ePassport digital signatures still can’t be verified by CBP
Since 2010 when a Government Accountability Office (GAO) audit discovered the security lapse, Customs and Border Protection (CBP) “still does not possess the technological capability to authenticate the machine-readable data in ePassports,” stated Democratic Sens. Claire McCaskill (MO) and Ron Wyden (OR) in a recent letter to Acting CBP Commissioner Kevin McAleenan, informing him CBP needs to “immediately act to utilize the anti-forgery and anti-tamper features in ePassports, which have gone unused by CBP since their implementation in 2007.”
“Without the software [to] verify the [cryptographic] digital signatures stored on the ePassport,” CBP can’t “determine if the data stored on the smart chips has been tampered with or forged,” McCaskill and Wyden said.
CBP officers can download and read the information on the RFID chips in US passports, but they can’t authenticate it. It’s a security gap which disallows CBP to know whether the data placed on the chip by the Department of State hasn’t been “altered or forged,” GAO stated in its January 2010 audit report, Better Usage of Electronic Passport Security Features Could Improve Fraud Detection.
When the State Department began issuing ePassports with embedded computer chips that store information identical to that printed in the passport, it also developed a comprehensive set of controls to govern the operation and management of a system to generate and write a security feature called a digital signature on the chip of each ePassport it issues. When verified, digital signatures provide reasonable assurance that the data placed on the chip by the State Department have not been altered or forged.
“However,” GAO pointed out, the Department of Homeland Security (DHS) does not have the capability to fully verify the digital signatures because it has not deployed ePassport readers to all of its ports of entry, and it has not implemented the system functionality necessary to perform the verification. Because the value of security features depends not only on their solid design, but also on an inspection process that uses them, the additional security against forgery and counterfeiting that could be provided by the inclusion of computer chips on ePassports issued by the United States and foreign countries, including those participating in the visa waiver program, is not fully realized.”
“The US government played a central role in the global adoption of ePassports. These high-tech passports have smart chips – which store traveler information – and cryptographic signatures, an important security feature that verifies the validity and legitimacy of the passport and its issuing government agency,” and, “for more than a decade, the United States has required that countries on the visa-waiver list issue machine-readable ePassports,” McCaskill and Wyden said, noting that, “Since 2015, the United States has further required that all visitors from countries on the visa-waiver list enter the United States with an ePassport.”
But, “Despite these efforts,” the two senators told McAleenan, “CBP lacks the technical capabilities to verify ePassport chips.
They emphasized that “CBP has been aware of this security lapse since at least 2010” when the GAO audit report “highlight[ed] the gap in technology. “Eight years after that publication, CBP still does not possess the technological capability to authenticate the machine-readable data in ePassports.”
At the time of its audit report, GAO recommended “DHS implement the systems needed to fully verify ePassport digital signatures at US ports of entry, and in coordination with State, implement an approach to obtain the necessary data to validate the digital signatures on US and other nations’ e-Passports.”
DHS agreed with the government watchdog’s recommendations.
Now nearly a decade later, McCaskill and Wyden stated, “It is past time for CBP to utilize the digital security features it required be built into ePassports,” and told McAleenan CBP must “Work with the relevant subject matter experts at the General Services Administration to determine the true cost of developing or acquiring the technical capacity to validate the digital signatures in e-Passports,” and to, “Develop and implement a plan to properly authenticate ePassports by January 1, 2019.”
GAO had noted that “protections designed into the US ePassport computer chip limit the risks of malicious code being resident on the chip, a necessary precondition for a malicious code attack to occur from the chip against computer systems that read them.”
But while steps were taken “to decrease the likelihood that malicious code could be introduced onto the chip … these steps do not provide complete assurance that the chips are free from malicious code,” GAO disclosed, noting, “the limited communications between the ePassport chip and agency computers significantly lowers the risk that malicious code—if resident on an ePassport chip—could pose to agency computers. Finally, given that no protection can be considered foolproof, DHS … needs to address deficiencies noted in our previous work on its computer systems to mitigate the impact of any malicious code that may be read from ePassport computer chips and infect those systems.”
In response, CBP has stated “while [it] does not verify the country certificate of an ePassport at this time, CBP does verify the data contained within the chip and in the machine-readable zone (MRZ) … the data on the chip and the MRZ is compared, and any inconsistencies are immediately flagged for the CBP officer.” CBP also said it verifies that chips haven’t been modified or tampered with.