The United States government is notorious for its “better late than never” approach to deploying its technology. Following this tradition, US Customs and Border Protection (CBP) today confirmed that, after 16 years, it has finally implemented the necessary software updates to verify the cryptographic signatures stored in passport RFID chips.
Since 2006, the United States and many other countries have embedded these small chips in the back of their passports, or “e-passports” as they are called. The chip digitally stores the passport holder’s personal information, including name, date of birth, passport number, and biometric data such as a photograph, as well as a cryptographic signature designed to protect against forgery. For years, the US has required visa waiver countries to issue e-passports to their citizens who wish to enter the US. However, in all this time, CBP had not actually deployed the software to perform these validation checks.
In early 2018, U.S. Senator Ron Wyden of Oregon and former Senator Claire McCaskill of Missouri wrote a letter to CBP urging the agency to conduct cryptographic verification, given that the RFID ePassport infrastructure had been in place for many years. Last week, five years after the request, CBP told Wyden’s office that the ePassport verification system has been operational since June 2022.
CBP says the verification process has so far verified more than 3 million visa waiver traveler passports and “facilitated” the arrest of 12 people who allegedly tried to enter the US with “fraudulent” identities.
“During primary processing, the ePassport technology alerted to the documents and travelers were directed to secondary verification, where CBP officials determined that travelers were in possession of counterfeit travel documents,” the agency said in a statement.
“Improving passport security is a healthy way to make sure people entering our country are who they say they are. This is already making America safer without resorting to invasive searches or massive databases of private data,” Wyden says in a statement to WIRED. “I thank CBP for getting the job done and making sure counterfeiters and criminals can’t use fake passports to get through security at the border.”
While verification has been ongoing since June, CBP says it still cannot verify e-passports issued by Andorra, a tiny country between Spain and France with a population of fewer than 80,000. Apart from that, however, CBP conducts the checks for all visa waiver countries.
“This has been a major investment by the US, so I’m happy to see that they are taking advantage of these opportunities and doing what they should,” says Matthew Green, a cryptographer at Johns Hopkins University. “This system is really a simple check to help catch people traveling with fake documents, and we are interested in this. And it’s not as intrusive as facial recognition or other systems deployed at the border, so overall it seems like a good system to activate.”
A 2010 report from the Government Accountability Office (GAO) outlined the case for rapid implementation of signature verification for ePassports. The U.S. Department of Homeland Security (DHS) “does not have the ability to fully verify digital signatures because it … has not implemented the system functionality necessary to perform verification,” the GAO wrote at the time. “The additional protection against counterfeiting and forgery that could be provided by the inclusion of computer chips in ePassports issued by the United States and foreign countries … has not been fully implemented.”
After more than a decade and a half, verifying the digital signature of an ePassport is finally something DHS can check off its to-do list.