back to article That microchipped e-passport you've got? US border cops still can't verify the data in it

Two Democratic US senators have formally asked Uncle Sam's Customs and Border Protection (CBP) agency to get its act together on electronic passports. In 2005, America began issuing passports with implanted machine-readable RFID chips that contain the traveler's personal information. This data is cryptographically signed so …

Silver badge

Solution

Just print a little green padlock on the front of the passport - then they know everything is safe

69
0
Silver badge

Re: Solution

Or just have the passport holder raise their right hand.

To get a new one, I turned in the old one and raised my right hand and swore that the information was correct, which made the information correct.

37
0
Anonymous Coward

Re: Solution

You joke, but getting people to socially adopt confirmation works for 99% of the time. Doing a ritual sometimes bakes in the obedience to authority. I am not saying I agree, but it seems factual. It's the 1% that were lying that there is usually a problem, or reason they lied.

Of cause those statistics are made up, but illustrative. Look at most school, jobs or social groups. People do things not because it is right, works, or even sane half the time. They do it because everyone else is.

8
9
Silver badge

Re: Solution

Umm... 99% of people are travelling on perfectly valid credentials to begin with. It's the remaining 1% that you need to worry about. If your test can't distinguish them, with reasonable levels of reliability, then it's not contributing anything of value.

38
0

Re: Solution

I don't think it was ever about contributing anything of value. When you are the worlds largest supporter of terrorism then that 1% is an important part of being able to move your assets around. It's the journalists and whistle blowers that need to be stopped.

34
1
Gold badge
Unhappy

So basically it's just a bluff, and has been for the last 13 years at least

Because no one know how long this will take to roll out

12
0
Anonymous Coward

Re: Solution

It's the remaining 1%

You just emphasized what is wrong with CBP. Its procedures are aimed at 1%-5% which is in the rabid paranoya zone especially regarding people from other developed country.

The root cause is American exceptionalism. USA thinks that the whole world has nothing better to do than to go and pollute the precious American purity of the nation. The root cause is that the whole nation has the idea that they are the pinnacle of creation drilled into them from the cradle to the grave. They cannot grok the idea that most of us got work to do and joining the ranks of the people eating hormone beef and chlorinated chicken without any medical coverage is the last thing on our minds.

The real number of travelers with "issues" between developed countries is significantly less that 0.1%. Acknowledging this, however means that USA has to acknowledge that their border circus is mostly pointless - something they will never do.

31
1
Anonymous Coward

Re: My suggestion

Was the test is not there to find the 1%. It is there to make sure the 99% keep obeying, possibly in other areas of life.

8
0
Anonymous Coward

Re: Solution

"If your test can't distinguish them, with reasonable levels of reliability, then it's not contributing anything of value."

This is absolutely true. I can see the idea behind the chips but it's already obsolete: Programming a chip so it has same data as the passport isn't hard. Making forgery a bit harder, but no means impossible so criminals just steal blank passports and chip them with whatever they want.

Whole idea of "security chips" is based on assumption that only authorities have capability to create or use said chips. Which might have been true 20 years ago but hasn't been true for a long time now.

6
4
Anonymous Coward

Re: Solution

"Acknowledging this, however means that USA has to acknowledge that their border circus is mostly pointless - something they will never do."

This is a good one. I've seen similar circus several times in border control, in former Soviet Union.

Most other countries don't bother as they know most of the circus is pointless and just wasted money: Security theatre as most of the so-called 'security' nowadays.

Basically a money laundering system for management: Steal from taxpayers, give to my buddies here, working in 'security'. And I get a nice slice, of course.

10
0

Re: Solution

You need to read up on digital signatures. Yes you can copy the data, but you cannot alter it and maintain a valid signature without the private key. You also can't create a new one from scratch, it won't have a proper signature.

The only thing you can do is make an exact copy, which is no more useful than just stealing the physical passport.

1
2
Anonymous Coward

Re: You can find the key.

SHA-1 Hash Collision says hello to "it's impossible to fake". However currently it is probably easier to buy an entire jet airline, than calculate a fake key for a passport.

3
0
Anonymous Coward

Re: Solution

Basically a money laundering system for management: Steal from taxpayers, give to my buddies here, working in 'security'.

Slightly more complicated I am afraid. Americans observing this circus every time they travel can get a reinforcement of their sense of exceptionalism. The ability to steal more money from them (in the form of taxes) is only one small facet.

When someone is brainwashed into exceptionalism crashing out into the real world is a very hard experience with unpredictable results. So their sense of exceptionalism should be cherished and supported at every step. Just in case. To make sure that the period when the Americans questioned their ruling class on THINGS THAT MATTERED, like the 60-es and early 70-es never ever happens again. It is bad for business.

4
0
Silver badge

Re: So basically it's just a bluff, and has been for the last 13 years at least

I don't know that it was a bluff but it does show the level of competence. When you have a situation where everyone is screaming that gov't must do something then what you get is gov't usually does something. Is it the right thing, a practical thing, or effective thing to do? Probably not but it tempers the vocal minority and when a plane isn't hijacked in the next year everyone goes back to sitting on their hands.

Oh, the reason no one knows how long it takes is because once the heat is off they go right back to hand sitting or playing minesweeper or surfing pr0n or whatever it is minions do when the boss taxpayer isn't looking.

1
0
Silver badge

Re: Solution

"You need to read up on digital signatures. Yes you can copy the data, but you cannot alter it and maintain a valid signature without the private key. You also can't create a new one from scratch, it won't have a proper signature."

Yeahbut, the point of the story is that 13 years after introducing the system and "ordering" other countries to spend lots of money also introducing RFID passports, they still can't verify the keys. Currently it's not better than a simple printed passport and now the encryption system is 13 years old. That's a long time time in terms of crypto development and cracking. I wonder how good the encryption was then and how good it is now?

4
0
Silver badge

Re: So basically it's just a bluff, and has been for the last 13 years at least

Yep. Security through obscurity. Gets the terraists thinking "They have very good passport ID chips so we can't use fake passports any more."

Now the vulnerability has been exposed CBP have a very short period of time to fix it before it starts getting exploited.

Plus ça change, plus c'est foutu. (Blame Google translate, not me).

0
0
Anonymous Coward

Re: Solution

@ " It's the 1% that were lying that there is usually a problem"

Ah another "if you have done nothing wrong then you have nothing to fear", how about those people who only want to share their personal information directly with the people they can see?

Not to mention the US agents scaning people when they enter other countries. I can understand the US requiring chipped passports for people entering the US but since they don't bother to verify them and the chip is not turned off elsewhere then non-sheep wonder why.

1
0
Silver badge

Re: Solution

Yes you can copy the data, but you cannot alter it and maintain a valid signature without the private key. You also can't create a new one from scratch, it won't have a proper signature...

.. which none of the Border cops will pick up becuase they don't have the capability. I suspect that you could use a self-signed cert and get away with it - right up until you try to go into an advanced country that actually has the proper technology..

(A number of years ago I worked for a company that tried to see passport readers that could read the biometrics. None of them had any network access (to the best of my admittedly hazy knowledge) and so wouldn't have been able to check certificates unless against a good-known set. Which would have been out of date very rapidly and therefore been worse than useless.)

0
0
Bronze badge

But the other function works?

You know, the "Who in this crowd is from the USA?" one, to aid in targeting them.

Or should I say "Who in this crowd is from the USA _and_ dumb enough not to RF shield their passport and credit cards?"

And the digital signatures? I assume the private keys will be from Verisign.

7
2
BA

Even worse.

They haven't distributed the charts showing where the ar*e and elbow are on a human body.

17
1
Silver badge

Re: Even worse.

Ahh that explains the TSA’s intrusive feel ups searches - trying to work out which is the arse.

13
0
Anonymous Coward

Re: Even worse.

I'd rather have a finger on the elbow any day.

9
0
Silver badge
Facepalm

Here we are 13 years later and they still can read and verify the chips? On top of that they haven't even looked for or ordered the software? Yet, these guys claim to be defending the country's borders from the evil (fill in enemy of the day). Not surprising, just unexpected that this sort of crap is happening.

25
0

If its anything like the UK it will take them ten years and cost several billion dollars

8
0
Anonymous Coward

If its anything like the UK it will take them ten years and cost several billion dollars

It would cost millions of pounds, the people allocated to the project would sit on their hands for the first month or so before anyone bothers to develop a plan and several millions later they would decide to scrap the plan because by now everyone has their tax payer funded yacht and it's becoming too obvious it was never meant to produce results.

To ensure the NAO gives it a clean bill of health regardless, you "retire" one of your senior people when the project is just underway, and he or she than "happens" to take up a top job at the NAO. Once there, you brief the people in the project before you run the audit, and, of course, you choose the most inexperienced people to perform the audit.

It's really easy if you have the right friends. Surely you don't think certain people have to establish their own private bank just because they are so good at saving, do you?

14
0
Silver badge

f its anything like the UK it will take them ten years and cost several billion dollars

I'm willing to help. I can get them a copy of OpenSSL for a snip at £1 million, no questions asked

8
0

Another sign of American exceptionalism. It wouldn't cost dollars. It would cost pounds.

0
0
Silver badge

Could be exceptionalism. Could also be a minor slip due to habit. I know ex-pat Brits who still call deep-fried potato slices "crisps", and I don't assume they're doing it through some sense of entitlement or snobbery.

0
0
Silver badge

I don't think it's just America

Creating Information ( read "IT") based projects on the "cheapest and least we can get away with while appearing to be doing something" basis seems endemic. On that background this just seems another example. - though I suspect it's spread to other fields, as in aircraft carriers without aircraft.

Essentially it's about giving the appearance without the substance. Like one of the Hollywood stage sets.

So, for example, get an expensive powerful new Data management system that is expected to run on an old, ageing network and no staff training will be provided.

9
0
Anonymous Coward

Re: I don't think it's just America

Terry 6,

You were very close to the truth .....

It is called 'Security Theatre' !!!

You make a very obvious 'Song & Dance' about some aspect of Security to 'Demonstrate' the huge effort being made for your security & safety, only it is more to hide the fact that the system does not work or is incomplete etc.

It has been spoilt by the fact that the lack of s/w to check the validity of the Signatures has now been made known to 'Everyone' !!! :) ;)

Looks like they will have to spend the money to complete the system and make sure it does 'work' or create another piece of 'Security Theatre' to convince the public that there is some 'other' system/process protecting them !!!

Guess which one is *more* likely !!! :)

N.B:

The Gullibility Quotient of the *majority* is already known ..... from events that culminated on November 8, 2016. :) :)

11
0
Anonymous Coward

American border cops, can they even read?

Or am I confusing them with TSA personnel?

11
1
Silver badge

Just a TSA anecdote

The last time I went through a US airport I decided to re-enact the Ninja's Flute, a story where a pair of ninja infiltrate a guarded palace by arguing about whose flute is of higher quality to distract the guards inspecting them. This is because I am a ninja, even though I mostly use my powers for good. As I handed the TSA agent my legitimate, electronically authoritative American passport, I pulled a water bottle out of my bag, made to hand it to her, and asked her if she thought it was barely small enough to bring on board. Completely distracted by this important security issue requiring discriminating judgement, she closed my passport without even looking at the picture or comparing my name to my boarding pass, handed it back, and took my water bottle for inspection.

So basically... the fact that no one is bothering with working electronic passport authentication is really, really not the important issue here.

42
1
Anonymous Coward

Re: Just a TSA anecdote

Clearly, the dihydrogen monoxide you had was an extreme dangerous good. Compare to the passport, they had to dispose the hazardous chemical immediately as its tasteless and odorless properties can be easily inhaled, potentially causing suffocation and deaths.

Those agents are very good at putting their priorities in order to protect the children. Did you know that dihydrogen monoxide is the leading cause of unintentional injury-related death among children ages 14 and under? From 2006 to 2010, there are at least 400 fatalities caused by dihydrogen monoxide.

You should be glad that they didn't force you to inject those substances into your body on the spot after you took it out. Just imagine what it would do to your body afterward!

/s

13
0
Silver badge
Coat

Re: Just a TSA anecdote

But what if it had been Hydrogen Hydroxide, or worse - Hydric Acid! - Have you seen how high the pH of that stuff is!

1
0
Silver badge
Facepalm

Re: Just a TSA anecdote

@DNTP "...she closed my passport without even looking at the picture or comparing my name to my boarding pass,..."

I recall having a Miami Twice* moment when I was checking in at an airport in the Land of the Free. The agent "checked" my fine brown British passport, "Dieu et mon Droit" proudly emblazoned in gold letters across the bottom of the majestic royal coat of arms.

And then proceeded to ask me if I was Australian.

Icon is how I would have responded if I didn't have an aversion to intimate inspections.

*One of the running jokes through this Only Fools and Horses special is everyone thinks these two chancers from South London are from Australia.

4
0
Silver badge

Re: Just a TSA anecdote

, "Dieu et mon Droit" proudly emblazoned in gold letters across the bottom of the majestic royal coat of arms.

You should have claimed to be French, that would have fooled them...

5
0
Silver badge
Go

Re: Just a TSA anecdote

"You should have claimed to be French, that would have fooled them..."

That would probably have worked. I wonder how many Americans think all Frenchmen speak with a perfect English Shakespearian accent thanks to Star Trek TNG...?

3
0
Silver badge

Re: Just a TSA anecdote

All of us. We're to stupid to know the difference and none of us have ever discussed the issue.

1
0
Silver badge
Paris Hilton

Software?

" the software to verify the e-passport chips "

Like a db of trusted certs?

Seriously, what extra software is needed to verify cryptographically signed data that you can already decrypt and read?

7
0
Joke

Re: Software?

Well, obviously a framework of some sorts will need to be made in which a suite of applications can be created that creates an interoperable, secure system which forms the basis of national security.

2
0
Silver badge

Re: Software?

I bet everyone came unstuck when they decided they wanted to do it online in realtime.

0
0

Re: Software?

a front-line desk Ethernet connection to check the server in Singapore!

2
0
Silver badge

Re: Software?

what extra software is needed to verify cryptographically signed data that you can already decrypt and read

The ability to access a CRL and parse the presented cert against it? Agreed, it's not the science that puts metal in orbit but it does need a teensy bit of writing.

0
0
Anonymous Coward

' taking the "optical" in optical networking a little too far'

Mmmh, if you put these 2 stories together then a bigger picture emerges...

Not dealing with the smartest kid on the block... American Xceptionalism:

.

https://www.theregister.co.uk/2018/02/22/us_customs_optical_networking/

https://www.theregister.co.uk/2018/02/22/us_borders_e_passports/

1
0
Big Brother

Shiney - Lets Be Bad Guys

Nice new machines at the new YYC terminal building, to read\scan your passports & fingerprints when travelling into the US, the first time I went through seemed to be a lot quicker than the second 7 months later, but then I was traveling with family members.

Coming back into Canada, the spanky new machines doesn't seem to have simplified\accelerated the whole customs experience of coming home.

0
0

Re: Shiney - Lets Be Bad Guys

Last time I went into the US, last summer at Oakland, they had these ESTA checking machines, which had a long line of people trying to use, and they aren't especially easy if you've never seen one before. Then, of course, we had to join an even longer line to see the regular Immigration guy, with the usual photo and fingerprint dance. Since the desk guy has to scan the passport, why don't they do the ESTA check there?

0
0
Silver badge
Pint

Border crossings, with or without Network access

If one is crossing a border in (for example) the hinterlands of Mongolia, where they utterly fail to have Network access, then the friendly border agents working in the shed are forced to reply on your "Papers Please" hard copy documents.

Everywhere else in the world, where there's electricity and an Ethernet cable, a simple bar code or memorized string should be enough to bring up your file. The agents can review the information on their screen, ask you to remove your hat, look in your left ear for the mole, and generally carry on from there.

If the multi-factor "What You Have" factor is needed, then - based on the electronic information - they can ask to see (for example) your car keys to confirm it's Honda or whatever. If not car keys, then the head from the GI Joe doll that you always carry and have registered as the "Have" factor.

The whole concept of a hard copy Passport is obsolete given that it's mostly used to bring up your online file anyway.

5
1

memorize? Re: Border crossings, with or without Network access

all you have to memorize is your 1st name &home 'phone number

1
0

The only news here would be that some people think that this collection of dim bulbs should be given more authority and control over our lives.

2
0
Anonymous Coward

Who cares if it works?

Do you seriously suggest all the extremely expensive chipping, body-scannig and snooping is implemented in order to increase "security"? Financial security, maybe.

5
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018