Data breach at the border. Are your subcontractors an easy target?

border fence

It’s near-impossible to travel anywhere today without submitting to the most extensive of security checks. We know of the pat-downs, the metal detectors, the shoes off, the interviews at airports. Increasingly, biometric fingerprint and facial scans are being implemented to add “convenience” for travellers. Opting out can be prohibitively difficult. Sometimes there is no choice–if you want to catch your flight, or cross the border, you have to play ball. The question often asked is whether these checks are too invasive, or patently illegal. But there’s another, equally important question to ask about the way our data is collected at travel points: where is it all going?

Back in May, a hacker using the pseudonym “Boris the Bullet Dodger” (a reference to the movie Snatch) reached out to The Register to inform them of a breach of a small engineering company based in Tennessee.

Have you heard of Perceptics? No? That’s the idea. The company markets itself as “the sole provider of stationary [license plate readers] installed at all land border crossing lanes for [privately owned vehicle] traffic in the United States, Canada, and for the most critical lanes in Mexico.” If you’ve recently driven across the U.S. border, a picture of your face and your license plate may have been captured by Perceptics technology, on behalf of U.S. Customs and Border Patrol. Did you know that?

Using a contractor like Perceptics may make financial and logistical sense for CBP, but it comes with risks.  A private company may not be subject to the scrutiny that a government body is. Think about it like hiring a babysitter.  If you have a family member look after your children, you can be pretty confident that they’ll do a good job: they care about the well-being of your children, and they’re accountable to you if anything goes wrong.  If you hire a stranger to look after your children, you better take a few extra steps to make sure they won’t lose or hurt them.

When The Register reported that a government surveillance contractor was hacked last May, they speculated that “The nature of the company’s business – border security data acquisition, commercial vehicle inspection, electronic toll collection and roadway monitoring – means that it’s likely to have a significant amount of sensitive information.”

It was an omen, and an understatement.

Not three weeks later, on June 10th, news broke of a U.S. Customs and Border Patrol hack.  The agency didn’t say outright which of its contractors was at fault for the breach, but the title of their public statement read “CBP Perceptics Public Statement”.

In total, some 65,000 files totalling around 400 GB made it onto the dark web.  The details of the breach have not been disclosed publicly, and an investigation into the matter remains ongoing, but all indications suggest that what began as a privacy issue has blossomed into a national security issue, and a Perceptics hack turned into a much wider U.S. government data dump.  In addition to tens of thousands of photographs of drivers and their license plates, there is now a wealth of intriguing government data available–around a terabyte, total–well outside Perceptics’ domain. You can see it for yourself.  There’s video of Julian Assange in prison, plans for Trump Tower Moscow, entire folders on Chelsea Manning, Eric Snowden, Enron, Sony, Emmanuel Macron, and much more.

Although the scale of the hack may be unusual, the means by which it likely occurred is not.  Major organizations are almost always breached from a targeted weak point. Instead of having to hack the U.S. government, for instance, a hacker might simply target a third-party contractor through one unsuspecting employee.  All that’s needed is one bite: a malicious email opened, a laced PDF of hyperlink clicked. After having broken through the path of least resistance, attackers can scope out and move laterally within a network, towards user accounts and databases of greater and greater value.  If you’ve seen a spy movie, you know how the story goes. A talented special agent will probably have the tools necessary to break any lock, carve any wall, sneak into any corner along the way. If nobody’s monitoring of who’s accessing these areas, and what they’re doing there, nobody’s any the wiser.

As it so often goes, what data is ultimately leaked has more consequence for ordinary people than it does the organization that lost it.

We tend to think of the “government” as some sort of invisible, ubiquitous presence.  If your face is captured by an airport kiosk, or border checkpoint camera, it goes to them, wherever they are.  In reality, the government contracts high-tech surveillance solutions to independent companies. Because these partnerships aren’t made with public input (or, more often than not, public knowledge), and because these contractors work for agencies rather than the people subject to their tech, there’s no guarantee these contractors will act with the proper care required to keep safe the data of ordinary citizens.  Can you blame them?

Perhaps nobody better summed-up the lesson of the Perceptics-CBP hack than Boris the Bullet Dodger himself.  When Vice reached out to the hacker who started it all, he said in an email, “I think that idiots manage the company Perceptics.”  Unfortunately, if government contractors like Perceptics are, in fact, managed by idiots, you and I will be the ones to pay the price.





About the author: 
Nathaniel Nelson writes the internationally top-ranked “Malicious Life” podcast on iTunes, hosts programs on blockchain and SCADA security, and contributes to AI and emerging tech blogs.