Study: US-VISIT's RFID system needs better security

14.07.2006
The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program's RFID system has not done enough to secure personal data stored in its Automated Identification Management System (AIDMS) database, according to a recent, partially censored report issued by Richard Skinner, the inspector general of the U.S. Department of Homeland Security (http://www.dhs.gov/interweb/assetlibrary/OIG_06-39_Jun06.pdf).

US-VISIT is a program established in 2004 by the DHS to control and monitor the entry, visa status and exit of foreign visitors to the U.S.

Currently, US-VISIT is testing the use of RFID technology on Form I-94 visa documents to determine whether the technology meets the requirements of the program at five points of entry: Alexandria Bay, N.Y.; Nogales East and West, Ariz.; and the Peace Arch and Pacific Highway sites in Blaine, Wash. The test began in August 2005, and if it is successful, RFID tags will be deployed to the 50 busiest land ports by Dec. 31, 2007.

Although the data on the RFID-enabled Form I-94s is not encrypted and could be intercepted, it does not contain any personal information; it can be used to obtain such information only when combined with the data stored in the AIDMS database, according to the report. But if US-VISIT decides to store personal information on the tags, additional controls should be implemented, the inspector general said.

"During our vulnerability assessment on selected DML [Device Management Layer] servers, we discovered no high or medium security vulnerabilities," Skinner said. "However, our assessment results on the AIDMS database revealed some security vulnerabilities that could be exploited to gain unauthorized or undetected access to sensitive data. Specifically, we identified deficiencies in user account and password management [and] user access permissions.

"Periodic reviews of security settings would identify security weaknesses in user and password management," Skinner said. Otherwise, US-VISIT officials might not detect unauthorized activity or determine who is responsible for such activity, he said.
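The kind of periodic review the inspector general describes can be partly automated. The following is an added example, not code from the report or from US-VISIT: it runs a set of account-hygiene checks (password age and expiry, dormant accounts, accounts with no named owner, and role assignments that go beyond an approved entitlement list) over a constructed export of database accounts. The account names, role names, thresholds and the approved-entitlement table are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    """One row of an account export; every field is hypothetical."""
    name: str
    owner: Optional[str]          # named individual responsible; None for shared/service accounts
    roles: Set[str]
    password_set: date            # date the current password was set
    last_login: Optional[date]
    password_expires: bool = True
    enabled: bool = True


# Roles that grant broad access to the stored data (hypothetical names).
PRIVILEGED_ROLES = {"DBA", "SYSADMIN"}


def review_accounts(accounts, approved_roles, today,
                    max_password_age=90, dormant_after=90):
    """Return {account name: [finding, ...]} for every enabled account that
    fails a check. approved_roles maps account name -> set of roles the
    account is entitled to; thresholds are illustrative defaults."""
    findings: Dict[str, List[str]] = {}

    def note(acct, msg):
        findings.setdefault(acct.name, []).append(msg)

    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts are out of scope here
        # Password management: non-expiring or stale passwords.
        if not acct.password_expires:
            note(acct, "password set to never expire")
        elif (today - acct.password_set).days > max_password_age:
            note(acct, "password older than %d days" % max_password_age)
        # Dormant accounts that were never disabled.
        if acct.last_login is None or (today - acct.last_login).days > dormant_after:
            note(acct, "no login in %d days but still enabled" % dormant_after)
        # Accountability: activity on an unowned account cannot be attributed.
        if acct.owner is None:
            note(acct, "no named owner")
            if acct.roles & PRIVILEGED_ROLES:
                note(acct, "privileged role on account with no named owner")
        # Access permissions: roles beyond the approved entitlement list.
        extra = acct.roles - approved_roles.get(acct.name, set())
        for role in sorted(extra):
            note(acct, "role %s not in approved entitlements" % role)
    return findings


# Constructed sample export (not real accounts) and a constructed review date.
TODAY = date(2006, 7, 14)
ACCOUNTS = [
    Account("jsmith", "J. Smith", {"ANALYST"}, date(2006, 6, 1), date(2006, 7, 13)),
    Account("appsvc", None, {"DBA"}, date(2005, 1, 10), date(2006, 7, 14),
            password_expires=False),
    Account("rdoe", "R. Doe", {"ANALYST", "DBA"}, date(2006, 3, 1), date(2006, 2, 20)),
    Account("olduser", "Former Staff", {"ANALYST"}, date(2005, 5, 5), None, enabled=False),
]
APPROVED_ROLES = {"jsmith": {"ANALYST"}, "rdoe": {"ANALYST"}, "appsvc": {"DBA"}}


if __name__ == "__main__":
    for name, issues in review_accounts(ACCOUNTS, APPROVED_ROLES, TODAY).items():
        for issue in issues:
            print("%-8s %s" % (name, issue))
```

Run on the sample, the review is clean for jsmith, skips the disabled olduser, and reports three findings each for the unowned service account and for rdoe, whose stale password, long dormancy and unapproved DBA role are exactly the "user account and password management" and "user access permissions" deficiencies the report names. Comparing actual roles against an approved list is what turns a listing into a review: without the entitlement table there is nothing to detect a permission that should not be there.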