


An inspector general issued an alert Thursday to Homeland Security saying one of its key immigration agencies is so lax in policing use of mobile devices that adversary nations could track agents or steal their data.
U.S. Immigration and Customs Enforcement has an “overly permissive” policy for use of its issued devices, the inspector general said. Employees are allowed to download third-party applications, including messaging apps produced by companies with ties to foreign governments.
The inspector general said his investigators looked specifically at ICE, but suggested the problem may extend throughout Homeland Security and urged the department to see how deep the risk runs.
The names of the adversary countries and the apps were redacted from the public report, but the inspector general said some are from companies that the U.S. government has banned. In other cases the apps are outdated, meaning they might easily be breached through security flaws.
“Among other things, these applications introduce the potential for collecting and monitoring user and device information through device sensors such as a camera, microphone and Global Positioning System,” Inspector General Joseph Cuffari said. “This risk is intensified, given that some of the mobile applications identified are associated with U.S. government foreign adversaries.”
He said the problem traced back to ICE’s policy on devices, which he said allows “nearly unlimited personal use.”
Mr. Cuffari said his office is conducting a broader audit of ICE’s device security, but the issue with third-party apps caused his immediate alert.
Homeland Security said it ran a forensic analysis and found “no evidence of nefarious activity thus far,” though the department said it has taken steps to clamp down. Those include blocking use of virtual private network apps.
The department also said it relied on secure containers, which are a way to segregate data on a device so it’s not visible to other apps.
Mr. Cuffari said those steps represented progress but still aren’t enough.
“ICE’s corrective actions do not fully address removal of risky applications not explicitly identified by DHS [Office of Inspector General] or ensure third-party messengers are up to date,” he said.
ICE is the government’s chief deportation agency, and it includes a criminal investigative division, Homeland Security Investigations, which has wide latitude to probe terrorism, national security, gang, smuggling and financial crimes.
Employees and contractors are issued smartphones for their work, which includes letting agents and officers in the field check the identities of those they encounter against government databases.
The ICE policy also lets them install apps directly from third parties, and that includes risky messaging programs.
The audit said it found numerous examples of risky apps, including some that are supposed to be banned for government work.
The audit didn’t name those apps, but Congress last year banned TikTok, a popular messaging tool linked to the Chinese government, from government workers’ phones.
In one case, the inspector general found a cloud data storage application whose CEO is sanctioned by the Treasury Department. Another unnamed app found on ICE devices can track location data and access photos and contact records.
Investigators also found what they called “extremely concerning” VPNs on some ICE devices.
Jim Crumpacker, Homeland Security’s liaison to the inspector general, said ICE began changes in June to try to fix things.
That included blocking risky apps, updating or removing apps with known vulnerabilities and blocking VPNs.
“To augment the department’s current mobile security posture, ICE [Office of the Chief Information Officer] personnel will also deploy additional technology to enhance existing monitoring of internal and public internet resources,” Mr. Crumpacker said.
He said ICE also is exploring whether to limit apps only to those that have been vetted and approved.
• Stephen Dinan can be reached at sdinan@washingtontimes.com.