Customs and Border Protection officers can download and read the information on the RFID chips in U.S. passports, but they can’t authenticate it, according to a Feb. 22 letter from two senators. CBP lacks the software to “verify the digital signatures stored on the e-Passport,” wrote Democratic Sens. Claire McCaskill (Mo.) and Ron Wyden (Ore.).
Without the software, CBP can’t “determine if the data stored on the smart chips has been tampered with or forged,” according to the letter to Acting CBP Commissioner Kevin McAleenan.
As a result, “a skilled hacker could alter the data on an e-Passport chip — like the name, photo, or expiration date — without fear that signature verification would alert a border agent to the changes,” Wired reported Feb. 22. In 2010, the Government Accountability Office reported that CBP “has not implemented the system functionality necessary to perform the verification.”
“While CBP does not verify the country certificate of an e-Passport at this time, CBP does verify the data contained within the chip and in the machine-readable zone (MRZ),” CBP wrote in a Feb. 23 statement to Wired. “The data on the chip and the MRZ is compared and any inconsistencies are immediately flagged for the CBP officer.” CBP also said it verifies that chips haven’t been modified or tampered with.
This means that “digital kiosks that scan passports during entry into the US compare the identifying data on the chip with the information on the biographical page of the passport,” Wired wrote. However, this would not solve problems such as a passport forged to match the data on a chip, a hacker altering information at the kiosk to match the chip, or someone who avoids the kiosk in favor of a manual passport check, Wired added.
And while CBP said it checks the physical condition of chips, most e-Passport hacks alter the data on chips, not the RFIDs themselves, Wired reported.
Since 2015, e-Passports have been required for travel to the U.S. under the visa waiver program, FCW reported.
Read more at Wired.