U.S. Customs Cannot Validate e-Passports

For at least 8 years the government has known that the border entry system has a hole large enough to drive a terrorist through, to abuse a phrase, and has not done anything about it.

While the government was twisting the arms of other countries to put chips in their passports – and about a hundred of them do that today – we have not deployed the software needed to validate the security of an e-Passport. About 50 of those countries have checksums in the e-Passport that would detect digital manipulation, but because we do not check them, we would never know.

First, it is important to understand that this is not an attack that an amateur could do. But terrorists, in many cases, have nation-state backing, so that is something they absolutely could do.

At the risk of pointing out the obvious, while the government is intent on spending $20 billion on a border wall, the terrorists can just come in by driving through a border station with a hacked U.S. passport. Why try to walk for miles through the desert after climbing a really hard-to-climb wall when you can be waved through a border station by a nice man in a uniform, while in your air-conditioned car?

This issue goes back to 2006; the Government Accountability Office issued a report in 2010. Still, nothing has been done about it.

Johns Hopkins cryptographer Matthew Green suggested that the Customs and Border Protection officer is likely to assume the data on the chip is valid and not even look at the pages in the passport. Of course, the terrorist could modify both of these, and hackers have already cloned the chips to test their ability to hack passports.

The issue boils down to this. e-Passports have a chip in them that carries a digital copy of the information printed on the paper passport. The digital information is cryptographically signed to detect if someone changed the data on that chip. In the case of the U.S., a terrorist could change the digital information and not be detected. To maximize the chances of not getting caught, they would also want to change the printed information on the paper passport, but people have been doing that for decades, at least. The digital passport is supposed to make forging a passport harder – but not if people don’t check the validity of the digital data.
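
To make the validation step concrete, here is a simplified model of the check a border reader is supposed to perform, added as an illustration and not taken from Wired, the GAO report or any real passport software. It assumes a toy textbook-RSA issuer key, constructed sample data, and the data group labels DG1 and DG2; real chips use full-size keys and a standardized signed structure.

```python
import hashlib

# Toy issuer key: textbook RSA built from two known Mersenne primes.
# Real e-Passports use full-size RSA or ECDSA keys with proper padding.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                            # public modulus, known to the reader
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the issuer


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_list_as_int(hashes: dict) -> int:
    # Canonical encoding of the hash list, reduced to fit the toy modulus.
    blob = b"".join(k.encode() + v for k, v in sorted(hashes.items()))
    return int.from_bytes(digest(blob), "big") % N


def issue(data_groups: dict) -> dict:
    """Issuer side: hash each data group, then sign the list of hashes."""
    hashes = {name: digest(value) for name, value in data_groups.items()}
    return {"data": dict(data_groups), "hashes": hashes,
            "signature": pow(hash_list_as_int(hashes), D, N)}


def validate(chip: dict) -> str:
    """Reader side: uses only the issuer's public values N and E."""
    if pow(chip["signature"], E, N) != hash_list_as_int(chip["hashes"]):
        return "reject: signature over hash list is invalid"
    for name, value in chip["data"].items():
        if chip["hashes"].get(name) != digest(value):
            return f"reject: {name} does not match signed hash"
    return "accept"


# Constructed sample chip contents and two constructed tampering cases.
genuine = issue({"DG1": b"P<UTO<DOE<<JANE", "DG2": b"<face image bytes>"})
edited = {**genuine, "data": {**genuine["data"], "DG1": b"P<UTO<ROE<<JOHN"}}
rehashed = {**edited, "hashes": {**edited["hashes"],
                                 "DG1": digest(edited["data"]["DG1"])}}

if __name__ == "__main__":
    for label, chip in [("genuine", genuine), ("edited", edited),
                        ("rehashed", rehashed)]:
        print(label, "->", validate(chip))
```

Both altered chips are rejected only because validate() is actually run; a reader that displays the chip data without this step treats all three identically.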

Information for this post came from Wired.

