
Latest news with #SISII

EU border software vulnerable to hacks, confidential reports warn

Irish Independent

03-07-2025


The Schengen Information System II (SIS II) had thousands of cybersecurity issues that the European Data Protection Supervisor, an EU auditor, deemed to be of 'high' severity in a 2024 report. It also found that an 'excessive number' of accounts had administrator-level access to the database, creating 'an avoidable weakness that could be exploited by internal attackers'. While there is no evidence that any SIS II data was accessed or stolen, a breach 'would be catastrophic, potentially affecting millions of people', said Romain Lanneau, a legal researcher at EU watchdog Statewatch. SIS II, which was first implemented in 2013, is part of an EU-wide effort to strengthen the bloc's external borders using digital and biometric technologies at a moment in which governments around the world are taking tougher stances on migration. The system allows member states to issue and view real-time alerts when tagged individuals, a group that includes terror suspects and people with outstanding arrest warrants, attempt to cross an EU border. SIS II, which currently runs on an isolated network, will eventually be integrated with the EU's Entry/Exit System, which will automate registration of the bloc's hundreds of millions of annual visitors. EES will be connected to the internet, which could make it easier for hackers to access the highly sensitive SIS II database, the report warns. Alerts issued by SIS II can contain photos of suspects and biometric data such as fingerprints taken from crime scenes. Since March 2023, the alerts have also incorporated so-called 'return decisions' – legal rulings that flag a person for deportation. While the vast majority of the system's estimated 93 million records relate to objects such as stolen vehicles and identity documents, about 1.7 million are linked to people. Of those, 195,000 have been flagged as possible threats to national security. 
Since individuals don't generally know that their information is in SIS II until law enforcement acts on it, a leak could potentially make it easier for a wanted person to evade detection. The audit determined that SIS II was vulnerable to hackers overwhelming the system, as well as attacks that could enable outsiders to gain unauthorized access, documents show. A spokesperson for EU-Lisa, the agency that oversees large-scale IT projects such as SIS II, said the agency couldn't comment on confidential documents, but that 'all systems under the agency's management undergo continuous risk assessments, regular vulnerability scans, and security testing.'

The EU's border security software is reportedly full of holes

Engadget

02-07-2025


The software used by EU border security forces to prevent undocumented immigrants and suspected criminals from travelling in the region is allegedly riddled with holes and vulnerable to cyber attacks. The Second Generation Schengen Information System (SIS II) is an IT system and database shared between most EU states for law enforcement and public security purposes. And according to a new collaborative report between Bloomberg and investigative non-profit Lighthouse Reports, SIS II — which has been used since 2013 — is plagued with "thousands" of cybersecurity issues, to the extent that an EU auditor flagged them to be of "high" severity in a report filed last year. The report notes that there is no evidence of any data theft, but the "excessive number" of accounts that unnecessarily have access to the database means it could be fairly easily exploited. During its initial rollout, SIS II's major additions included fingerprint technology and photographs in alerts, and in 2023 the software was updated with upgraded data and enhancements to its existing functionality, including the ability to signal when someone has been deported from a country. Bloomberg reporters spoke to Romain Lanneau, a legal researcher at an EU watchdog called Statewatch, who warned that an attack would be "catastrophic, potentially affecting millions of people." Right now SIS II operates within an isolated network, but will soon be rolled into the EU's Entry/Exit system (EES), which will make registering biometric details a requirement for individuals travelling to Schengen-associated areas when it comes into effect, likely later this year. As the EES will be connected to the internet, a hack on the SIS II database will become significantly easier. Bloomberg and Lighthouse note that while most of the SIS II system's estimated 93 million records pertain to objects such as stolen vehicles, there are around 1.7 million linked to people.
It adds that people usually aren't aware that their details are logged in the database until law enforcement gets involved, so if the information was leaked, wanted individuals may find it easier to evade the authorities. SIS II's development and maintenance is managed by a Paris-based contractor called Sopra Steria. According to the report, as vulnerabilities were reported, they took between eight months and upward of half a decade to resolve. This is despite it being contractually obligated to fix issues deemed to be of critical importance within two months of releasing a patch. A spokesperson for Sopra Steria did not respond to Bloomberg regarding the detailed list of allegations concerning SIS II's security holes, but said in a statement printed in the report that EU protocols had been adhered to. "As a key component of the EU's security infrastructure, SIS II is governed by strict legal, regulatory, and contractual frameworks," it said. "Sopra Steria's role was carried out in accordance with these frameworks." EU-Lisa, the EU agency that oversees large-scale IT systems like SIS II, regularly farms out duties to external consulting firms as opposed to building its own in-house tech, according to the investigation. The audit accused the agency of not informing its management about security risks that had been flagged, to which it responded by saying that all systems under its management "undergo continuous risk assessments, regular vulnerability scans, and security testing."

Europe's Schengen border security system vulnerable to hacks. Audit warns of catastrophic breach risk

Time of India

02-07-2025


An information-sharing system used by EU border forces to flag illegal immigrants and suspected criminals in real time was rife with software and security vulnerabilities, according to emails and confidential audit reports obtained by Bloomberg News and investigative newsroom Lighthouse Reports. The Schengen Information System II had thousands of cybersecurity issues that the European Data Protection Supervisor, an EU auditor, deemed to be of 'high' severity in a 2024 report. It also found that an 'excessive number' of accounts had administrator-level access to the database, creating 'an avoidable weakness that could be exploited by internal attackers.' While there is no evidence that any SIS II data was accessed or stolen, a breach 'would be catastrophic, potentially affecting millions of people,' said Romain Lanneau, a legal researcher at EU watchdog Statewatch. SIS II, which was first implemented in 2013, is part of an EU-wide effort to strengthen the bloc's external borders using digital and biometric technologies at a moment in which governments around the world are taking tougher stances on migration. The system allows member states to issue and view real-time alerts when tagged individuals, a group that includes terror suspects and people with outstanding arrest warrants, attempt to cross an EU border. SIS II, which currently runs on an isolated network, will eventually be integrated with the EU's Entry/Exit System, which will automate registration of the bloc's hundreds of millions of annual visitors. EES will be connected to the internet, which could make it easier for hackers to access the highly sensitive SIS II database, the report warns. Alerts issued by SIS II can contain photos of suspects and biometric data such as fingerprints taken from crime scenes. Since March 2023, the alerts have also incorporated so-called 'return decisions' — legal rulings that flag a person for deportation.
While the vast majority of the system's estimated 93 million records relate to objects such as stolen vehicles and identity documents, about 1.7 million are linked to people. Of those, 195,000 have been flagged as possible threats to national security. Since individuals don't generally know that their information is in SIS II until law enforcement acts on it, a leak could potentially make it easier for a wanted person to evade detection. The audit determined that SIS II was vulnerable to hackers overwhelming the system, as well as attacks that could enable outsiders to gain unauthorized access, documents show. When EU-Lisa, the agency that oversees large-scale IT projects such as SIS II, reported these issues to Sopra Steria, the Paris-based contractor responsible for developing and maintaining the system, the company took between eight months and more than five-and-a-half years to fix the problems, according to the report and emails between EU employees and Sopra Steria. Under the terms of its contract with EU-Lisa, Sopra Steria was obliged to fix 'critical and high' software vulnerabilities within two months of a patch being released, emails and two audit reports show. A spokesperson for Sopra Steria declined to respond to a detailed list of allegations about security vulnerabilities in SIS II, but said in a statement that the company followed EU protocols. 'As a key component of the EU's security infrastructure, SIS II is governed by strict legal, regulatory, and contractual frameworks,' the spokesperson wrote. 'Sopra Steria's role was carried out in accordance with these frameworks.' Emails seen by Bloomberg and Lighthouse Reports showed that EU-Lisa employees flagged cybersecurity issues to Sopra Steria on several occasions in 2022. Sopra Steria argued in one email exchange that patching some of the vulnerabilities would cost an extra €19,000.
In response, EU-Lisa said the work should be covered by the existing contract, which included a fee of between €519,000 and €619,000 per month for 'corrective maintenance,' according to a document detailing Sopra Steria's fees for the EDPS audit also noted that 69 team members not employed directly by the EU had access to SIS II despite lacking the necessary security clearance. It's not clear if they were Sopra Steria employees or other audit blamed some lapses on EU-Lisa, which did not inform its management board about security vulnerabilities after they were identified. In the documents, auditors described the EU agency as struggling with 'organizational and technical security gaps' and recommended that it set up an action plan with a 'clear strategy' for addressing vulnerabilities. In addition to SIS II, the agency maintains a database of asylum seekers' fingerprints, called Eurodac, and a visa waiver system similar to that of ESTA in the US. A spokesperson for EU-Lisa said the agency couldn't comment on confidential documents, but that 'all systems under the agency's management undergo continuous risk assessments, regular vulnerability scans, and security testing.' 'Any risks identified are assessed, prioritized, and addressed based on their criticality, with appropriate mitigation measures defined and closely monitored,' the spokesperson of the problems with SIS II stemmed from EU-Lisa's tendency to rely heavily on consulting firms rather than build technological capabilities in-house, according to three people familiar with the matter, who asked not to be identified as they weren't authorized to speak publicly. This was partly because of pressure to deliver on projects that the agency did not have the staff to complete Entry/Exit System, the high-tech border system intended to automate visitor registration in Europe — and another project overseen by EU-Lisa — has also been struggling.
The system was supposed to launch in 2022, but has been delayed multiple times due to technical problems largely attributed to the French IT firm Atos, Bloomberg and Lighthouse Reports reported in December. The EU Commission said two months ago that member states would switch on some parts of EES in the last decade, the European Union has been trying to implement so-called smart borders to keep track of the increasing number of people traveling into the bloc. The creation of a decentralized agency like EU-Lisa in 2012 should have made developing these systems easier, said Francesca Tassinari, a lawyer and researcher at the University of the Basque Country and an expert on EU IT systems. 'But unfortunately the agency has not proven sufficient to manage the scale and complexity of the project.' Part of the reason for that, explained Leonardo Quattrucci, a senior fellow at the Center for Future Generations, is that the EU lacks people with experience in procuring and managing these contracts. 'Procurement should be treated as a strategic function, but it's currently a compliance process,' he said. 'You need the owners of the process to be specialists.'
