By Mary Catherine O'Connor
July 7, 2006—The US-VISIT program is failing to adequately protect personal data being stored in databases and collected via RFID inlays embedded in its I-94 visa forms, according to a report released last month by the Department of Homeland Security's Office of Inspector General. The report suggests the organization should design and follow policies and procedures regarding the use of RFID technology and protections around personal information linked to RFID tags.
In 2004, the DHS launched the US-VISIT program to heighten border security by taking digital fingerprints and photos of all non-U.S. visitors entering the country (see Homeland Security to Test RFID). The report is based on an audit the office performed to determine whether US-VISIT "has implemented effective controls to protect its mission-critical data processed by its RFID systems from unauthorized access."
The audit consisted of visits to the U.S. border point-of-entry stations, where the RFID-enabled forms are being tested, as well as interviews with US-VISIT and Customs and Border Patrol (CBP) personnel (US-VISIT is a CBP program). The audit examined the physical layer of the system—how the tags, readers and I-94 forms are used and secured—as well as whether adequate policies and procedures have been enacted to ensure the "confidentiality, integrity and availability" of data contained in the Automated Identification Management System (AIDMS). The latter is the system of record used by the US-VISIT program to maintain databases for storing information about foreign nationals entering and exiting the country. The audit was conducted between November 2005 and February 2006.
During the audit, a team from the Office of Inspector General used a tool called the Internet Security Systems' Database Scanner to review database settings and to detect and analyze vulnerabilities on database servers. It also used an RFID spectrum analyzer and an interrogator (reader) to attempt to read I-94 forms being carried by persons going through the ports of entry where the technology is being tested. While the DHS still considers the distribution and reading of RFID-enabled I-94 forms a proof-of-concept rather than a permanent technology deployment, it has distributed more than 150,000 of the forms.
The audit results of the AIDMS database reportedly "revealed some security vulnerabilities that could be exploited to gain unauthorized or undetected access to sensitive data [relating to persons carrying I-94 forms]." The report says these vulnerabilities were based in the areas of user account and password management, and user-access permissions. The details of such vulnerabilities are removed from the redacted version of the report, available online.