back to article That microchipped e-passport you've got? US border cops still can't verify the data in it

Two Democratic US senators have formally asked Uncle Sam's Customs and Border Protection (CBP) agency to get its act together on electronic passports. In 2005, America began issuing passports with implanted machine-readable RFID chips that contain the traveler's personal information. This data is cryptographically signed so …

  1. Yet Another Anonymous coward Silver badge

    Solution

    Just print a little green padlock on the front of the passport - then they know everything is safe

    1. redpawn

      Re: Solution

      Or just have the passport holder raise their right hand.

      To get a new one, I turned in the old one and raised my right hand and swore that the information was correct, which made the information correct.

      1. Anonymous Coward
        Anonymous Coward

        Re: Solution

        You joke, but getting people to socially adopt confirmation works for 99% of the time. Doing a ritual sometimes bakes in the obedience to authority. I am not saying I agree, but it seems factual. It's the 1% that were lying that there is usually a problem, or reason they lied.

        Of cause those statistics are made up, but illustrative. Look at most school, jobs or social groups. People do things not because it is right, works, or even sane half the time. They do it because everyone else is.

        1. veti Silver badge

          Re: Solution

          Umm... 99% of people are travelling on perfectly valid credentials to begin with. It's the remaining 1% that you need to worry about. If your test can't distinguish them, with reasonable levels of reliability, then it's not contributing anything of value.

          1. GrumpyOldBloke

            Re: Solution

            I don't think it was ever about contributing anything of value. When you are the worlds largest supporter of terrorism then that 1% is an important part of being able to move your assets around. It's the journalists and whistle blowers that need to be stopped.

          2. Anonymous Coward
            Anonymous Coward

            Re: Solution

            It's the remaining 1%

            You just emphasized what is wrong with CBP. Its procedures are aimed at 1%-5% which is in the rabid paranoya zone especially regarding people from other developed country.

            The root cause is American exceptionalism. USA thinks that the whole world has nothing better to do than to go and pollute the precious American purity of the nation. The root cause is that the whole nation has the idea that they are the pinnacle of creation drilled into them from the cradle to the grave. They cannot grok the idea that most of us got work to do and joining the ranks of the people eating hormone beef and chlorinated chicken without any medical coverage is the last thing on our minds.

            The real number of travelers with "issues" between developed countries is significantly less that 0.1%. Acknowledging this, however means that USA has to acknowledge that their border circus is mostly pointless - something they will never do.

            1. Anonymous Coward
              Anonymous Coward

              Re: Solution

              "Acknowledging this, however means that USA has to acknowledge that their border circus is mostly pointless - something they will never do."

              This is a good one. I've seen similar circus several times in border control, in former Soviet Union.

              Most other countries don't bother as they know most of the circus is pointless and just wasted money: Security theatre as most of the so-called 'security' nowadays.

              Basically a money laundering system for management: Steal from taxpayers, give to my buddies here, working in 'security'. And I get a nice slice, of course.

              1. Anonymous Coward
                Anonymous Coward

                Re: Solution

                Basically a money laundering system for management: Steal from taxpayers, give to my buddies here, working in 'security'.

                Slightly more complicated I am afraid. Americans observing this circus every time they travel can get a reinforcement of their sense of exceptionalism. The ability to steal more money from them (in the form of taxes) is only one small facet.

                When someone is brainwashed into exceptionalism crashing out into the real world is a very hard experience with unpredictable results. So their sense of exceptionalism should be cherished and supported at every step. Just in case. To make sure that the period when the Americans questioned their ruling class on THINGS THAT MATTERED, like the 60-es and early 70-es never ever happens again. It is bad for business.

          3. Anonymous Coward
            Anonymous Coward

            Re: My suggestion

            Was the test is not there to find the 1%. It is there to make sure the 99% keep obeying, possibly in other areas of life.

          4. Anonymous Coward
            Anonymous Coward

            Re: Solution

            "If your test can't distinguish them, with reasonable levels of reliability, then it's not contributing anything of value."

            This is absolutely true. I can see the idea behind the chips but it's already obsolete: Programming a chip so it has same data as the passport isn't hard. Making forgery a bit harder, but no means impossible so criminals just steal blank passports and chip them with whatever they want.

            Whole idea of "security chips" is based on assumption that only authorities have capability to create or use said chips. Which might have been true 20 years ago but hasn't been true for a long time now.

            1. Grooke

              Re: Solution

              You need to read up on digital signatures. Yes you can copy the data, but you cannot alter it and maintain a valid signature without the private key. You also can't create a new one from scratch, it won't have a proper signature.

              The only thing you can do is make an exact copy, which is no more useful than just stealing the physical passport.

              1. Anonymous Coward
                Anonymous Coward

                Re: You can find the key.

                SHA-1 Hash Collision says hello to "it's impossible to fake". However currently it is probably easier to buy an entire jet airline, than calculate a fake key for a passport.

              2. John Brown (no body) Silver badge

                Re: Solution

                "You need to read up on digital signatures. Yes you can copy the data, but you cannot alter it and maintain a valid signature without the private key. You also can't create a new one from scratch, it won't have a proper signature."

                Yeahbut, the point of the story is that 13 years after introducing the system and "ordering" other countries to spend lots of money also introducing RFID passports, they still can't verify the keys. Currently it's not better than a simple printed passport and now the encryption system is 13 years old. That's a long time time in terms of crypto development and cracking. I wonder how good the encryption was then and how good it is now?

              3. CrazyOldCatMan Silver badge

                Re: Solution

                Yes you can copy the data, but you cannot alter it and maintain a valid signature without the private key. You also can't create a new one from scratch, it won't have a proper signature...

                .. which none of the Border cops will pick up becuase they don't have the capability. I suspect that you could use a self-signed cert and get away with it - right up until you try to go into an advanced country that actually has the proper technology..

                (A number of years ago I worked for a company that tried to see passport readers that could read the biometrics. None of them had any network access (to the best of my admittedly hazy knowledge) and so wouldn't have been able to check certificates unless against a good-known set. Which would have been out of date very rapidly and therefore been worse than useless.)

        2. Anonymous Coward
          Anonymous Coward

          Re: Solution

          @ " It's the 1% that were lying that there is usually a problem"

          Ah another "if you have done nothing wrong then you have nothing to fear", how about those people who only want to share their personal information directly with the people they can see?

          Not to mention the US agents scaning people when they enter other countries. I can understand the US requiring chipped passports for people entering the US but since they don't bother to verify them and the chip is not turned off elsewhere then non-sheep wonder why.

    2. John Smith 19 Gold badge
      Unhappy

      So basically it's just a bluff, and has been for the last 13 years at least

      Because no one know how long this will take to roll out

      1. Eddy Ito

        Re: So basically it's just a bluff, and has been for the last 13 years at least

        I don't know that it was a bluff but it does show the level of competence. When you have a situation where everyone is screaming that gov't must do something then what you get is gov't usually does something. Is it the right thing, a practical thing, or effective thing to do? Probably not but it tempers the vocal minority and when a plane isn't hijacked in the next year everyone goes back to sitting on their hands.

        Oh, the reason no one knows how long it takes is because once the heat is off they go right back to hand sitting or playing minesweeper or surfing pr0n or whatever it is minions do when the boss taxpayer isn't looking.

        1. handleoclast

          Re: So basically it's just a bluff, and has been for the last 13 years at least

          Yep. Security through obscurity. Gets the terraists thinking "They have very good passport ID chips so we can't use fake passports any more."

          Now the vulnerability has been exposed CBP have a very short period of time to fix it before it starts getting exploited.

          Plus ça change, plus c'est foutu. (Blame Google translate, not me).

  2. Mike 16

    But the other function works?

    You know, the "Who in this crowd is from the USA?" one, to aid in targeting them.

    Or should I say "Who in this crowd is from the USA _and_ dumb enough not to RF shield their passport and credit cards?"

    And the digital signatures? I assume the private keys will be from Verisign.

  3. BA

    Even worse.

    They haven't distributed the charts showing where the ar*e and elbow are on a human body.

    1. BebopWeBop

      Re: Even worse.

      Ahh that explains the TSA’s intrusive feel ups searches - trying to work out which is the arse.

      1. Anonymous Coward
        Anonymous Coward

        Re: Even worse.

        I'd rather have a finger on the elbow any day.

  4. Mark 85
    Facepalm

    Here we are 13 years later and they still can read and verify the chips? On top of that they haven't even looked for or ordered the software? Yet, these guys claim to be defending the country's borders from the evil (fill in enemy of the day). Not surprising, just unexpected that this sort of crap is happening.

  5. John 98

    If its anything like the UK it will take them ten years and cost several billion dollars

    1. Anonymous Coward
      Anonymous Coward

      If its anything like the UK it will take them ten years and cost several billion dollars

      It would cost millions of pounds, the people allocated to the project would sit on their hands for the first month or so before anyone bothers to develop a plan and several millions later they would decide to scrap the plan because by now everyone has their tax payer funded yacht and it's becoming too obvious it was never meant to produce results.

      To ensure the NAO gives it a clean bill of health regardless, you "retire" one of your senior people when the project is just underway, and he or she than "happens" to take up a top job at the NAO. Once there, you brief the people in the project before you run the audit, and, of course, you choose the most inexperienced people to perform the audit.

      It's really easy if you have the right friends. Surely you don't think certain people have to establish their own private bank just because they are so good at saving, do you?

      1. hammarbtyp

        f its anything like the UK it will take them ten years and cost several billion dollars

        I'm willing to help. I can get them a copy of OpenSSL for a snip at £1 million, no questions asked

    2. iRadiate

      Another sign of American exceptionalism. It wouldn't cost dollars. It would cost pounds.

      1. Jeffrey Nonken

        Could be exceptionalism. Could also be a minor slip due to habit. I know ex-pat Brits who still call deep-fried potato slices "crisps", and I don't assume they're doing it through some sense of entitlement or snobbery.

  6. Terry 6 Silver badge

    I don't think it's just America

    Creating Information ( read "IT") based projects on the "cheapest and least we can get away with while appearing to be doing something" basis seems endemic. On that background this just seems another example. - though I suspect it's spread to other fields, as in aircraft carriers without aircraft.

    Essentially it's about giving the appearance without the substance. Like one of the Hollywood stage sets.

    So, for example, get an expensive powerful new Data management system that is expected to run on an old, ageing network and no staff training will be provided.

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't think it's just America

      Terry 6,

      You were very close to the truth .....

      It is called 'Security Theatre' !!!

      You make a very obvious 'Song & Dance' about some aspect of Security to 'Demonstrate' the huge effort being made for your security & safety, only it is more to hide the fact that the system does not work or is incomplete etc.

      It has been spoilt by the fact that the lack of s/w to check the validity of the Signatures has now been made known to 'Everyone' !!! :) ;)

      Looks like they will have to spend the money to complete the system and make sure it does 'work' or create another piece of 'Security Theatre' to convince the public that there is some 'other' system/process protecting them !!!

      Guess which one is *more* likely !!! :)

      N.B:

      The Gullibility Quotient of the *majority* is already known ..... from events that culminated on November 8, 2016. :) :)

  7. Anonymous Coward
    Anonymous Coward

    American border cops, can they even read?

    Or am I confusing them with TSA personnel?

  8. DNTP

    Just a TSA anecdote

    The last time I went through a US airport I decided to re-enact the Ninja's Flute, a story where a pair of ninja infiltrate a guarded palace by arguing about whose flute is of higher quality to distract the guards inspecting them. This is because I am a ninja, even though I mostly use my powers for good. As I handed the TSA agent my legitimate, electronically authoritative American passport, I pulled a water bottle out of my bag, made to hand it to her, and asked her if she thought it was barely small enough to bring on board. Completely distracted by this important security issue requiring discriminating judgement, she closed my passport without even looking at the picture or comparing my name to my boarding pass, handed it back, and took my water bottle for inspection.

    So basically... the fact that no one is bothering with working electronic passport authentication is really, really not the important issue here.

    1. Anonymous Coward
      Anonymous Coward

      Re: Just a TSA anecdote

      Clearly, the dihydrogen monoxide you had was an extreme dangerous good. Compare to the passport, they had to dispose the hazardous chemical immediately as its tasteless and odorless properties can be easily inhaled, potentially causing suffocation and deaths.

      Those agents are very good at putting their priorities in order to protect the children. Did you know that dihydrogen monoxide is the leading cause of unintentional injury-related death among children ages 14 and under? From 2006 to 2010, there are at least 400 fatalities caused by dihydrogen monoxide.

      You should be glad that they didn't force you to inject those substances into your body on the spot after you took it out. Just imagine what it would do to your body afterward!

      /s

      1. A K Stiles
        Coat

        Re: Just a TSA anecdote

        But what if it had been Hydrogen Hydroxide, or worse - Hydric Acid! - Have you seen how high the pH of that stuff is!

    2. paulf
      Facepalm

      Re: Just a TSA anecdote

      @DNTP "...she closed my passport without even looking at the picture or comparing my name to my boarding pass,..."

      I recall having a Miami Twice* moment when I was checking in at an airport in the Land of the Free. The agent "checked" my fine brown British passport, "Dieu et mon Droit" proudly emblazoned in gold letters across the bottom of the majestic royal coat of arms.

      And then proceeded to ask me if I was Australian.

      Icon is how I would have responded if I didn't have an aversion to intimate inspections.

      *One of the running jokes through this Only Fools and Horses special is everyone thinks these two chancers from South London are from Australia.

      1. Alister

        Re: Just a TSA anecdote

        , "Dieu et mon Droit" proudly emblazoned in gold letters across the bottom of the majestic royal coat of arms.

        You should have claimed to be French, that would have fooled them...

        1. paulf
          Go

          Re: Just a TSA anecdote

          "You should have claimed to be French, that would have fooled them..."

          That would probably have worked. I wonder how many Americans think all Frenchmen speak with a perfect English Shakespearian accent thanks to Star Trek TNG...?

          1. Jeffrey Nonken

            Re: Just a TSA anecdote

            All of us. We're to stupid to know the difference and none of us have ever discussed the issue.

  9. Steve Knox
    Paris Hilton

    Software?

    " the software to verify the e-passport chips "

    Like a db of trusted certs?

    Seriously, what extra software is needed to verify cryptographically signed data that you can already decrypt and read?

    1. Anonymous Coward
      Joke

      Re: Software?

      Well, obviously a framework of some sorts will need to be made in which a suite of applications can be created that creates an interoperable, secure system which forms the basis of national security.

    2. Dan 55 Silver badge

      Re: Software?

      I bet everyone came unstuck when they decided they wanted to do it online in realtime.

    3. An nonymous Cowerd

      Re: Software?

      a front-line desk Ethernet connection to check the server in Singapore!

    4. CrazyOldCatMan Silver badge

      Re: Software?

      what extra software is needed to verify cryptographically signed data that you can already decrypt and read

      The ability to access a CRL and parse the presented cert against it? Agreed, it's not the science that puts metal in orbit but it does need a teensy bit of writing.

  10. Anonymous Coward
    Anonymous Coward

    ' taking the "optical" in optical networking a little too far'

    Mmmh, if you put these 2 stories together then a bigger picture emerges...

    Not dealing with the smartest kid on the block... American Xceptionalism:

    .

    https://www.theregister.co.uk/2018/02/22/us_customs_optical_networking/

    https://www.theregister.co.uk/2018/02/22/us_borders_e_passports/

  11. The Oncoming Scorn Silver badge
    Big Brother

    Shiney - Lets Be Bad Guys

    Nice new machines at the new YYC terminal building, to read\scan your passports & fingerprints when travelling into the US, the first time I went through seemed to be a lot quicker than the second 7 months later, but then I was traveling with family members.

    Coming back into Canada, the spanky new machines doesn't seem to have simplified\accelerated the whole customs experience of coming home.

    1. John Sager

      Re: Shiney - Lets Be Bad Guys

      Last time I went into the US, last summer at Oakland, they had these ESTA checking machines, which had a long line of people trying to use, and they aren't especially easy if you've never seen one before. Then, of course, we had to join an even longer line to see the regular Immigration guy, with the usual photo and fingerprint dance. Since the desk guy has to scan the passport, why don't they do the ESTA check there?

  12. JeffyPoooh
    Pint

    Border crossings, with or without Network access

    If one is crossing a border in (for example) the hinterlands of Mongolia, where they utterly fail to have Network access, then the friendly border agents working in the shed are forced to reply on your "Papers Please" hard copy documents.

    Everywhere else in the world, where there's electricity and an Ethernet cable, a simple bar code or memorized string should be enough to bring up your file. The agents can review the information on their screen, ask you to remove your hat, look in your left ear for the mole, and generally carry on from there.

    If the multi-factor "What You Have" factor is needed, then - based on the electronic information - they can ask to see (for example) your car keys to confirm it's Honda or whatever. If not car keys, then the head from the GI Joe doll that you always carry and have registered as the "Have" factor.

    The whole concept of a hard copy Passport is obsolete given that it's mostly used to bring up your online file anyway.

    1. G.Y.

      memorize? Re: Border crossings, with or without Network access

      all you have to memorize is your 1st name &home 'phone number

  13. perlcat

    The only news here would be that some people think that this collection of dim bulbs should be given more authority and control over our lives.

  14. Anonymous Coward
    Anonymous Coward

    Who cares if it works?

    Do you seriously suggest all the extremely expensive chipping, body-scannig and snooping is implemented in order to increase "security"? Financial security, maybe.

  15. DrM
    WTF?

    Does not compute

    Well, the government says the only thing on the chip is the passport number. They say nothing is stored but an index number for your data.

    So are they lying, or is this fake news?

    1. Anonymous Coward
      Anonymous Coward

      Re: Does not compute

      They are lying. Chip has ID data (name etc.), fingerprints and photograph. Otherwise it would be useless, wouldn't it?

      1. chrismeggs

        Re: Does not confuse

        Of course it's useless- the possession of a document is and always has been only one of the three authentication requirements. Even so, this relies on the border officer comparing the photograph with the person in front of him. This is an action that is not proved as having been done. How do we identify an individual? Name or appearance? How about an intrinsic biometrics? In which case, we don't need a piece of paper issued by an authority based on a series of easily forged breeder documents.

    2. elkster88

      Re: Does not compute

      "...the government says the only thing on the chip is the passport number. "

      That's news to me, but I'm not saying you're wrong.

      "So are they lying, or is this fake news?"

      Install the "READID NFC Passport Reader" app from Google Play and find out for yourself. I did this just yesterday after reading about it in a comment here on El Reg.

      Among other things, there's your date of birth, the issuing location, date of issuance, date of expiration, and so on.

      Along with the crypto certs that the USA CBP agents can't verify.

  16. hammarbtyp

    I'm shocked...

    I'm shocked that a country which still hasn't got around to chip and pin and still relies on a illegible scrawl on a piece of paper to confirm purchases cannot deal with electronically verification of a passport

  17. Mystic Megabyte
    FAIL

    chipity chip chip!

    I did some research into chipping animals. IIRC there are five different proprietary systems in the USA. No veterinary practice is going to buy five competing scanners so when Fido gets lost he may not be coming home. In the EU there is one open standard.

    The CBP will, no doubt, have to use red, yellow, blue, green and fuchsia coloured scanners to cope with every nationality. /s

    1. A K Stiles
      Joke

      Re: chipity chip chip!

      And those filthy reds aren't getting in! No way!

      Unless it's republican red of course...

    2. CrazyOldCatMan Silver badge

      Re: chipity chip chip!

      so when Fido gets lost he may not be coming home. In the EU there is one open standard

      I'll have you know that far more important species of pets (see posting name - now up to 7 cats) are also chipped.

      And we may now be buying chip-enabled feeders to prevent VastlyOverweightCat from eating all the food intended for TimidLittleCat.

      Although getting the two still semi-feral cats to stay still while they are near the feeder is going to be an interesting challenge. One that'll require armour since I really don't want more punctures in my left arm..

  18. Marco van de Voort

    The worst is they require it 8+ years now

    The worst thing is that when I went to NY in 2010, my, then fairly recent, passport had no biometrics, and I had to get a new one with biometrics. (which they couldn't read then, OR now)

  19. IsJustabloke
    Meh

    US Border Controls...

    They seem to have no idea what they're doing full stop.

    I had to fly to New Zealand last month, my transfers were via San Francisco... because like most of us these days I have a valid ESTA, I was told to use the automated machines... the machine read my passport, asked me a load of questions, took my finger prints and issued me a "transfer voucher" instead of a normal landing card. It wasn't obvious where I should go next so I asked a handy agent who directed me to a queue... I asked him if he was sure because I'd just used the machine and he replied "The only way out is past one of those guys" so even though I had used a machine a still had to queue up and go through the whole rigmarole again.

    They're clueless.

    TBH everything about their border controls is low rent and 3rd world.

    1. Anonymous Coward
      Anonymous Coward

      Re: US Border Controls...

      "TBH everything about their border controls is low rent and 3rd world."

      Similar show I've seen only in one place: Former Soviet Union border. Except those were competent people, very professional.

      If you had all papers (literally) in your hand and those were OK even there I had to queue only once. No automation of course at that time.

      Automation is meant to replace the humans in the process, but obviously US border control hasn't quite grasped the idea yet.

      Or are protecting their precisious jobs by doing the job twice.

      1. John Brown (no body) Silver badge

        Re: US Border Controls...

        "Or are protecting their precisious jobs by doing the job twice."

        Are they Unionesed by any chance?

  20. aliceklaar?
    Holmes

    RFIdiots

    Quote from Virus Bulletin's Martijn Grooten today -

    "Researchers note that even without signature validation ensuring data integrity, it would still take technical skill to manipulate the information on an e-Passport's RFID chip "

    Yeah Right. Using Linux is like so difficult dude it needs actual technical skills :p

    Back in 2007 Adam Laurie was doing research into RFID cards and did the whole Shmoocon / DEFCON / Blackhat tours with RFidiots & hacking an ePassport. He even told the Daily Mail.

    However, the U.K. Home Office defended the passports, asserting the hack doesn't make them less secure.

    "The key point ... is that the information on the chip cannot by changed, rendering the procedure described by Adam Laurie pretty pointless," wrote Peter Wilson, senior press officer.

    Further, a cloned chip would have to be inserted into a forged passport, and new security measures in the passports make that "virtually impossible," the Home Office said, quoting a report released by the National Audit Office.

    So here's a link to the pretty pointless procedure of changing your photo "Hackers expose security flaws with 'Elvis Presley' (e)passport" from CNN

    https://www.youtube.com/watch?v=vR15PWU18JA

  21. Joe Harrison

    I have the answer

    Any Android phone with NFC can read everything you want to know from passports (or national ID cards, on which some people travel instead of passports.)

    For example this app will read the .jpg copy of the photo plus the entire certificate chain from my UK passport:

    https://play.google.com/store/apps/details?id=nl.innovalor.nfciddocshowcase

    Problem solved.

    1. jimbo36

      Re: I have the answer

      That wasn't the problem though, they can already read all the data - they just can't verify that it is correct :)

  22. ecofeco Silver badge

    Kafka would be proud!

    No doubt Kafka and Orwell are slapping each other's backs over pints regarding current affairs.

  23. jimbo36

    eGates

    This is why you can't use ePassport Gates in the US unless you've previously been through immigration control at least once, using the same passport.

    They verify the data the first time (although verify basically means checking you match the passport and it looks legit) and then the eGates will accept you on the next visit.

  24. jmy9595

    The "grim faced" comment is unnecessary. One, border control, an aspect of law enforcement, is a serious job, it's not handing people a mai tai when they board the plane for Hawaii. Two, bear in mind that the officers are dealing with both entitled arrogant US citizens and clueless visitors who just repeat questions back or cannot answer basic questions without being asked 3x--all this while being criminally understaffed. It takes its toll. Plus, everyone arriving thinks they're a comedian and the first one to say the witty thing they have to say.

  25. Agamemnon

    So ... some things:

    1. To verify the public key on the RFID in the passport, you'd need a copy of the public key.

    2. That would have to be stored *somewhere* and the public key would have to be scanned and sent to <location> over <network>.

    3. Compare and pair the keys.

    4. Presumably the TSA Agent would get a red light, or a green light (KISS principle) for the Cryptographic Validity of the RFID's data on their hand-held or base scanner thingy.

    Simplified, sure. But that's mostly the correct way to do it.

    The other way, is to put the public key in each scanner so it ust checks right there in the boxen.

    I'll be here having a pint taking bets on how this solution gets pushed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon