Why Bio-metric Data Use Poses Unique Security Risk

By Morey Haber, CTO, BeyondTrust

We live in sensitive times. One “sensitive”, under-discussed topic that we need to directly confront and have an open conversation about is around the sensitivity of data. Yes, that’s right, what do people today consider “sensitive” data?

The definition of Personally Identifiable Information (PII) often includes your name, email addresses, usernames, passwords, birthdate, address, social security number, credit card information, medical history, etc. I would stipulate that most people can agree that these are all sensitive data sets.

But there is an entire classification of sensitive data in the world that we do not discuss and is going to be a problem in the very near future. The sensitive data we are failing to adequately address is the linkage of our physical, carbon-based human bodies to all the biometric data being stored by IoT devices and services in the cloud. If you think this sounds farfetched, ask yourself if you or any of your loved ones participated in an ancestry DNA kit or received a new notebook, mobile device, or smartwatch that stores health or login data via fingerprints or facial recognition—I am willing to bet, that either you or someone close to you has.

Compromised biometric data poses unique risks

To understand the sensitivity of biometric data and why it should be a part of your conversations, consider the potential risk. You are a person. Typically, you have one single identity. One could argue that, even if you are a spy or have a criminal alias, you still only have one identity since, regardless of your aliases or the names you impersonate, you only have one set of biometric data. You cannot change your fingerprints, voice, face, eyes, EKG, or even veins in your arm.

When information technology uses biometric data for either authorization or authentication (and yes, they are different), it needs to compare the results with a stored profile of your biometric data. The storage is electronic.

While extraordinary safeguards can be placed on the storage and encryption of biometric data, at some point, it needs to be reassembled (at least in parts) to compare to assessed input. If the storage is flawed by design, has vulnerabilities, or the host system is misconfigured, we have a potential exposure of the most sensitive biometric data.

However, the biggest problem with biometric data is not the storage or authentication technology used, rather it is the static nature of biometric data itself. If a password is compromised, you can change it, putting a stop to password re-use attacks that rely on the compromised password. However, if biometric data is compromised, you cannot change it. Your eyes, face, or fingerprints are permanently linked to your identity (excluding bio-hacking which is a topic for another day). Any future hacks that solely rely on compromised biometric data can be an easy target for threat actors.

Biometrics alone should never be used to authenticate or authorize action or commit a transaction. Biometrics should be paired with a password or, better yet, a two-factor or multi-factor authentication solution for a higher degree of confidence.

Assessing how your biometric data is being used and accessed

Some vendors emphasize security for biometric data (Apple Secure Enclave), while others treat biometric data with little safe regard. If you think my latter claim is questionable, consider VTech’s My Friend Cayla doll and the ramification for sales, the collection of voice fingerprints, and the mischievous potential for a threat actor against you or your children.

The storage of biometric data is quickly increasing, but the implications are just beginning to be understood and well-grasped. We need to begin discussing what we will allow being stored about our identity and what is just too risky. And, most importantly by whom.

Just consider all the new technology that may now possess your biometric data:

• Personal Assistants: Devices from Amazon, Google, and Apple all process voice recognition commands and can be programmed to understand individual voices. Your unique vocal patterns are stored and processed in the cloud. While threat vectors for human voice patterns are still very theoretical, be mindful that this data is being stored.
• DNA Kits: If you purchased or used one of these, your DNA is now on file. And, if you give permission, your data can be used by law enforcement to help solve outstanding criminal cases. You’re most private and sensitive data, your DNA, is now in the hands of a third party. You should be aware of everything they can do with it and what the ramifications are if those services are ever breached.
• Mobile Devices and IoT: Cellular phones, tablets, and even door cameras capture some form of biometric data and stores it on the device or in the cloud—even if it is not used for authentication or authorization. The risk here is obvious. Some door cameras, based on location, capture photos or video based on movement and may capture your picture just by your walking or driving past it. Your likeness, unknown to you, is now potentially on another end user’s device, or in the cloud. And, your mobile phone or tablet now has fingerprints and facial metrics stored within it too. There are plenty of tools and documents on how to bypass these security models if you have the device in hand. You cannot trust these security models based on biometrics alone, and AI may actually make the matter worse by performing the PII linkage for threat actors.

Opening up a dialogue about biometric data

Now is the time to begin sensitive discussions on biometric data. When you purchase a device, use new technology, or consider how you are interacting with a new service, ask yourself, and potentially the vendor (especially, if the technology is used for work), the following:

• How are you storing biometric data?
• Where is it being stored? (Especially, what countries, since this may have other legal and compliance ramifications.)
• How is it secured? Who has access?
• Is my biometric data being purged over time?
• Do you sell my biometric data?
• Does law enforcement have access to my biometric data or logs? Even with a warrant?

Biometric data is perhaps the most sensitive information you possess. It is a part of your identity and can never be changed. It is a worthy conversation we need to have in this sensitive world. It affects everyone, does not discriminate, and as new technology emerges, stands to cause potential trouble for everyone unless we understand how our likeness is being captured, stored, processed, and ultimately utilized.

About the Author

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor’s of Science in Electrical Engineering from the State University of New York at Stony Brook.