U.S. border officials have been unable to verify the authenticity of data stored on passport RFID chips for more than a decade, two senators revealed Thursday.

In a letter to Kevin McAleenan, the acting Commissioner of U.S. Customs and Border Protection (CBP), Sens. Ron Wyden (D-Ore.) and Claire McCaskill (D-Mo.) stated that the agency has failed to purchase the software needed to ensure a passport’s digital data hasn’t been altered.

“It’s past time for U.S. Customs and Border Protection to take basic steps to stop passport forgery,” Wyden tweeted. “@clairecmc and I wrote to @CBP urging them to use digital signatures to prevent tampering and fakes.”

As noted in the senators’ letter, e-Passports, which store cryptographically verifiable traveler information, became the standard domestically in 2007 following a U.S. government-led effort to have the technology adopted worldwide.

Despite the U.S. requiring every visitor from countries on the visa-waiver list to have an e-Passport, the CBP “lacks the technical capabilities to verify e-Passport chips.”

“CBP has deployed e-Passport readers at many ports of entry, which CBP personnel use to download data from the smart chips in e-Passports,” the letter notes. “However, CBP does not have the software necessary to authenticate the information stored on the e-Passport, which means that CBP is unable to determine if the data stored on the smart chips has been tampered with or forged.”

The senators also found that the CBP was first warned about the issue in 2010 after a report from the Government Accountability Office (GAO) highlighted the security failure.

“Eight years after that publication, CBP still does not possess the technological capability to authenticate the machine-readable data in e-Passports,” the letter adds.

While the letter does not detail any incidents in which criminals have abused the loophole, researchers in 2009 revealed the ability to copy legitimate e-Passport chips and apply them to fake documents.

“1 billion passports now include anti-forgery encryption technology, but CBP never bought the software it needs to take advantage of it and spot digital fakes,” Wyden also tweeted. “We can secure our borders against national security threats with smart policies that don’t threaten our liberties.”

Wyden and McCaskill are calling on the CBP to work with the General Services Administration to “develop and implement a plan” to fix the issue by 2019.

Got a tip? Contact Mikael securely: keybase.io/mikaelthalen
