US border cops confirm: Maker of America’s license-plate, driver recognition tech hacked, camera images swiped

The US Customs and Border Patrol today said hackers broke into one of its bungling technology subcontractors – and made off with images of people and their vehicle license plates as they passed through America’s land border.

The CBP issued a statement outlining how it learned on May 31 that the unnamed contractor, against Uncle Sam’s privacy rules and security measures, copied license plate scans and traveler pictures to its own network, only to have that network invaded by hackers and the data stolen.

In an email to The Register, a spokesperson for the border cops said:

The CBP went on to say it has removed all of the equipment used to gather the images involved in the leak, and will be “closely monitoring” the subcontractor for further screw-ups:

While a CBP spokesperson declined to name the subcontractor at the heart of the incident, the Washington Post was first to receive the above statement as a Microsoft Word document that had the name “Perceptics” in the file title. (Our copy arrived as a plain-text email body.)

The presence of Perceptics in the Word doc title would reconfirm the exclusive Register report from May 23 that Perceptics, a maker of license-plate reader hardware and software extensively used at the US government’s borders and checkpoints, had been ransacked by hackers, who made off with and dumped on the dark web a snapshot of its entire IT estate. Perceptics touts systems that can recognize drivers and their cars from camera footage, allowing officials to verify travelers.

That information dump, which encompassed hundreds of gigabytes of data, included internal emails and databases, documentation and client details, blueprints, backups, music, and more.

A further review of those files today uncovered at least a few hundred .JPG and .TIF image files of license plates, some identified and some not, taken in 2017 of vehicles passing through CBP’s checkpoints in Santa Teresa and Columbus, New Mexico, on the southern border with Mexico, and bicycles passing through the Hidalgo Port of Entry on the Texas-Mexico border.

It appears the images were collected for troubleshooting or further development of the technology, rather than harvested en masse, and were inappropriately retained as per the CBP’s statement. There may be more images, of course. There are references to pictures taken in Alaska and San Diego, as well as sensor logs and error reports, in the leaked data trove.

While El Reg last month reported the data was being offered on the Tor network for anyone to download if they could find it – and indeed, we found it on a hidden .onion service after a tipster alerted us to the leak – the CBP’s carefully worded statement on Monday this week noted that “as of today, none of the image data has been identified on the Dark Web or internet.”

As of today? Make of that what you will. We reckon it has taken from May 31 to now for Uncle Sam to get the site removed, or for it to disappear, before publicly confirming the security breach. It is also possible the hackers stole much more than what was leaked, and only a subset of the swiped data was hosted on Tor, leading to this week’s revelation that, unfortunately, license plate and traveler photos were taken as well as internal company documents and messages.

Should Perceptics indeed prove to have been the source of the leaked images, which seems rather likely, and the dates provided are correct, that would mean the CBP learned of the security snafu some eight days after we contacted Perceptics on May 23 to warn it of the intrusion – a cyber-break-in Perceptics at the time acknowledged had happened but wouldn’t go into further details.

A CBP spokesperson declined to confirm or deny Perceptics was the pwned subcontractor. A spokesperson for Perceptics, a former subsidiary of Northrop Grumman with customers around the world as well as various US states, could not be reached for immediate comment. ®

READ MORE HERE