passport test at random times to see if every computer GUI was working?
      Every passport failed and the GUI was always ignored. Waiting for an update to finally get the functionality?
      An error code did show but it always had to be scrolled past with many other messages?
  • by Antique Geekmeister ( 740220 ) on Friday February 23, 2018 @12:19AM (#56174051)

    There was an interesting e-passport replication technology reported at the "Black Hat" security conference in 2006. So far as I know, this replication approach has never been disabled.

    https://www.theregister.co.uk/... [theregister.co.uk]

      RFID chips are, by their nature, kept very inexpensive and easy to read. Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.

    • by 93 Escort Wagon ( 326346 ) on Friday February 23, 2018 @12:56AM (#56174149)

      Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.

      The point isn’t to make passports truly secure in the eyes of a technically literate person - the point is to make them “secure” within the level of understanding possessed by the average politician.

      You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.

      • by Anonymous Coward

        You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.

        Or believe that a "background check" will prevent anyone who ever might do something evil from getting a gun.

    • by jrumney ( 197329 ) on Friday February 23, 2018 @01:11AM (#56174187)
      Sure, it's easily replicated, but the data has your photo, among other things which are easily verified by the border agent against the person standing in front of them. So replicating it isn't all that useful if you are trying to produce a passport that someone not authorized to have that passport can use. You need to modify the data on it, which breaks the digital signature. Only if border security is not properly verifying the signatures does this become useful for nefarious purposes.
      • by DarkOx ( 621550 )

        That's the point. If the digital signature is not checked it's possible to create altered data. You create a passport with your picture, so it looks like you standing in front of the agent with the information belonging to some other person who would be admitted at the border.

        Obviously it's still a challenge, you need to create a convincing physical forgery or alter an existing document; which does have physical tamper controls in place. You will also need to be able to program the thing correctly save for ne

    • by SirSlud ( 67381 )

      Replicating a passport is far less of an issue than writing a new one whole cloth.

      • I agree. But if they're not verifying the recorded data, as seems to be the case, then replicating even one such RFID chip en masse helps enable wholesale forgery.

    • Cloning is possible. However, in this case, the digital signature is not even being checked of the data. So, right now, you can create complete forgeries without the private key (or certificate) required. If they actually started to check signatures, which let's face it, software should be able to do easily today (I wonder why it's never been implemented), then you would have to match the details on the written passport exactly and you'd have to be a clone of another passport holder. That is a far higher ba

      • Cloning is not an issue if the signed data includes physical descriptors and photographs. Ultimately, all government ID systems rely on a human matching the person in front of them to the person on the paperwork.

        Preventing forgery is the major concern. And they have zero chance of stopping it if they cannot verify a fucking digital signature. Pathetic.

        Hell, ADOBE has integrated support for digital signatures and document validation---and it actually works. Unless there was a proposal to fix this that couldn

    • by Anonymous Coward

      bloccckkkkkchhhhaaaiiiinnnn

  • So? (Score:3, Insightful)

    by PopeRatzo ( 965947 ) on Friday February 23, 2018 @01:37AM (#56174257) Journal

    US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software

    And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.

    Maybe that "foreign terrorist" threat isn't nearly as bad as we were told? Maybe we have more to worry about from other Americans than we do foreign terrorists?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.

      Maybe that "foreign terrorist" threat isn't nearly as bad as we were told? Maybe we have more to worry about from other Americans than we do foreign terrorists?

      It isn't zero... "Six Iranians, six Sudanese, two Somalis, two Iraqis, and one Yemeni have been convicted of attempting or executing terrorist attacks on U.S. soil during that time period"

      According to this article arguing against the travel ban: https://www.theatlantic.com/international/archive/2017/01/trump-immigration-ban-terrorism/514361/ [theatlantic.com]

      Also, this issue isn't just about terrorism, but also more likely criminals coming to the US. The numbers of criminals coming to the US is well above 0.

    • by DarkOx ( 621550 )

      Or maybe the other controls are relatively effective. The two most obvious

      1) a robust intelligence gathering effort that feeds
      a number of various "lists"
      2) Physical controls on passport documents. Look at them; there are a number of glossy, hologrammed bits. The guy at the corner is going to be hard pressed to make a convincing forgery. You might fool the inattentive clerk at your local motel or gas station attendant ringing up some beer but you won't fool a TSA agent. Without access to a lot of resources most

    • And in that time, the number of terrorist attacks by foreigners sneaking into the country is...zero.

      Why should they have to sneak in when they can walk in the front door?

      The people that planted a bomb at the Boston Marathon were immigrants. They had their "papers in order", and it was their immigration registration records that allowed the police to identify them so quickly.

      The Boston Marathon bombing was a terrorist act on American soil by foreign actors. That is just one of many examples. There have been many acts of terrorism on Americans by immigrants. Some more successful than others. Some using

      • Now, not all immigrants are terrorists.

        And not all gun owners are school shooters. Stow that bullshit.

      • Those that did sneak through the borders to get into the USA have broken the law by the very fact of sneaking past the border. Once here they seem to have little respect for other laws. They will drive without a license, insurance, or registering their vehicle. They will work under falsified papers. They will drive while drunk. They will steal, rape, and murder.

        Right. In record numbers. Fox News should be a controlled substance.

        ...they have broken the law by the act of entering the nation without permission, and have a high probability of further breaking the law.

        No they don't. They have a much lower probability of breaking any further laws that aren't labor laws. Breaking laws attracts the attention of law enforcement. Illegal immigrants go out of their way to avoid the attention of law enforcement. Haven't you seen... basically any procedural cop show in the past 20 years? Every single one of them has multiple episodes of local LEOs having to disclaim their interest in the immigration stat

        • You gave a website as a reference where I found no breakdown based on immigration status.

          I've heard the claim that illegal immigrants break the law less often than domestic born people and they get to this through some very interesting statistical analysis. They will take the crime rate of immigrants and then they will make adjustments for age, gender, race, education, income, and employment status. What we find is that illegal immigrants are predominately in the age range of 16 to 40 (or something like t

  • "Cryptographic information" sounds like information about encryption. Do they mean "encrypted information"?

    • No, they don't.

      The data isn't meaningfully encrypted. Anyone with physical access to the passport has the key to read it AND the data itself (name, date of birth, country, photo, etc.).
      The data is cryptographically signed by the country issuing the passport.
      That signature is the "cryptographic information" in question.
      The readers are failing to verify the signature.
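
The point made in the comment above (the chip data is signed by the issuer, not encrypted, so a reader that skips the signature check accepts altered data), as an added example that is not part of the original thread. The issuer key is a constructed toy textbook-RSA key, and the field names and sample record are assumptions; real e-passports use a standardized signed-data format rather than this simplified one.

```python
import hashlib
import json

# Constructed toy issuer key: textbook RSA over two Mersenne primes, no padding.
# Insecure by design; it only stands in for the issuing country's signing key.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                      # public key, known to every reader
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the issuer

# Constructed sample record (hypothetical field names).
SAMPLE = {"name": "JANE SPECIMEN", "date_of_birth": "1980-01-01",
          "country": "UTO", "photo_sha256": "00" * 32}
REQUIRED = ("name", "date_of_birth", "country", "photo_sha256")


def _digest(chip_data: dict) -> int:
    """SHA-256 over a canonical encoding of the chip data, as an integer."""
    canonical = json.dumps(chip_data, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def issue(chip_data: dict) -> dict:
    """Issuer side: sign the chip data with the private key."""
    return {"data": dict(chip_data), "signature": pow(_digest(chip_data), D, N)}


def read_without_verification(chip: dict) -> bool:
    """Reader that parses the chip but never looks at the signature."""
    return all(field in chip["data"] for field in REQUIRED)


def read_with_verification(chip: dict, n: int = N, e: int = E) -> bool:
    """Reader that accepts the data only if the issuer's signature matches it."""
    if not read_without_verification(chip):
        return False
    sig = chip.get("signature")
    if not isinstance(sig, int) or not 0 < sig < n:
        return False
    return pow(sig, e, n) == _digest(chip["data"])


def reader_self_test(reader) -> bool:
    """A reader is only working if known-good passes AND known-bad fails."""
    good = issue(SAMPLE)
    altered = {"data": dict(good["data"], photo_sha256="ff" * 32),
               "signature": good["signature"]}       # data changed after signing
    unsigned = {"data": dict(SAMPLE), "signature": 1}  # no valid signature at all
    return reader(good) and not reader(altered) and not reader(unsigned)


if __name__ == "__main__":
    print("verifying reader passes self-test:    ", reader_self_test(read_with_verification))
    print("non-verifying reader passes self-test:", reader_self_test(read_without_verification))
```

Running the self-test with a known-bad record is what distinguishes the two readers: both accept every genuine passport, so a reader that never checks signatures looks healthy until it is shown altered data.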

  • It's because congress, and even state legislatures don't have the vision to see that software and training might be necessary. And a bloated enterprise like Homeland Security and TSA - well they can just barely do security theater. So while a legislative body might pass a feel good that the electronic encryption on a passport is secure - they completely forgot about funding to develop the software to read it.
  • by Anonymous Coward

    that these Dems who wrote this letter care. After all, the Dems rely on a stream of illegals coming across the border anyways.

    • How is that? Illegals can't vote. Didn't they explain how U.S. elections work when you went to school in Moscow?
  • Nobody wanted a secure border ... nobody who mattered, anyway. No wonder stuff like this got to slide.

    Until, mysteriously, now. Must be those darn xenophobe rubes who took over ...

  • The wording on the language in the Request For Proposals is nearing completion.

    Relax people, gubberment is on it!

  • Cue Trump blaming Obama for the problem in 3... 2... 1...
  • Is not government awesome? Consider:

    Just recall the above (incomplete) list next time someone suggests, yet another industry/market would be better served by the caring and omniscient government employees, than by the greedy KKKorporations.
