This week, Senators Ron Wyden (D-OR) and Claire McCaskill (D-MO) called for US Customs and Border Protection (CBP) to improve US border security by actually processing the digital signatures in e-passport chips in order to verify whether the information on the chip is counterfeit or valid.
The US Department of State began issuing e-passports in 2005 in order to enhance passport security and increase identification of forged passports; two years later, it asked foreigners participating in its Visa Waiver Program to implement smart chips with anti-forgery features in their passports as well.
Every US e-passport includes a smart chip that holds identification and a digital signature, among other information. Of course, chips can be tampered with and altered, just as paper can — that's why the e-passport chip data is cryptographically signed so that if the information is changed, the alterations can be quickly detected.
Or, they could be if the Department of Homeland Security actually had the software to do that and put it to use.
In 2010, the Government Accountability Office revealed that the Department of Homeland Security (DHS) was unable to validate digital signatures because it did not have the appropriate verification software; eight years later, DHS still lacks this capability to process the digital signatures in passport chips. This means that although American border cops can wirelessly read a traveler's personal data from the chip, they are still unable to check whether the data has been tampered with or forged.
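The difference between reading a chip and verifying it, as an added illustration (not code from the article, CBP or DHS). It is a simplified sketch of the approach e-passports take, in which the issuer signs a list of hashes of the chip's data groups; the toy unpadded RSA key, the `DG1`/`DG2` sample bytes and every function name here are assumptions made for the example.

```python
import hashlib
import json

# Toy textbook-RSA issuer key (assumption: stands in for the issuing state's
# signing certificate; unpadded and built from two Mersenne primes, NOT secure).
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the issuer only

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def _manifest(data_groups: dict) -> bytes:
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in data_groups.items()}
    return json.dumps(hashes, sort_keys=True).encode()

def issue_chip(data_groups: dict) -> dict:
    """Issuer: hash every data group, then sign the list of hashes."""
    manifest = _manifest(data_groups)
    return {"data_groups": dict(data_groups), "manifest": manifest,
            "signature": pow(_digest_int(manifest), D, N)}

def read_chip(chip: dict) -> str:
    """Read-only path: returns whatever the chip says, checks nothing."""
    return chip["data_groups"]["DG1"].decode()

def verify_chip(chip: dict) -> list:
    """Verification path: returns a list of problems, empty if authentic."""
    if pow(chip["signature"], E, N) != _digest_int(chip["manifest"]):
        return ["signature over hash list is invalid"]
    signed = json.loads(chip["manifest"])
    if signed.keys() != chip["data_groups"].keys():
        return ["data groups present do not match the signed list"]
    return [f"{name} does not match its signed hash"
            for name, blob in sorted(chip["data_groups"].items())
            if signed[name] != hashlib.sha256(blob).hexdigest()]

# Constructed sample data (not a real passport record).
GENUINE = issue_chip({"DG1": b"P<UTOSAMPLE<<ANNA", "DG2": b"<face image bytes>"})

def altered_copy(chip: dict, rehash: bool) -> dict:
    """Copy of a chip with DG1 changed; optionally with the hash list redone."""
    groups = dict(chip["data_groups"], DG1=b"P<UTOSAMPLE<<EVE")
    manifest = _manifest(groups) if rehash else chip["manifest"]
    return {"data_groups": groups, "manifest": manifest, "signature": chip["signature"]}

if __name__ == "__main__":
    for chip in (GENUINE, altered_copy(GENUINE, False), altered_copy(GENUINE, True)):
        print("read:", read_chip(chip), "| verify:", verify_chip(chip))
```

The read path returns the altered name without complaint in both altered cases; only the verification path reports a problem, and it does so whether or not the hash list was recomputed alongside the data.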
"I had assumed that they would verify this," Martijn Grooten, a security researcher for Virus Bulletin, a magazine that explores anti-malware technologies, told Wired. "It may cause some grumbles among countries in the Visa Waiver program: The US has demanded they offer e-Passports, and then only implemented the system partially themselves. It is a bit embarrassing."
"We write to ask that CBP immediately act to utilize the anti-forgery and anti-tamper features in e-passports, which have gone unused by CBP since their implementation in 2007," the senators' letter to CBP Acting Commissioner Kevin McAleenan said.
"It is past time for CBP to utilize the digital security features it required be built into e-passports," they added.
In their letter, the senators asked CBP to work with experts at the General Services Administration to determine the cost of developing the ability to validate digital signatures in e-passports. They also requested that CBP develop and execute a plan to properly authenticate e-passports by January 1, 2019.