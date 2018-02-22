

 


Security Software Privacy United States

US Border Officials Haven't Properly Verified Visitor Passports For More Than a Decade Due To Improper Software (zdnet.com) 40

Posted by BeauHD from the update-required dept.
An anonymous reader quotes a report from ZDNet: U.S. border officials have failed to cryptographically verify the passports of visitors to the U.S. for more than a decade -- because the government didn't have the proper software. The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to U.S. Customs and Border Protection (CBP) acting commissioner Kevin K. McAleenan to demand answers. E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport's authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft. Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the U.S. But according to the senators' letter, sent Thursday, border staff "lacks the technical capabilities to verify e-passport chips." Although border staff have deployed e-passport readers at most ports of entry, "CBP does not have the software necessary to authenticate the information stored on the e-passport chips." "Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged," the letter stated. Wyden and McCaskill said in the letter that Customs and Border Protection has "been aware of this security lapse since at least 2010."


  • How much do you want to bet that they were able to get a "solution" budgeted every year?

    • Re: (Score:2)

      by jrumney ( 197329 )
      Meanwhile, I have a free app on my phone that is able to verify the signatures on any ICAO compliant NFC passport or identity card.

      • Isn't that a bit of a security risk?

        E.g. this app requires you enter a bunch of data. And then it scans your passport

        https://play.google.com/store/... [google.com]

        At which point it knows everything about you. What's to stop it sending the data off to someone who sells it on the internet to identity thieves?

        If it was some pure open source thing I might trust it. However even though this library is open source

        http://jmrtd.org/ [jmrtd.org] ... The ReadID app is not. So you don't know what they do with the data they collect.

  • We all know it's security theatre (Score:3, Funny)

    by Anonymous Coward on Thursday February 22, 2018 @10:44PM (#56173849)

    This episode of security theatre is brought to you by CBP (Customs and Border Patrol) part of the larger circus called the DHS (Department of Homeland Security) which is now the largest federal law enforcement agency. We can't figure out if your passport is legit but take off your shoes and don't even think of taking those nail-clippers or toothpaste on that airplane. Someone should start a Dilbert-like DHS comic strip and make T-Shirts we people can wear when going through security.

    • Re: (Score:1)

      by AvitarX ( 172628 )

      But but, let's replace the private companies that didn't let anything inappropriate through.

      Bush oversaw the largest socialization of private industry in the history of the US, and yet nobody calls him a socialist.

  • So what happened when a request was made to a chip? What did the GUI say for many years?
    No error, allow the passport?
    The same cryptic error code for every valid passport?
    No error code for every illegal "migrant" trying a "passport"?

    • You could try reading the article?

      It does the obvious thing you would expect from a system using digital signatures that is set to not verify the signature.

  • but all I feel is sadly unsurprised. After a while some people just can't live up to your expectations or their own.

  • All of those passport checkers may as well have stayed home for the past ten years.

    • Re: (Score:2)

      by AHuxley ( 892839 )
      What did the computers say?
      All passports looked at got a correct pass every year?
      Nobody thought to have a failed passport test at random times to see if every computer GUI was working?
      Every passport failed and the GUI was always ignored. Waiting for an update to finally get the functionality?
      An error code did show but it always had to be scrolled past with many other messages?

  • Also easily replicated (Score:5, Informative)

    by Antique Geekmeister ( 740220 ) on Thursday February 22, 2018 @11:19PM (#56174051)

    There was an interesting e-passport replication technology reported at the "Black Hat" security conference in 2006. So far as I know, this replication approach has never been disabled.

    https://www.theregister.co.uk/... [theregister.co.uk]

      RFID chips are, by their nature, kept very inexpensive and easy to read. Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.

    • Unless the USA and other nations are prepared to invest in more powerful and secure standards for what is supposed to be a very easily scanned and robust technology, I'm afraid that I don't see how they can be made more secure.

      The point isn’t to make passports truly secure in the eyes of a technically literate person - the point is to make them “secure” within the level of understanding possessed by the average politician.

      You know - the men and women who believe we can have “secure” smartphones which are completely and readily accessible to law enforcement personnel but no one else.

    • Re: (Score:2)

      by jrumney ( 197329 )
      Sure, it's easily replicated, but the data has your photo, among other things which are easily verified by the border agent against the person standing in front of them. So replicating it isn't all that useful if you are trying to produce a passport that someone not authorized to have that passport can use. You need to modify the data on it, which breaks the digital signature. Only if border security is not properly verifying the signatures does this become useful for nefarious purposes.
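
The distinction discussed in the thread above (a copied chip still carries a valid signature, while altered chip data does not) can be shown with a small model of the check a reader is supposed to perform. This is an added example, not part of the original page or of any passport software: the data-group contents and all function names are constructed, and a toy unpadded RSA key stands in for the issuing state's real signing key and certificate chain.

```python
import copy
import hashlib
import json

# Constructed toy RSA key standing in for the issuing state's signing key.
# Two Mersenne primes, no padding: for illustration only, not real crypto.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the issuer

def sha(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def digest_int(hashes: dict) -> int:
    """Canonical encoding of the hash list, hashed and reduced mod N."""
    return int(sha(json.dumps(hashes, sort_keys=True).encode()), 16) % N

def issue(data_groups: dict) -> dict:
    """Issuer: hash every data group, then sign the list of hashes."""
    hashes = {name: sha(blob) for name, blob in data_groups.items()}
    return {"data_groups": dict(data_groups), "hashes": hashes,
            "signature": pow(digest_int(hashes), D, N)}

def reader_no_verify(chip: dict) -> bool:
    """Reader without verification software: accepts any readable chip."""
    return bool(chip["data_groups"])

def reader_verify(chip: dict) -> bool:
    """Reader that checks the signature, then every data group hash."""
    if pow(chip["signature"], E, N) != digest_int(chip["hashes"]):
        return False  # hash list was not signed by the issuer
    if set(chip["hashes"]) != set(chip["data_groups"]):
        return False
    return all(sha(blob) == chip["hashes"][name]
               for name, blob in chip["data_groups"].items())

def scenarios() -> dict:
    """Return (no_verify, verify) decisions for four constructed chips."""
    genuine = issue({"DG1": b"MRZ: DOE<<JANE", "DG2": b"photo: Jane Doe"})
    clone = copy.deepcopy(genuine)             # bit-for-bit copy
    altered = copy.deepcopy(genuine)           # photo swapped, hashes left alone
    altered["data_groups"]["DG2"] = b"photo: someone else"
    rehashed = copy.deepcopy(altered)          # hashes recomputed, cannot re-sign
    rehashed["hashes"]["DG2"] = sha(rehashed["data_groups"]["DG2"])
    chips = {"genuine": genuine, "clone": clone,
             "altered": altered, "rehashed": rehashed}
    return {k: (reader_no_verify(c), reader_verify(c)) for k, c in chips.items()}
```

Both readers accept the genuine chip and the exact copy, so the photo comparison at the desk remains the defence against a clone; only the verifying reader rejects the two altered chips.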
