Reason not to unlock smartphones for US customs? Hackers breach US customs subcontractor database

The US Customs and Border Protection (CBP) agency has admitted that photos of travellers and license plates collected at one US border point have been exposed in a malicious cyberattack.

The news of the hack will renew privacy concerns about the use of facial recognition and surveillance systems by US authorities, as well as demands from US customs officials that travellers to the US must unlock their mobile devices for inspection.

In April, three US Customs and Border Protection (CBP) officers detained Apple employee Andreas Gal at San Francisco airport, following a business trip abroad.

Customs hacked

Gal, who was also the former chief technology officer at Mozilla Foundation, and is a US citizen, was detained for three hours after he refused to unlock his work MacBook Pro and iPhone XS. Both were clearly labelled as “Property of Apple. Proprietary.”

And now CBP has admitted a “malicious cyber-attack” hit a CBP “subcontractor” that had stored “copies of license plate images and traveller images collected by CBP”, the agency was quoted by the Guardian newspaper as saying in a statement Monday.

CBP reportedly said “none of the image data has been identified on the dark web or internet”, but declined to answer questions about the scope of the attack and stolen data, and refused to name the subcontractor involved.

However, media reports state that a Tennessee-based company that bills itself as the sole provider of stationary license plate readers at US borders had been compromised last week.

It is thought that the stolen images involved fewer than 100,000 people.

Essentially, it seems that photographs were taken of travellers in vehicles entering and exiting the United States through a few specific lanes at a single land-border port of entry over one and a half months.

No other identifying information was included with the images.

US data collection

However, those travelling to the United States should be aware that the US government does maintain databases of travellers' personal information, including passport and visa photos.

CBP has reportedly been expanding its facial-scanning systems to airports across the US since Donald Trump’s 2017 executive order expediting the deployment of this surveillance, the Guardian reported.

Last year the CBP placed new restrictions on when its agents are permitted to copy data from devices such as mobile phones and laptops at border crossing points such as airports, amidst a surge in such “advanced” searches.

Agents now need to have “reasonable suspicion” to conduct advanced searches, which may include copying data from the devices of people entering or leaving the country.

Expert concerns

The news that the CBP had its data compromised has worried the security industry.

“What is strange in this story is the timing,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb. “Just after the unwarranted transfer of confidential data to the subcontractor’s network, they suddenly got hacked as if someone has been purposefully waiting for this.”

“Of course, we may suppose that the subcontractor had been breached and backdoored for a while already, but this puts in question the vetting process at CBP when selecting suppliers to handle sensitive data,” said Kolochenko. “In any case, it is imperative that CBP conducts an internal audit on their suppliers to review how the latter enforce internal security and data handling procedures.”

Another expert said this breach underlines the need to vet third parties' security practices.

“This once again highlights the knock-on effects of third-party cyber-attacks and the implications caused by a lack of cybersecurity,” said Jake Moore, cybersecurity specialist at ESET. “Although the dataset has not yet been located online, no doubt it will find its way onto the dark web in due course.”

“There is a chance phishing emails could occur but more importantly, such data could be used in conjunction with facial recognition software,” said Moore. “Vetting third parties is hugely important when dealing with sensitive and personal data so maybe penetration testing companies could be included when due diligence is carried out on prospective new clients.”

And one security expert said the breach shows the need to adopt safe storage of such data.

“The access to CBP data via a third party contractor speaks to a bigger issue with the use of biometric data for customs and immigration,” said Irra Ariella Khi, CEO of VChain Technologies.

“Facial recognition technology has been developed and widely adopted, but government agencies the world over have been much slower at adopting the technology that allows the safe storage, transfer and verification of that data,” Ariella Khi said. “It is not hard to identify the mistakes that were made in this case. This highly-sensitive ‘personally identifiable information’ should not have been either exposed to or stored as a copy by the subcontractor in a central, third party database.”

“If the right suppliers are used, there should be little need for anything more than a secure signal that governments can use in order to verify that an individual is who they say they are, but would be utterly useless should anyone get a hold of that secure signal,” Ariella Khi said. “This technology exists and governments should adopt the safest of security practices and innovative technology with the same level of pertinacity that they adopt biometrics.”
