Another day, another data breach. On Monday, the U.S. Customs and Border Protection announced that one of its subcontractors was hacked, compromising tens of thousands of photos of license plates and images of drivers taken by the agency at border checkpoints. CBP maintains that its systems are intact and that a subcontractor is to blame for CBP violating security and privacy protocols. Though it refrained from naming this subcontractor, it didn’t take much to figure out the weak link. The Washington Post reported that “a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, including the name ‘Perceptics’ in the title: ‘CBP Perceptics Public Statement.’ ”
Though the Post was first to report on CBP’s statement on Tuesday, British tech news site the Register reported the breach weeks ago after being tipped off by “Boris Bullet-Dodger,” who provided a list of hacked files. It appears the files were ripped directly from an employee’s computer. Along with JPGs purportedly of license plates and drivers, the document stash also included MP3 files of “Superstition, by Stevie Wonder, and Wannabe by Spice Girls, and a variety of AC/DC and Cat Stevens songs.”
One imagines that this hacked Cat Stevens fan is probably having a weird month at work, and the fallout from the incident is still unraveling. It appears that the stolen data is available for download on the dark web, but how much danger can it pose? What can someone actually do with a license plate and a photo of a driver sitting inside a car?
Luckily, probably not much. Anil Jain, a computer science professor who runs the Biometrics Research Group at Michigan State University, calls it a “low-risk situation.” If the driver photos are high enough resolution that hackers could potentially match a person’s face to an ID, like a driver’s license, then they could, in theory, find out who you are. Then they could gather additional information, like where you live, and eventually how to access your accounts.
But that would take a fair amount of effort, and hackers may not be motivated enough to take on that much detective work to mess with a stranger. Honestly, you might be worse off if you’re driving like a jerk and motivate someone to track you down. After all, license plate numbers and driver faces are pretty easily visible if you’re just driving around town. If anything, an in-person sighting would have more context than stolen CBP files to help you track down a person by photo and license plate: You can see where they’re driving, telltale bumper stickers, and who else is in the car. (Please don’t actually do this.)
Still, this CBP hack should be a cautionary tale for any entity collecting or storing sensitive personal data from individuals. “In this case, the data was not stolen from a central database, but taken from a contractor,” says Jain. “That raises the question of how the central database is protected, and who has the right to access it.” And as the CBP continues to expand its biometrics programs, the consequences of stolen data will grow graver. You can get a new license plate, but it’s not so easy to get a new face, despite what you may have seen in Face/Off.
While the U.S. has not yet experienced a major biometrics data breach, experts are bracing themselves for one. It’s already happened in India: The country’s government-run biometrics database, Aadhaar, has been hacked and tampered with. It’s also possible that this CBP hack is worse than we think. Chad Loder, CEO of cybersecurity firm Habitu8, told the Atlantic that the breach could have involved more than just license plate and driver photos. Given that the CBP collects biometrics like face scans and fingerprints, “it’s unlikely that the attacker would have stopped with just photo data,” he said. To be fair, though, it’s unclear whether the sites from which the data was stolen match up with those that collect biometric data. Perceptics has plate readers at Border Patrol checkpoints in Texas, New Mexico, Arizona, and California, whereas it appears CBP is mostly using biometrics at airport checkpoints, though it appears to be testing it with cars at border checkpoints as well.
To prepare for biometrics hacking, researchers and self-styled hackers are trying to test the weaknesses of existing systems in hopes that they’ll find and address vulnerabilities before hackers can exploit them. For example, after Apple unveiled Face ID, a feature that unlocked users’ phones using their faces, consumers and researchers had a field day trying to break into phones. Some succeeded using shoddy masks, while others have failed using elaborate ones. Jain’s lab doesn’t focus on phone biometric readers, but in its work, he says they’ve successfully fooled face biometric readers using a tight-fitting silicon mask that costs about $4,000 to make.
3D masks are just one way to spoof a face. Other methods including using a static photo (or set of photos), or a looped video that more closely emulates the look of a live face. Researchers, in turn, have tried to find ways to distinguish between a live face and a spoofed one: some detect motion and gestures like blinking; others perform complicated calculations on images to determine whether specific features of the face, like light reflectance of skin, correspond with a real person; and still others use sensors like thermal imaging to identify a live face. Jain and his colleagues are taking a different approach: They train algorithms on what data sets of real fingerprints or faces look like, and then the algorithm makes a determination on whether a sample is real. I asked what differences there are in features of a real versus spoofed sample, and Jain said that’s the billion-dollar question. “There are very subtle differences,” he says. “No one can quantify them except a learning algorithm that looks at a large number of images.” There are researchers looking into explaining what’s driving the network’s determinations, but for now, it’s a bit of a black box.
The possible methods here and how to protect against them depend a bit on the context in which stolen data is being used. Stolen biometrics could be especially dangerous in cases where “unlocking” an account is done in private, like logging into a bank account from your home. In those cases, it’s much easier for a hacker to futz around with a looping video, a photograph of you, or a shoddy mask until they gain access. But you’d never get away with such shenanigans in any in-person interaction, like an airport check-in or a border crossing. If you look like That Suspicious Person in a Mask or clearly try to hold up someone else’s photo to the scanner, you’ll probably get arrested lickety-split. Plus, as Jain points out, in many in-person biometrics readings you’re required to show other identifiers like a passport, or an ID badge, if you’re signing in at work. Forging a document and crafting a convincing biometric spoof would be some Hollywood spy-level trickery.
As the government and private companies amass our fingerprints, retinas, and faces, their collections become increasingly valuable to hackers. Perhaps, Jain suggests, access to sensitive data servers could be controlled via biometrics. That sounds like a good idea as long as biometrics system engineers are winning the arms race against the spoofers. Otherwise, maybe researchers can take up the charge in designing us all new faces and fingerprints.