Inspector General's Report Confirms CBP Contractor Was Hacked, Resulting In Sensitive Info Making Its Way To The Dark Web

from the collect-it-all,-protect-it-barely dept

Last year, a CBP vendor suffered a data breach affecting more than 100,000 people who had crossed the border at checkpoints. The CBP refused to name the contractor involved in the breach, but internal documents indicated it was Perceptics. Perceptics provided and maintained the system that photographed cars and their occupants as they crossed the border.

The vendor's involvement in the breach has now been publicly confirmed, thanks to an Inspector General's investigation of the incident. Sensitive information that was never supposed to be located on Perceptics' servers was obtained by hackers and (partially) distributed on the dark web. [h/t Motherboard]

The report [PDF] lists the extent of the damage, which was fairly minimal given what was involved.

The subcontractor’s network was later the subject of a malicious cyber attack that compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. After removing duplicate images, CBP reduced its estimate to 100,000 individual images, of which they discovered 19 were posted to the Dark Web.

From which the IG draws this inevitable conclusion:

This incident may ultimately result in damage to the public’s trust in Government biometric programs.

Yes, whatever trust there is that hasn't been damaged yet, I guess.

Perceptics was authorized to be on-site to perform maintenance work. It was never authorized to transfer any photos to its own servers. But it did. And it did this in the worst way possible.

According to documentation from Unisys and CBP, Perceptics subsequently admitted to Unisys that it had downloaded approximately 184,000 traveler images from the equipment in conjunction with the work order tickets. Perceptics personnel accomplished this using an unencrypted USB hard drive that was eventually transported back to their corporate office in Knoxville, Tennessee. From there, subcontractor personnel uploaded CBP’s images to a Perceptics server.

This unauthorized data exfiltration led directly to another unauthorized data exfiltration.

Perceptics’ corporate network was subjected to a ransomware attack at some point prior to May 13, 2019. The attack compromised thousands of driver and passenger images that CBP captured during the VFS pilot. CBP determined that more than 184,000 traveler facial image files, as well as 105,000 license plate images from prior pilot work, were stored on the subcontractor’s network at the time of the ransomware attack. In addition, the hacker stole an array of contractual documents, program management documents, emails, system configurations, schematics, and implementation documentation related to CBP license plate reader programs.

Perceptics refused to pay the ransom and the hacker (d/b/a "Boris Bullet Dodger") released "9,000 unique files" on the dark web.

The Inspector General says Perceptics should never have taken files offsite. But it's not the only party to blame. CBP should have made this far more difficult to achieve.

Perceptics was able to make unauthorized use of CBP’s biometric data, in part because CBP did not implement all available IT security controls, including an acknowledged best practice. Additional IT security controls in place during the pilot could have prevented Perceptics from violating contract clauses and using an unencrypted hard drive to access and download biometric images at the pilot site.

The rest of the report is the CBP promising to secure barn doors as per the IG's recommendations. Certainly this will have some effect going forward. But the fact remains the CBP collects a lot of personal information that can be tied to border crossers' vehicles. All of this in one place continues to make the CBP -- and most government agencies -- tempting targets for malicious hackers.

Filed Under: border crossing, cbp, dark web, facial recognition, hacked, inspector general, leaked, security
Companies: perceptics, unisys

Securing The Nation With Insecure Databases: CBP Vendor Hacked, Exposing Thousands Of License Plate, Car Passenger Photos

from the guess-you-have-to-give-up-some-security-to-gain-some-security? dept

US Customs and Border Protection has suffered an inevitability in the data collection business. The breach was first reported by the Washington Post. It first appeared to affect the DHS's airport facial recognition system, but further details revealed it was actually a border crossing database that was compromised.

The breach involved photos of travelers and their vehicles, which shows the CPB is linking people to vehicles with this database, most likely to make it easier to tie the two together with the billions of records ICE has access to through Vigilant's ALPR database.

The breach involved a contractor not following the rules of its agreement with the CBP. According to the vendor agreement, all harvested data was supposed to remain on the government's servers. This breach targeted the vendor, which means the contractor had exfiltrated photos and plate images it was specifically forbidden from moving to its own servers.

According to reports from other news agencies, the breach likely involve Perceptics, a Tennessee-based manufacturer of stationary license plate readers. The Register first reported a breach there on May 23, after being contacted by a hacker possibly involved with the attack on the company's servers. The CBP claims it was not aware of this breach until May 31. But this piece of info from the Register's article seems to indicate Perceptics may be the vendor the agency has refused to name.

Perceptics recently announced, in a pact with Unisys Federal Systems, it had landed "a key contract by US Customs and Border Protection to replace existing LPR technology, and to install Perceptics next generation License Plate Readers (LPRs) at 43 US Border Patrol check point lanes in Texas, New Mexico, Arizona, and California."

This is all but confirmed in the Washington Post's report, which contains another link to Perceptics the CBP has refused to officially confirm.

CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”

No personal info was included in the breach, which the CBP said affected about 100,000 travelers entering and exiting the US through a single point of entry. It also claims it hasn't seen any of the data surface on the light or dark web, so there's that, if that statement is actually true.

This news has prompted many reactions, including some very obvious ones: first and foremost, the easiest way to minimize the damage of inevitable data breaches is to not harvest so much damn data. Unfortunately, the DHS's plans only involve expansion of its existing collection programs, including a larger rollout of its airport biometric scanning and its new mandatory collection of social media info from incoming foreigners.

It's pretty tough to secure a nation when you can't secure a database. This breach may have been the result of a vendor breaking the rules, but the Office of Personnel Management breach proves the US government isn't immune from these attacks. The more you gather and store in one place, the more often you'll be targeted by enemies foreign and domestic.

Finally, the incident has angered a handful of Congressional reps.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) announced on Monday that his committee would hold hearings next month to examine the collection of biometric information by the Department of Homeland Security (DHS), which includes CBP.

Thompson also noted that he wants to ensure “we are not expanding the use of biometrics at the expense of the privacy of the American public.”

Homeland Security Committee ranking member Mike Rogers (R-Ala.), used the breach to criticize DHS’s handling of cybersecurity challenges, saying in a statement to The Hill that “the agency is ill-equipped to handle emerging cyberthreats.”

“The data breach resulted from a contractor acting improperly and against agency policy,” Rogers said. “We need to take steps to ensure this does not happen again.”

Ensuring contractors follow the rules isn't really a solution. It may reduce the number of attack vectors, but it doesn't address the underlying issue: we're collecting more data on people than ever before and breaches are not a matter of "if," but "when." Until Congress gets serious about scaling back these massive collections, these will remain popular targets with the potential to cause a tremendous amount of harm to the millions of people who pass through our borders and airports.

Filed Under: alpr, cbp, hacked, license plates, photos, privacy
Companies: perceptics