US Border Patrol Hasn’t Validated E-Passport Data For Years

Passports, like any physical ID, can be altered and forged. That's partly why for the last 11 years the United States has put RFID chips in the back panel of its passports, creating so-called e-Passports. The chip stores your passport information—like name, date of birth, passport number, your photo, and even a biometric identifier—for quick, machine-readable border checks. And while e-Passports also store a cryptographic signature to prevent tampering or forgeries, it turns out that despite having over a decade to do so, US Customs and Border Protection hasn't deployed the software needed to actually verify it.

This means that since as far back as 2006, a skilled hacker could alter the data on an e-Passport chip—like the name, photo, or expiration date—without fear that signature verification would alert a border agent to the changes. That could theoretically be enough to slip into countries that allow all-electronic border checks, or even to get past a border patrol agent into the US.

"The idea of these things is that they’re supposed to provide some additional electronic security over a standard passport, which can be forged using traditional techniques," says Matthew Green, a cryptographer at Johns Hopkins University. "The digital signature would provide that guarantee. But if it’s not checked it doesn’t."

A letter to CBP on Thursday from senators Ron Wyden of Oregon and Claire McCaskill of Missouri highlights this crucial shortcoming. More than 100 countries now offer passports that come with a digital chip, and fewer than half of those include the capability to verify the integrity of data using a digital signature. But Wyden and McCaskill stress that while the US demands that countries in the Visa Waiver program put a chip in their passports, it has failed to fully realize its own e-Passport program.

"CBP does not have the software necessary to authenticate the information stored on the e-Passport chips," the two Senators wrote. "Specifically, CBP cannot verify the digital signatures stored on the e-Passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged."

Comments

Privacy Policy

US Border Patrol Hasn’t Validated E-Passport Data For Years is dedicated to protecting consumer privacy on the Internet. Our practices are consistent with privacy guidelines established by eTrust.com.

US Border Patrol Hasn’t Validated E-Passport Data For Years does not require any personal information to obtain access to our website.

US Border Patrol Hasn’t Validated E-Passport Data For Years does require limited personal information including name and mailing address from individuals wishing to join as members. Additional information such as e-mail address and phone number may also be requested in order that we may contact members in a timely manner on issues related to our mission.

You will only receive e-mail from us if you request to be added to our e-mail list. You may revise or remove your e-mail address from our files at any time.

US Border Patrol Hasn’t Validated E-Passport Data For Years uses "cookie" technology to obtain non-personal information from our online visitors, such as browser/computer type, number of visitors, and site usage. We do not use cookies to extract personal information.

Our website contains links to other sites, but US Border Patrol Hasn’t Validated E-Passport Data For Years does not necessarily advocate, support or condone the privacy practices or content of these websites.

US Border Patrol Hasn’t Validated E-Passport Data For Years makes all information received from our online visitors as secure as possible against unauthorized access and use. All information is protected by state-of-the-art security technology.

US Border Patrol Hasn’t Validated E-Passport Data For Years respects the individual privacy rights and concerns of visitors to our website. We support meaningful self-regulation of the Internet to ensure that responsible organizations maintain the right to use all communications media to interact with the public.