Biometric data processing and storage system threats
#1
Bug 
Quote:
[Image: biometric-data-processing-and-storage-sy...eats-1.png]
 
CONTENTS
Initially, digital biometric data processing systems were used primarily by government agencies and special services (police, customs, etc.). However, the rapid evolution of information technology has made biometric systems accessible for ‘civil’ use. They are increasingly becoming part of our everyday lives, augmenting and replacing traditional authentication methods, such as those based on logins and passwords. Indeed, identifying people using characteristics that are unique to each person, such as fingerprints, voices, facial shapes or their distinctive eye structure, seems an obvious and incredibly convenient method.

Today, biometric authentication is used to access government and commercial offices, industrial automation systems, corporate and personal laptops and mobile phones. Both the number and the variety of applications for these technologies continues to grow.

Unfortunately, like many other technologies that have been rapidly evolving lately, biometric authentication systems have proved to have significant drawbacks. The key shortcomings of biometric authentication technologies have to do with information security issues.

In this report, we will discuss the numerous information security issues affecting biometric authentication systems and present the results of our own research, to provide additional information for a more objective evaluation of risks associated with using existing biometric authentication system implementations.

Biometric data processing and storage

The concept of biometric data as a unique personal identifier that cannot be forged is fundamentally wrong and can foster a false sense of security.

Firstly, the accuracy of biometric data recognition by authentication systems, although relatively high, can still be insufficient for many applications. After all, such recognition is not about simply calculating whether two hash sums are equal or not, as in the case of password-based authentication. Biometric systems usually have a greater-than-zero probability of false-negative and false-positive results.

Secondly, research demonstrates that many human biometric characteristics can be forged (falsified) by malicious actors, and copying digitized biometric data may be even easier than copying physical biometrics.

Thirdly (and most importantly), biometric data, once compromised, is compromised for good: users cannot change their stolen fingerprints the way they do stolen passwords. What’s more, biometric data may turn out to be compromised for all applications at the same time. An individual will therefore potentially be affected for the rest of his or her life.

Given all of the issues above, it is remarkable how careless biometric authentication system developers and users are about protecting these systems and the biometric data collected by them against computer attacks.

It turns out that biometric data may be stored in a format that is easily accessible to attackers. A striking example is the notorious story of a major breach found in BioStar 2, a web-based biometric security smart lock platform. According to researchers, the service had a publicly accessible database – over 27.8 million records, a total of 23 gigabytes of data on employees within 5,700 organizations, from 83 countries. The database contained, among other confidential data, about one million fingerprint records, as well as facial recognition information. According to the report, “…instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.”

Unfortunately, the problem pointed out by researchers in connection with the BioStar 2 story is by no means far-fetched. There are known cases of biometric data being targeted by attackers. For example, information stolen in a 2015 cyberattack included nearly six million fingerprints of people associated with the US government.

As the number of potential applications for biometric authentication systems grows, it could easily be envisaged that biometric data will be of interest not only to special services (which the Office of Personnel Management believes is most likely to have been behind their 2015 attack), but other categories of attackers, as well.

Threats blocked on biometric data processing and storage systems

With the risks described above in mind, we decided to evaluate to what extent biometric data processing systems (servers that process and store data, as well as workstations used to collect biometric data) are open to malware attacks, so we analyzed the threats blocked by Kaspersky products on such systems.

Research focus

Computers (servers and workstations) used to collect, process and store biometric data (such as fingerprints, hand geometry, face, voice and iris templates) on which Kaspersky products are installed.

Reporting period

Q3 2019.
...
Continue Reading
Reply


Messages In This Thread
Biometric data processing and storage system threats - by harlan4096 - 04 December 19, 16:31

Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
QOwnNotes 19.1.6
24.12.4 The wel...Kool — 12:56
INTEL Arc Graphics 32.0.101.6325/6253 dr...
Highlights Fix...harlan4096 — 11:06
GFYI [Official] Revo Uninstaller Pro v5...
"Share feedback...damien76 — 09:01
GFYI [Official] SpyShelter PRO v15 Chri...
Merry Christmas and ...damien76 — 08:56
GFYI [Official] IObit Christmas 2024 Bl...
Merry Christmas and ...damien76 — 08:54

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
No upcoming birthdays.

[-]
Online Staff
There are no staff members currently online.

>