A report has claimed that there are vulnerabilities in the US Consular Consolidated Database (CCD) that contains personal details from everyone who has applied for a US visa over the past twenty years.
The CCD information includes names, addresses, birthdates, biometric data (fingerprints and facial images), race, identification numbers (e.g. social security numbers and alien registration numbers) and country of origin.
It is suggested that these vulnerabilities could allow third parties to access and alter the database details.
If this is true, it suggests that hackers could potentially legitimize the application for a visa from someone who would normally be rejected. Last year more than 2000 people applied for and were denied visas for having a suspected connection to terrorism.
Sean Sullivan, a security advisor with F-Secure , told SecurityWeek that he suspects the vulnerabilities fall “into the class of vulnerabilities that would allow for a record to be returned on request. And in theory, you could script a large enumerated set of requests.” Hopefully there are systems in place that will block any attempt at large scale scraping.
“I’d be more concerned with manipulation of the data in the database used to validate travelers. Depending on the quality of the fingerprints stored – Apple Pay and the like.”
Officials are playing down the vulnerabilities. There is no suggestion that the visa database has been breached or misused, and a State Department spokesperson told ABC News that the vulnerabilities would be difficult to exploit – requiring “the right level of permissions.”
The ‘right level of permissions’ is, however, precisely what is obtained through successful spear-phishing. It has been the start-point for most of the successful major breaches of the last few years.
The database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.
The vulnerabilities, associated with the aging legacy systems that comprise the CCD, were found during routine monitoring and testing, and are reportedly being remediated. However, ABC News also reports doubts that this is completely true. Vulnerabilities have not all been fixed,” and “there is no defined timeline for closing [them] out,” according to a congressional source informed of the matter.
The mere fact that the CCD systems are aging is another problem. “Legacy systems require work arounds and compromises to get them connected to newer systems. Not a great thing for security,” added Sullivan.
According to the ABC report, CCD connects to “other federal agencies like the FBI, Department of Homeland Security and Defense Department.” These connections are likely to require the work arounds that Sullivan worries about.
Furthermore, if the front-end is already vulnerable, as seems likely, then Sullivan warns, “Vulnerable front-end systems can also reveal details about back-end systems, details that could further direct exploitation.”