Security issues found in USCIS RFID Card production system

Pierluigi Paganini June 19, 2014

The system used to produce RFID identification cards including permanent resident IDs by the USCIS has a number of serious security issues.

A report from the Office of the Inspector General (OIG) at DHS titled “Radio Frequency Identification Security at USCIS Is Managed Effectively, But Can Be Strengthened” confirms the presence of serious security issues in the system used to produce RFID-enabled identification cards.

The system is used by the United States Citizenship and Immigration Services (USCIS), which is responsible for the permanent resident card program. The program issues permanent resident cards (aka green cards) to foreign citizens who have been authorized to live and work permanently in the USA. The experts discovered numerous issues in the system, including that almost all of its workstations were running outdated Java software.

The OIG discovered a serious issue in the Card Personalization System Technology Refreshment (CPSTR) component, which retrieves citizen biographical and biometric information from an internal system and then passes it to the card production system.

Of the 31 Windows workstations in the CPSTR system, 27 were missing Java patches dating back to 2008.

The system also includes many Oracle database servers. The database that was audited was missing at least 22 critical patch updates, which means that Oracle patch management had not been working for more than five years, considering that the company releases patches quarterly.

The permanent resident cards currently produced by USCIS use radio frequency identification. The OIG recently conducted an audit of the system used to produce those cards and discovered numerous issues.

“For example, USCIS has granted its card production system the authority to operate, evaluated privacy implications of using the system, and ensured that no personal data is transmitted by permanent resident cards. However, USCIS had not deployed timely security patches on the servers and workstations that support radio frequency identification processes, assessed annually the effectiveness of security controls implemented on the system that produces radio frequency identification cards, or ensured employees producing these cards receive the mandatory annual privacy awareness training,” states the report.

According to the results of the audit, the outdated software is attributable to USCIS's use of an automated patching application: the department’s firewall architecture prevented specialists from determining whether the patches had been deployed to the CPSTR system.

“USCIS uses centralized and automated patch deployment software to identify and install updates to the workstations and servers that connect to its network. However, a firewall that segregates CPSTR from the rest of the USCIS network prevents Office of Information Technology (OIT) personnel from determining if they had installed the patches on the CPSTR network. To mitigate this limitation, OIT mails a disc containing patches to personnel at the Corbin Production Facility quarterly. Personnel at this facility then install the provided patches to each CPSTR server or workstation individually. However, since OIT cannot accurately determine if they had installed the patches, many patches are not added to the disc and installed as needed,” the OIG report says.

The Office of Information Technology plans to fully integrate CPSTR with the USCIS network by the second quarter of fiscal year 2015. This integration will allow the office to automatically deploy security patches directly to CPSTR. The integration of CPSTR into the USCIS network is already in progress and it will be completed by August 2014.

As recommended by the OIG, it is fundamental for CPSTR to ensure that all the servers and databases are properly patched in a timely manner.

“Expedite CPSTR’s integration into the USCIS network to facilitate the timely identification and deployment of security patches to protect the sensitive information processed and stored by the system”

The OIG also provided the following recommendations:

  • Perform the required assessments periodically to evaluate the effectiveness of management, operational, and technical security controls implemented on ICPS and document the assessment results.
  • Implement procedures to ensure and verify that ICPS users receive the required privacy training annually.

The security of systems like the one used by USCIS to produce RFID-enabled identification cards is crucial for Homeland Security; unauthorized access could have serious repercussions.


