Fingerprints, iris images, voice prints, and other biometric data are used more and more for system user authentication and customer service as very convenient and accurate recognition methods, but they do not ensure 100% information security. This is a digest of recent biometric data leaks and incidents of bypassing relevant security systems, prepared by InfoWatch Analytical Center.
Some countries that use citizens' biometric data in nationwide elections have already suffered election commission database breaches. The most recent such incident hit Zimbabwe in the summer of 2018, where hackers cloned the election commission’s domain, broke into its database, and stole crucial personal information of voters, which included not only fingerprints but also photos, addresses, cellphone numbers, and national identity numbers. The attack raised fears that the election results would be manipulated.
Fingerprints have been widely used for identification for many years now, and smartphone and laptop vendors have developed many Touch ID-like systems. However, this identification method is becoming less and less secure. Last year, a high-severity vulnerability was identified in Lenovo Fingerprint Manager Pro, a fingerprint recognition utility installed on a wide range of Lenovo laptop models. Due to a weak encryption algorithm, it allowed someone with local non-administrative access to log in and then obtain users' Windows login credentials and other sensitive data.
The history of information security demonstrates that cybersecurity systems need to evolve constantly, as even the most advanced defenses can be bypassed in time. For example, researchers from New York University proved that it is possible to hack into a fingerprint-based identification system over time using a machine learning technique. The researchers used a neural network, based on artificial intelligence and special algorithms, to generate artificial fingerprints, dubbed “DeepMasterPrints”, that can imitate real fingerprints in a biometric system, working as a “master key”. As of November 2018, the neural network successfully bypassed security systems using 23% of the generated images.
While face recognition systems, such as Face ID, have proved to be a much better identification method than fingerprints, they still do not guarantee 100% security. At the end of 2018, Forbes journalist Thomas Brewster used a 3D-printed model of his head to test facial recognition systems on five smartphones: an iPhone X and four Android devices. He first registered his own real-life head for facial recognition across all five phones and then held up his fake head to the devices to see if they would unlock. For all four Android phones, the spoof face worked just fine, though with differing degrees of ease. Even though Face ID on the iPhone X was the only one never to be fooled, cybersecurity specialists warn that its data can be copied as well.
Today, a database of Aadhaar numbers, 12-digit unique identity numbers collected by the Unique Identification Authority of India (UIDAI), is the world's largest biometric ID system with over 1.1 billion registered holders. In addition to identity numbers, the database contains citizens’ fingerprints and iris scans. Although Indian authorities claim it is impossible to break into this biometric data storage, recent UIDAI records show that an Aadhaar operator’s biometrics were used multiple times in different locations on the same day without his knowledge, indicating vulnerabilities in the system.