
CBP fails to protect data on tens of thousands of mobile devices

Inspector general’s audit paints a picture of risk across the lifecycle of mobile devices

U.S. Customs and Border Protection’s (CBP) vast fleet of government smartphones and tablets suffers from basic security failures that have left personal and sensitive law-enforcement information exposed to cyberattack and loss.

According to an audit by the Department of Homeland Security (DHS) Inspector General (IG), CBP failed to consistently harden devices, corral high-risk apps, remediate compromised phones flagged by its own tools, or reliably wipe lost and retired equipment.

More than 70,000 mobile devices are carried by CBP officers and staff across ports, airports, and field offices. The IG stressed that the security failures it documented have left CBP, and by extension the people whose data its workforce handles, unnecessarily exposed.

The IG’s findings paint a comprehensive picture of risk across the lifecycle of CBP’s mobile devices. Inspectors reviewing CBP’s mobile device management (MDM) platform and supporting servers found key security baselines were only partially applied.

Seventy percent of required settings were enforced on the MDM platform, while one class of servers hit 95 percent compliance and another lagged at 62 percent. Notably, local privileged accounts for the MDM did not require multi-factor authentication, accepted only a username and password, and allowed up to ten invalid logon attempts, far above typical federal hardening guidelines.

CBP’s own mobile apps added to the attack surface. CBP has developed five custom mobile applications supporting mission operations, and static code analysis revealed vulnerabilities in four of them.

In total, the four vulnerable apps exhibited 38 distinct weaknesses across 84 instances of insecure code. These are weaknesses CBP had not previously catalogued or addressed through plans of action or waivers.

Meanwhile, CBP permitted an unusually permissive app environment on government-issued iOS and Android devices. The Inspector General identified 564 store-distributed apps, installed on fully half of the MDM-managed fleet, that either pose security risks, are explicitly prohibited, or enable explicitly prohibited activities.

The categories ranged from third-party file-sharing tools and managers for unapproved USB storage, to unofficial app stores, “privacy” browsers with built-in VPNs, and standalone VPN services that DHS policy deems inherently untrustworthy on the enterprise network.

Social networking, private messaging, webmail, streaming, gaming, rideshare-driver and tax-prep apps, and other blacklisted categories also appeared on government phones.

The IG’s findings cut directly against federal guidance. The National Institute of Standards and Technology’s (NIST) mobile security handbook advises enterprises to assume that unknown third-party apps are untrusted and to employ mobile application vetting along with MDM and mobile threat defense.

“Keep mobile operating systems and apps updated” and “regularly monitor and maintain mobile device security,” the standard requires. These are considered core practices that the Inspector General says CBP failed to perform consistently.

The risk is not abstract. The MDM flagged 284 enrolled devices as “compromised,” which typically means the devices were jailbroken or rooted, conditions that disable built-in operating-system protections and often allow the installation of unapproved apps.

Despite this, CBP had no policy to remediate them and left them active. The IG warned such devices can be gateways for data theft or malware.

Beyond configuration, oversight was inconsistent. At least 52 percent of CBP’s devices were running outdated operating systems, and the agency lacked a managed photo app or screenshot controls, enabling personnel to capture imagery from within CBP apps and forward it through email and messaging, content that could include sensitive case information or personally identifiable information.

International travel multiplied exposure. DHS policy requires explicit authorization, pre-travel risk assessments, and “minimal-feature” configurations for devices that leave the country, with post-travel inspection before reconnecting to a DHS network.

CBP employees nevertheless took agency phones on 10,957 trips to 121 foreign locations over two years without consistently performing those steps, and CBP lacked a component-wide international-travel policy for mobiles, despite acknowledging the requirement and “currently developing” procedures.

The agency also had the capability, but not an implemented process, to monitor and block unauthorized foreign network access, leaving gaps adversaries could probe.

Perhaps the most alarming failure is what happens when devices go missing or out the door for disposal. In a statistically valid sample, DHS auditors found evidence of proper sanitization in just 9 of 259 lost devices, implying that roughly 93 percent of the 881 lost devices during the period were not wiped.

For disposed devices, the sample suggested about 82 percent of 24,465 retired phones and tablets lacked documented sanitization. Incredibly, some devices reported as retired remained actively enrolled in MDM more than a year later.

These sorts of lapses carry obvious privacy and operational stakes. Modern mobile phones blend sensitive personal data with agency credentialing, case notes, and investigative apps.

The Inspector General warned that compromised devices can be used to eavesdrop via microphone or camera, track location, or serve as staging points for attacks against DHS systems.

CBP, for its part, formally concurred with all fourteen IG recommendations and laid out a multi-step remediation plan. The Office of the Chief Information Officer (OCIO) committed to implement missing configuration settings, document risk acceptances where mission needs require deviations, and enforce consistent standards for custom-developed apps by the end of this year.

CBP also agreed to move from a “blacklist” model, where nearly any store app is allowed unless explicitly banned, to a stricter “whitelist” regime that blocks everything except pre-approved, official-use apps.

Because that shift affects user workflows across thousands of devices, CBP set a longer runway, targeting completion by December 31, 2026.

CBP further pledged to ensure all single-user “smart” devices are enrolled in MDM or have documented waivers, and to establish policy that user-installed apps be vetted for risk and monitored routinely.

In parallel, CBP’s Office of Facilities and Asset Management agreed to tighten property oversight; refer negligent losses to the Personal Property Management Oversight Board; require remedial training where staff mishandle sensitive assets; improve disposal controls; and coordinate with OCIO to ensure every lost or disposed device is unenrolled and sanitized before it leaves CBP custody.

CBP officials disputed that they had denied the IG read-only access to inventory systems and said they provided data extracts instead. The IG said the lack of direct access delayed its work and required extra validation of the data supplied.

Outside experts say the report underscores a persistent federal pain point: mobile devices are now first-class computers, and attackers know it. NIST’s Special Publication 800-124 urges agencies to “employ enterprise mobility management, mobile threat defense, [and] mobile application vetting” and to “regularly monitor and maintain mobile device security,” with whitelisting and strict configuration as cornerstone controls.

Asked about the audit’s findings, CBP pointed to its formal responses within the IG report, emphasizing that remediation is underway.

CBP said the OCIO will “implement the recommended configuration settings,” “enforce consistent standards for custom-developed mobile applications” and “develop policy ensuring that all single-user ‘smart’ mobile devices are enrolled and managed,” with most actions slated for completion in 2025 and the whitelisting overhaul by the end of 2026.

The IG’s recommendations go beyond policy. They require CBP to stand up a repeatable process to quarantine jailbroken and rooted devices; to enforce credentialed vulnerability scanning and timely patching on MDM infrastructure; to monitor and block unauthorized foreign log-ons; and to put in place the hard, sometimes unglamorous property controls that ensure every lost or retired phone is remotely wiped, unenrolled, and documented.

The audit also surfaced a gap with CBP’s shadow inventories and semi-managed devices. In 2023, CBP’s MDM covered 38,403 of 72,042 devices. For the remainder – more than 33,000 – only about a quarter even had active service lines, leaving tens of thousands of corporate endpoints in ambiguous status.

The IG also found unsupervised devices on the MDM, limiting CBP’s ability to push updates or enforce protections like disabling AirDrop or filtering content.

Unsupervised and unmanaged devices can bypass key controls and “increase the risk of data breaches, malware infections, or unauthorized access to CBP IT systems,” the audit concluded.
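The checks the audit keeps returning to (quarantining “compromised” devices, catching retired devices still enrolled in MDM, flagging outdated operating systems, and the difference between a blacklist and a whitelist app model) can be expressed as a single compliance sweep over an MDM export. The script below is an added example, not CBP’s or the IG’s tooling; the device records, app names, minimum OS build and both app lists are constructed for illustration.

```python
"""Compliance sweep over a constructed MDM device export (not CBP data),
applying the checks the IG audit describes: quarantine "compromised"
(jailbroken/rooted) devices, flag retired devices still enrolled, flag
outdated OS builds, and compare a blacklist policy with a whitelist one."""
from dataclasses import dataclass, field

@dataclass
class Device:
    serial: str
    status: str          # "active" or "retired" (constructed property-system value)
    os_version: str
    compromised: bool    # MDM jailbreak/root detection flag
    apps: list[str] = field(default_factory=list)

MIN_OS = (17, 0)                                   # assumed minimum supported build
# Constructed policy lists; note the blacklist deliberately omits personal webmail
BLACKLIST = {"unofficial-store", "usb-manager", "vpn-browser", "rideshare-driver"}
WHITELIST = {"cbp-mission-app", "mail-official", "mdm-agent"}

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def findings(d: Device, model: str) -> list:
    """Return audit findings for one device under a 'blacklist' or 'whitelist' app model."""
    out = []
    if d.compromised:
        out.append("quarantine: compromised (jailbroken/rooted)")
    if d.status == "retired":
        out.append("retired but still enrolled: unenroll and sanitize")
    if parse_version(d.os_version) < MIN_OS:
        out.append(f"outdated OS {d.os_version}")
    if model == "blacklist":
        bad = sorted(set(d.apps) & BLACKLIST)      # only named apps are caught
    else:
        bad = sorted(set(d.apps) - WHITELIST)      # anything not pre-approved is blocked
    if bad:
        out.append(f"prohibited apps ({model}): {', '.join(bad)}")
    return out

# Constructed sample export (hypothetical serials and apps)
FLEET = [
    Device("D001", "active", "17.4", False, ["cbp-mission-app", "mdm-agent"]),
    Device("D002", "active", "16.2", True, ["vpn-browser", "webmail-personal"]),
    Device("D003", "retired", "17.1", False, ["cbp-mission-app", "unofficial-store"]),
]

def sweep(fleet, model="blacklist"):
    return {d.serial: findings(d, model) for d in fleet}

if __name__ == "__main__":
    for model in ("blacklist", "whitelist"):
        for serial, issues in sweep(FLEET, model).items():
            print(model, serial, issues)
```

Running both models over the same export shows the gap the audit describes: the blacklist lets the unlisted personal webmail app through on D002, while the whitelist blocks it along with everything else not pre-approved.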
