Flaws Found in USCIS RFID Card Production System

The system that’s used to produce RFID-enabled identification cards–including permanent resident IDs–by the United States Citizenship and Immigration Service has a number of serious security issues, according to a new report from the Office of the Inspector General at DHS. Among the issues the OIG found is that nearly all of the workstations in the system were missing six years worth of Java patches and an Oracle database server was missing nearly two dozen patches.

USCIS is the section of the Department of Homeland Security that handles immigration into the country and monitors the status of visitors and permanent residents, among other things. One of its functions is to produce and issue the identification cards given to permanent residents. Those cards contain RFID tags that make them machine-readable, and the OIG recently conducted an audit of the infrastructure that handles the process of producing those cards. The audit found that the system was working as designed, but that there were several security shortcomings that needed to be addressed.

“For example, USCIS has granted its card production system the authority to operate, evaluated privacy implications of using the system ,and ensured that no personal data is transmitted by permanent resident cards. However, USCIS had not deployed timely security patches on the servers and workstations that support radio frequency identification processes, assessed annually the effectiveness of security controls implemented on the system that produces radio frequency identification cards, or ensured employees producing these cards receive the mandatory annual privacy awareness training.,” the report says.

One of the more serious issues that the OIG’s audit found is that the Card Personalization System Technology Refreshment component, which pulls the biographical and biometric information from an internal system and then returns production results to the system after a card is produced, had many workstations and servers that were missing key security patches. Of the 31 Windows workstations in the CPSTR system, 27 of them were missing Java patches dating back to 2008.

On top of that, Oracle database servers that are part of the system were missing 22 critical patch updates, which works out to more than five years worth of patches from Oracle, which releases updates on a quarterly schedule.

One of the problems that contributed to this state of affairs is that, while USCIS uses an automatic patching application, the department’s firewall architecture prevented specialists from determining whether patches have been deployed to the CPSTR system.

“USCIS uses centralized and automated patch deployment software to identify and install updates to the workstations and servers that connect to its network. However, a firewall that segregates CPSTR from the rest of the USCIS network prevents Office of Information Technology (OIT) personnel from determining if they had installed the patches on the CPSTR network.To mitigate this limitation, OIT mails a disc containing patches to personnel at the Corbin Production Facility quarterly. Personnel at this facility then install the provided patches to each CPSTR server or workstation individually. However, since OIT cannot accurately determine if they had installed the patches, many patches are not added to the disc and installed as needed,” the OIG report says.

The OIG report recommends that the USCIS integrate the CPSTR system into the rest of the network, apply patches in a timely manner and perform required annual security assessments.