US Border Patrol Hasn’t Validated E-Passport Data For Years

["Dave Farber" <farber () gmail com>]

Begin forwarded message:

> From: Richard Forno <rforno () infowarrior org>
> Date: February 23, 2018 at 6:30:28 AM EST
> To: Infowarrior List <infowarrior () attrition org>
> Cc: Dave Farber <dave () farber net>
> Subject: US Border Patrol Hasn’t Validated E-Passport Data For Years
>
> US Border Patrol Hasn’t Validated E-Passport Data For Years
>    • Author: Lily Hay NewmanLily Hay Newman
>    • security
>    • 02.22.18
>    • 07:08 pm
>
> US Customs and Border Patrol hasn't been verifying the cryptographic signatures on e-Passports—because they never 
> installed the right software.
>
> Passports, like any physical ID, can be altered and forged. That's partly why for the last 11 years the United States 
> has put RFID chips in the back panel of its passports, creating so-called e-Passports. The chip stores your passport 
> information—like name, date of birth, passport number, your photo, and even a biometric identifier—for quick, 
> machine-readable border checks. And while e-Passports also store a cryptographic signature to prevent tampering or 
> forgeries, it turns out that despite having over a decade to do so, US Customs and Border Protection hasn't deployed 
> the software needed to actually verify it.
>
> This means that since as far back as 2006, a skilled hacker could alter the data on an e-Passport chip—like the name, 
> photo, or expiration date—without fear that signature verification would alert a border agent to the changes. That 
> could theoretically be enough to slip into countries that allow all-electronic border checks, or even to get past a 
> border patrol agent into the US.
>
> "The idea of these things is that they’re supposed to provide some additional electronic security over a standard 
> passport, which can be forged using traditional techniques," says Matthew Green, a cryptographer at Johns Hopkins 
> University. "The digital signature would provide that guarantee. But if it’s not checked it doesn’t."
>
> A letter to CBP on Thursday from senators Ron Wyden of Oregon and Claire McCaskill of Missouri highlights this 
> crucial shortcoming. More than 100 countries now offer passports that come with a digital chip, and fewer than half 
> of those include the capability to verify the integrity of data using a digital signature. But Wyden and McCaskill 
> stress that while the US demands that countries in the Visa Waiver program put a chip in their passports, it has 
> failed to fully realize its own e-Passport program.
>
> "CBP does not have the software necessary to authenticate the information stored on the e-Passport chips," the two 
> Senators wrote. "Specifically, CBP cannot verify the digital signatures stored on the e-Passport, which means that 
> CBP is unable to determine if the data stored on the smart chips has been tampered with or forged."
>
> < - >
>
> https://www.wired.com/story/us-border-patrol-hasnt-validated-e-passport-data-for-years/



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20180223065140:E6A7A3F0-188F-11E8-89CC-E023F344792F
Powered by Listbox: http://www.listbox.com