Sunday, March 10, 2024

How Biometrics Is A Double Edged Sword In Cyber

 


I have been in IT Security for a long time, probably at least 20+ years.  I first got started in the Biometrics field.  Of course, I had no idea what this was all about, so I had to teach myself a lot about what the technology is.  From there, I started my first security gig, in which I was reselling Hand Geometry Scanners and Fingerprint Scanners from two leading vendors.

I had to define my market, and I decided to focus on Physical Access Entry applications.  This simply meant that I would present these two devices as a means to replace the traditional lock and key.  I thought that this would be more or less an easier sales cycle, because who wouldn’t want an automated way to open up their doors?

Well, I was proved wrong, and in a big way.  Even despite the craze that Biometrics got after the 9/11 attacks (especially that of Facial Recognition), people simply either did not understand it, or simply just did not care about it.  So as a result, I found myself educating people about it, more than selling it.  Of course, I did not make much money in those years that I had the business, but this new path put me on a different trajectory.

I ended up closing down this first business, and opened up a new one 15 years ago.  This focused on content generation about Biometrics, such as authoring articles and doing podcasts with top Biometrics vendors.  I even wrote and published three books on this subject through a leading publisher, CRC Press.  But now fast forward some 20 years later to the present time.

Where is Biometrics today?  Honestly, I have been out of the field for too long to see where the trends are.  One fact that I do know of is that it has received strong attention as an authentication mechanism for an MFA solution.  In this regard, both Fingerprint Recognition and Iris Recognition have received a lot of attention.

But even despite the good that Biometrics can bring to an organization, it is one of those technologies that still receives more negative attention.  And now, it may be at its worst.  Just in November of 2023, the Department of Defense (DoD) released a detailed report about the specific weaknesses of Biometrics.  This report can be downloaded at this link:

http://cyberresources.solutions/blogs/DOD_Biometrics.pdf

But to just summarize, here are some of the major weaknesses that were reviewed in the report:

*Data Theft:  This was compared to stealing a password, and from there, access to just about anything can be yielded.

*Spoofing/Impersonation:  There were instances where something like a Fingerprint Recognition Template was hijacked, and spoofed in order to gain access to a highly secure area.

*Data Privacy:  Just like AI, Biometrics are often viewed as a “black box solution”.  Meaning, you give it the input, and from there, you get the output, with no knowledge as to how the insides of the system work.  This has led to huge concerns with respect to data protection and privacy.

*Integration:  To the best of my knowledge, it appears that Biometrics is not being heavily used as a standalone solution.  Rather, it is being used as an add-on, such as in MFA, as reviewed earlier.  So, there are integration challenges here as well, especially if Biometrics is going to be used to further secure our Critical Infrastructure.

My Thoughts On This:

In fact, Biometric data is now viewed as “Personally Identifiable Information” (or “PII” for short).  Because of this, it is now subject to data privacy laws such as the GDPR, CCPA, HIPAA, etc.  More details on this can be seen at the link below:

https://www.darkreading.com/cyber-risk/thought-gdpr-compliance-was-hard-buckle-up

Now again, I am not sure about all of the technological advancements that have occurred recently with regard to Biometrics, but one thing I can tell you for sure is that when an image of a fingerprint is captured, it is usually converted over into a mathematical file.  In this case, it would be a binary one, which is represented as a series of 1’s and 0’s, like this:  1100010101000100111.  So if you think about it, if a Cyberattacker were to steal this, what can they do with it?

IMHO, not much really.  It’s not like stealing a credit card number.  And for that matter, there should really be no issue at all with data privacy laws, unless the end user has some sort of extremely unique identifier that is associated with their particular Template.  I can agree with the last point, but in terms of spoofing, I still find that a little hard to believe.

One of the only ways I can see this happening is if an image of a fingerprint has been left on the sensor, and has not been completely wiped away.  If you choose to use Biometrics as a means of defense, my best advice would be to deploy it with the same amount of caution as you would with other Cyber-related devices, and use the same approaches to make sure that it will work well in your particular environment.
