US border officials have failed to cryptographically verify the passports of visitors to the US for more than a decade — because the government didn’t have the proper software.
The revelation comes from a letter by Sens. Ron Wyden (D-OR) and Claire McCaskill (D-MO), who wrote to US Customs and Border Protection (CPB) acting commissioner Kevin K. McAleenan to demand answers.
E-passports have an electronic chip containing cryptographic information and machine-readable text, making it easy to verify a passport’s authenticity and integrity. That cryptographic information makes it almost impossible to forge a passport, and it helps to protect against identity theft.
Introduced in 2007, all newly issued passports are now e-passports. Citizens of the 38 countries on the visa waiver list must have an e-passport in order to be admitted to the US.
But according to the senators’ letter, sent Thursday, border staff “lacks the technical capabilities to verify e-passport chips.”
Although border staff have deployed e-passport readers at most ports of entry, “CBP does not have the software necessary to authenticate the information stored on the e-passport chips.”
“Specifically, CBP cannot verify the digital signatures stored on the e-passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged,” the letter stated.
Wyden and McCaskill said in the letter that Customs and Border Protection has “been aware of this security lapse since at least 2010.”
That year, the Government Accountability Office released a report first noting that CBP’s parent federal department, Homeland Security, had “not implemented the capabilities needed to completely validate the digital signatures generated by State before relying on the data.”
The report said that, until Homeland Security implements this technology, border staff “will continue to lack reasonable assurance that data found on e-passport computer chips have not been fraudulently altered or counterfeited.”
Eight years later, “CBP still does not possess the technological capability to authenticate the machine-readable data in e-passports,” the senators said.
Matthew Green, a cryptography teacher at Johns Hopkins University, said in a tweet after the news broke: “If you have a passport from a visa waiver country, the passport officer is looking at a picture and traveler information that is read from your passport’s e-chip.”
He added that the “data isn’t guaranteed to be authentic.”
The letter concluded by asking the agency to implenent a plan to properly authenticate e-passports by the start of next year.
When reached, a spokesperson for Customs and Border Protection did not comment.