Radio chips leave visa data unsecured; homeland vows to safeguard systems
Foreign visas and information on U.S. aircraft protection are vulnerable to unauthorizedaccessbecause of shortcomings in the Homeland Security Department’s use of technology, according to a report released on Aug. 21 by the department’s inspector general.
The report says the security issues involve the use of radio frequency identification chips (RFID) and databases at three Homeland Security agencies.
“These security-related concerns, if not addressed, increase the potential for unauthorized access to DHS resources and data,” the report said. “We identified vulnerabilities on databases that could be exploited to gain unauthorizedor undetectedaccess to sensitive data.”
The report was only able to focus on Customs and Border Protection (CBP), Transportation Security Administration (TSA), and the U.S. Visitor and Immigrant Status Indicator Technology program (USVISIT) because the department lacks “an accurate inventory of systems using RFID technology.”
RFID chips use wireless technology to store data that can be retrieved to confirm the identity of a person or location of an object through a tiny radio transmitter.
“The flexibility and portability of RFID technology and devices, as well as the information that resides on the tags, increases the need for security and privacy controls,” the report said.
The report found security concerns in password management, user access permission and a lack of auditing in the systems that CBP uses to track foreign visitors upon entry at the two U.S. land borders. The Free and Secure Trade (FAST) program on the Mexican border and the Global Enrollment System on the Canadian border collect information that is fed into the USVISIT program, which contains personal and biometric information on 17.5 million foreign visitors who have passed through nearly 200 air, land and sea ports.
Homeland officials agreed with the inspector general’s findings and say additional security measures will be taken and guidelines developed to secure databases. The chips are still in the testing stage at the TSA to identify airline pilots, track their weapons,cargoandpassenger bags.
The inspector’s general findings on the weapons-tracking system was redacted. However, the Federal Flight Deck Officer operation that would identify pilots and track guns “is currently capturing operational data in support of TSA’s mission,” Inspector General Richard L. Skinner said in a July 7 letter to Edmund “Kip” Hawley, TSA assistant secretary.
The weapons-tracking system does not use encryption and is neither certified or accredited for operation, the letter said.
The State Department is using RFID chips in new e-passports for all U.S. citizens that will be issued by the end of this year, despite concerns the chips canbe easily cloned.
Infineon, aGermancompany,announced on Aug. 21 that it will supply the technology for the newpassports, which will contain the tiny RFID chips on the back of their covers. Frank Moss, deputy assistant secretary for consular affairs at the State Department, says Infineon’s epassport systemhasbeenapproved by the National Institute of Standards and Technology.
However, researchers at the Black Hat Briefings security conference in Las Vegas earlier this month were able to copy information from the chip.