U.S CBP electronic passport system has a flaw for 10 years
According to ZDNet reports, in the past ten years, U.S. border inspectors have been unable to effectively and effectively verify passport information of immigrants because the government does not have suitable software. In a letter to Kevin K. McAleenan, acting director of the U.S. Customs and Border Agency (CBP), senators Ron Wyden and Claire McCaskill requested their responses on the matter. The ePassport’s chip contains machine-readable text and encrypted information that makes it easy to verify the authenticity and integrity of passports.
Since its introduction in 2007, all newly issued passports are e-Passports. Citizens of 38 countries on the visa-free list must also have electronic passports before they can be allowed to enter the United States.
Encrypting information makes it almost impossible for a passport to be forged and helps prevent identity theft. However, the senator pointed out in this letter on Thursday that border guards “lacked the technical capability to verify the e-passport chip”:
Even though they have deployed ePassport readers at most of the ports of entry, CBP still does not have the software necessary to verify the information stored on the ePassport chip.
In particular, CBP can not verify the digital signature stored on the ePassport, which means CBP can not determine whether the data stored on the smart chip has been tampered with or faked.
Shockingly, as early as 2010, the customs and border control departments were already aware of this loophole.
That year, the government accountability office first named in a report (PDF) a critique of CBP’s (Department of Homeland Security) accusation that it “has not implemented all the features necessary to validate digital signatures before trusting data.”
In other words, before the Homeland Security Department blocks out any omissions, border guards have to rely on systems that lack reasonable assurance that they are being tricked by computer data that may have been forged on e-passport chips.
Well, eight years have passed, CBP has gone unpunished? Unfortunately, the agency still does not have the technical capability to validate machine readable data on e-Passports!
After a news fryer, Matthew Green, a lecturer in cryptography at Johns Hopkins, wrote in a tweet:
So let’s be clear what this means. If you have a passport from a Visa Waiver country, the passport officer is looking at a picture and traveler information that is read from your passport’s e-chip. But that data isn’t guaranteed to be authentic.
— Matthew Green (@matthew_d_green) February 22, 2018
Matthew Green continued commenting:
It is ironic that despite the fact that such an electronic passport was forcibly introduced to the world after the 9/11 terrorist attacks in the United States, we have not been able to use it properly.
Senators hope that the departments concerned can put forward a plan for proper authentication of e-passports by the beginning of next year. However, as of press time, CBP’s spokesman did not respond to media comments.