ICE faces heat after agents install thousands of personal apps, VPNs on official phones
Audit: Craptastic security potentially put govt info in hands of enemies
America's immigration cops have pushed back against an official probe that concluded their lax mobile device security potentially put sensitive government information at risk of being stolen by foreign snoops.
Between April 27 and August 17, the US Department of Homeland Security Office of the Inspector General conducted an audit of equipment managed by Immigration and Customs Enforcement (ICE) and the agency's IT policies.
In an October 30 write-up, the inspector general came down hard on the Feds' device management practices, highlighting "urgent issues" on ICE-managed handhelds – including concerns about devices running apps that could be hijacked by foreign adversaries. Think: software linked to or developed within reach of China or Russia, which could be altered or compromised to spy on Uncle Sam.
"Specifically, we found mobile device management issues that put ICE mobile devices — and potentially other [Homeland Security] mobile devices demonstrating similar issues — and sensitive data at greater risk of potential espionage, leaks, and attacks from viruses," wrote Inspector General Joseph Cuffari in a redacted report [PDF].
The investigation found "thousands" of applications on ICE-managed devices that had been installed by employees, contractors, and other DHS staff. These included third-party file sharing services and virtual private networks (VPNs), outdated messaging platforms, and apps developed by companies banned from US government IT systems.
While we don't know which of these naughty-list apps auditors found on ICE employees' phones, it's probably safe to assume one of the offenders was TikTok — banned from US federal government staff and contractors' devices because of espionage concerns, due to the influence the Chinese government can exert over Beijing-based parent ByteDance.
The DHS OIG report added the software it found on the handhelds included "applications associated with [redacted] and [redacted]." We're guessing the redacted names are China and Russia. According to the inspector general, these user-installed apps potentially put ICE's operations, employees, and all of DHS at risk.
"These applications introduce the potential for collecting and monitoring user and device information through device sensors such as a camera, microphone, and Global Positioning System," the report stated. "The applications may also collect and distribute information stored on the device (eg, photos, videos, and documents), including potentially sensitive information outside the secure containers."
Because ICE considered these downloads to be "personal applications," it didn't monitor them, we're told, despite their presence on the federal agency's devices. To be fair, some of the ICE-approved apps sound equally concerning, such as "one ICE-owned application allows ICE personnel to capture and search biometric information of people they encounter in real-time."
An ICE spokesperson declined to comment on this scanning app, and also did not answer The Register's questions about its last personal-use policy update, which happened in 2014, and whether it planned to review the policy more frequently from here on out.
In a lengthy statement emailed to The Register, an ICE spokesperson said:
We appreciate the OIG's focus on the important issue of device security. After discussions with the OIG regarding user-installed applications on a very small number of mobile devices used by US Immigration and Customs Enforcement (ICE), ICE swiftly took action to remedy all identified vulnerabilities in June. There is no evidence of any nefarious activity occurring on these devices, and we have no evidence of any breach of ICE data.
ICE employs a multi-tiered digital security posture to protect ICE data which includes mobile device management software to control what a device can and cannot do, use of a 'secure container' on all mobile devices to house and protect ICE data, a mobile application management solution to protect and manage ICE applications outside the secure container, and a mobile threat defense capability to continuously monitor the behavior of all third-party applications downloaded to an ICE mobile device to protect ICE data. At all times, ICE had visibility of the actions and behavior of third-party applications on ICE devices. ICE will continue to further strengthen device management.
The report acknowledged that ICE has implemented some of the auditors' recommendations already to boost device security, such as blocking and disabling prohibited apps, vulnerable messaging applications, and VPN applications.
"ICE also stated it has taken steps to implement application vetting and is in the process of updating its mobile device use policy," the report says.
Additionally, DHS, in its response to the audit, disagreed that ICE security controls did not reduce the risk to federal mobile devices and their sensitive information. Homeland Security also claimed the percentage of ICE-managed devices that did not have mobile threat defense capability installed is significantly lower than the inspector general's audit number.
While ICE's actions "demonstrate progress," the report concludes that ICE still hasn't fully addressed "risks associated with user-installed applications communicated in this alert." ®