Biometric Security Risks: Beyond Fingerprints and Facial Recognition
Biometrics, the science of identifying individuals based on their unique physical and behavioral characteristics, has a rich history. However, it wasn’t until the late 19th century that Sir Francis Galton established the scientific basis for fingerprint identification.
Over the years, biometrics has evolved from manual methods to sophisticated electronic systems. In the 1960s, the FBI began using computers to store and match fingerprints. The 1970s saw the development of voice recognition systems, and the 1980s brought iris recognition technology. The advent of digital cameras in the 1990s paved the way for facial recognition systems.
Biometrics has become integral to various applications, from securing smartphones to controlling access to high-security facilities. Fingerprint scanners, for instance, are now standard on most smartphones, allowing users to unlock their devices with just a touch. Airports and border control increasingly adopt facial recognition technology to verify travelers’ identities. In other areas, such as India’s Aadhaar program, iris scanners are used for national identification. Meanwhile, wearables and smart home devices continuously collect data from their users’ daily activities. In some cases, individuals willingly hand over their sensitive data, as seen with 23&Me, a company facing financial difficulties and considering selling the DNA data of its 15 million users.
However, the widespread use of biometrics also raises significant privacy concerns. Unlike passwords or other credentials, biometric data such as DNA is immutable—you can’t change it once it’s compromised. This permanence fuels fears about the security of biometric databases. It is a growing concern, as they present attractive targets for threat actors seeking to gain access to sensitive personal data.
What Are Biometrics?
Biometrics refers to the automated recognition of individuals based on their unique biological and behavioral characteristics. This technology leverages measurable physical traits, such as fingerprints, facial patterns, iris scans, and voice recognition, to establish identity or verify claimed identities.
Conversely, behavioral biometrics focus on unique patterns in someone’s behavior. Some examples of behavioral biometrics are the way that people type, interact with touchscreens, move their mouse, or walk.
Generated by ImageFX
How Does Biometric Identification Work?
Biometric systems typically involve several components: a scanning device to capture the data, software to process and compare this data against stored templates, and a secure database for storing the information. The comparison can occur in two modes: identification (1:N matching), where an individual is matched against a database of many, or verification (1:1 matching), where the individual’s data is compared to a specific stored template.
A person’s biometric information is first entered into the system during enrollment. At this stage, a specific characteristic, such as a fingerprint, is collected to serve as the individual’s biometric reference. This can be stored as raw information (like the image itself) or as a digital template. In the case of a digital template, key features are extracted and processed to create a unique identifier, which is then stored in a database.
Later, during recognition, the system detects the person’s biometric characteristics, extracts key features, and matches them against the stored templates to authenticate or identify the individual.
These templates are often unique to the specific solution and may even be exclusive to the particular model. As a result, a template generated by one manufacturer might not be recognized by a system from another vendor and sometimes even by newer versions of the same system. Because of this specificity, storing templates poses a significantly lower risk than storing raw biometric data, such as a complete fingerprint image.
Threats and Vulnerabilities in Biometric Systems
Just like any other system, biometric systems also have vulnerabilities.
One threat against biometric systems comes from fake props, where attackers attempt to deceive the system into accepting a fake trait as legitimate. This can involve creating synthetic fingerprints, high-resolution photographs for facial recognition, or even 3D-printed masks that mimic a person’s face. The risk here is that if an attacker successfully impersonates a legitimate user, they can gain unauthorized access under that user’s name.
Data breaches represent another critical vulnerability in biometric systems. Unlike passwords, which can be changed if compromised, biometric data—once stolen—cannot be altered. This creates a long-term security risk, as attackers can use stolen biometric data indefinitely for identity theft or unauthorized access.
For instance, in 2019, a publicly accessible database containing the fingerprints of over 1 million people, along with facial recognition data, unencrypted usernames, passwords, and personal information of employees, was discovered. This database belonged to a company serving major clients, including the UK Metropolitan Police, defense contractors, and banks, highlighting the potential risks associated with storing biometric data.
Another threat to biometric systems is pretty similar to the cyber risks commonly associated with traditional technologies. Replay attacks occur when an attacker captures a valid token or signature during an authentication session and later reuses it to gain unauthorized access to the system. Since any type of data is vulnerable to such attacks (if the system is not secure), the data can also be stolen from a vulnerable system and used by threat actors.
These systems are open to other vulnerabilities as well. In a research from the Ruhr Institute for Software Technology at the University of Duisburg-Essen, the researchers were able to detect previously unknown security problems. According to the research, all tested fingerprint drivers, as well as cryptocurrency wallets, were affected. Threat actors could exploit these vulnerabilities to read biometric data or steal the entire balance of the stored cryptocurrency. The identified vulnerabilities have been assigned numbers CVE-2021-3675 (Synaptics Fingerprint Driver), CVE-2021-36218 (SKALE sgxwallet), and CVE-2021-36219 (SKALE sgxwallet).
SOCRadar’s Vulnerability Intelligence provides an advanced alert system, notifying you of new critical vulnerabilities or exploits in your public-facing services and technologies.
SOCRadar Vulnerability Intelligence
Biometric technologies have expanded beyond simple authentication to applications in surveillance, tracking, and personalized advertising. While these advancements offer significant benefits, they also introduce various risks, particularly concerning profiling, misuse of data, and privacy concerns. The following examples are not exactly threats but concerns around the use of the data.
In a hacker forum monitored by SOCRadar, an alleged database sale is detected for Indonesia’s Automatic Fingerprint Identification System
The post highlights several compromised files, including images of INAFIS members (.PNG) linked to emails, fingerprint data (.WSQ) connected to email addresses, and a Java-based Spring Boot application with database configuration properties. The threat actor explicitly mentions the potential for further exploitation, stating that anyone able to crack or reverse-engineer the Spring Boot application could gain access to over 200 million Indonesian ID card numbers through its API and database.
SOCRadar scans numerous sources to track threat actor activity. The allegation above was found with the SOCRadar Advanced Dark Web Monitoring module. This can be your ultimate compass for navigating through the hidden corridors of the internet. Using state-of-the-art search algorithms and highly customizable news feeds tailored to your industry or region, reveal potential threats with laser-like precision.
SOCRadar scans more than 5,000 sources to track threat actors
Biometric systems can facilitate extensive profiling of individuals based on their unique traits. This profiling can include sensitive information such as age, gender, race, and even behavioral characteristics. The risk here is that organizations may use this data to make decisions about individuals without their consent or knowledge. For example, profiling could lead to discriminatory practices in areas like employment or insurance, where decisions are made based on biased interpretations of the data.
Another concern is around the misuse of the collected data. Organizations may collect the information for specific purposes, such as security or customer service enhancements, but this data can be repurposed for other uses without user consent. Such practices raise ethical questions about user autonomy and the transparency of data handling practices.
Privacy is another concern. Biometric data can be collected without an individual’s knowledge or consent through surveillance technologies that passively capture facial images or fingerprints. Even when informed, many users may not fully understand the implications of providing their biometric information. The complexity surrounding consent becomes problematic when individuals are required to participate in biometric systems to access services or employment.
Deepfakes and AI Manipulation
Deepfakes and AI manipulation represent significant risks in biometric data, particularly concerning identity theft and social engineering. These technologies leverage advanced algorithms to create hyper-realistic synthetic media, which can be used maliciously to deceive individuals and systems.
A viral video where a man uses AI face-changing technology by transforming into a young woman
Deepfakes can facilitate identity theft by allowing attackers to create convincing replicas of a person’s likeness. This can involve generating fake videos or audio recordings that appear genuine, making it difficult for individuals and organizations to discern authenticity. Attackers can use deep fakes to impersonate individuals to bypass various security measures in video calls or social media, potentially gaining access to sensitive information or financial resources by exploiting trust.
In the example above, a man changes his face into that of a young woman with the power of AI deepfake technology, demonstrating how easily individuals can be transformed into someone else online.
Conclusion: Balancing Innovation with Security
In conclusion, while biometrics present a compelling alternative to traditional passwords, it is unlikely that they will completely replace them in the near future. The rise of their authentication is driven by the significant vulnerabilities associated with passwords, such as their susceptibility to theft and the challenges users face in managing multiple complex passwords. Biometrics, which utilize unique physical traits like fingerprints, facial recognition, and iris scans, offer enhanced security and a more seamless user experience by eliminating the need to remember and input passwords.
However, several challenges remain that hinder the total replacement of passwords. These include concerns about the reliability and accuracy of biometric systems, potential privacy issues, and the irreversible nature of the data—once compromised, an individual’s biometric identifiers cannot be changed like a password can. Additionally, the need for multi-factor authentication strategies suggests that biometrics are best used with traditional passwords rather than as standalone solutions.
As technology continues to advance, biometrics is likely to play an increasingly dominant role in identity verification. Organizations are already beginning to adopt biometric solutions alongside traditional methods to create a layered security approach that balances convenience with robust protection against unauthorized access. Therefore, while they may not entirely replace passwords, they are set to transform the digital security landscape by enhancing authentication processes and user experience.
Article Link: Biometric Security Risks: Beyond Fingerprints and Facial Recognition - SOCRadar® Cyber Intelligence Inc.