Why Biometric Data Use Poses Unique Security Risk
Author: Morey Haber, CTO, BeyondTrust
What do people today consider “sensitive” data?
The definition of Personally Identifiable Information (PII) often includes your name, email addresses, usernames, passwords, birthdate, address, social security number, credit card information, medical history, etc.
The sensitive data we are failing to adequately address is the linkage of our physical, carbon-based human bodies to all the biometric data being stored by IoT devices and services in the cloud.
If you think this sounds farfetched, ask yourself if you or any of your loved ones participated in an ancestry DNA kit or received a new notebook, mobile device, or smartwatch that stores health or login data via fingerprints or facial recognition—I am willing to bet, that either you or someone close to you has.
Compromised biometric data poses unique risks
Typically, you have one single identity. You cannot change your fingerprints, voice, face, eyes, EKG, or even veins in your arm.
When information technology uses biometric data for either authorization or authentication (and yes, they are different), it needs to compare the results with a stored profile of your biometric data. The storage is electronic.
While extraordinary safeguards can be placed on the storage and encryption of biometric data, the biggest problem with it is not the storage or authentication technology used, rather it is the static nature of biometric data itself.
If a password is compromised, you can change it, putting a stop to password re-use attacks that rely on the compromised password. However, if biometric data is compromised, you cannot change it. Your eyes, face, or fingerprints are permanently linked to your identity (excluding bio-hacking which is a topic for another day).
Any future hacks that solely rely on compromised biometric data can be an easy target for threat actors.
Biometrics alone should never be used to authenticate or authorize action or commit a transaction. Biometrics should be paired with a password or, better yet, a two-factor or multi-factor authentication solution for a higher degree of confidence.
Assessing how your biometric data is being used and accessed
Some vendors emphasize security for biometric data (Apple Secure Enclave), while others treat biometric data with little safe regard. If you think my latter claim is questionable, consider VTech’s My Friend Cayla doll and the ramification for sales, collection of voice fingerprints, and the mischievous potential for a threat actor against you or your children.
Just consider all the new technology that may now possess your biometric data:
- Personal Assistants: Devices from Amazon, Google, and Apple all process voice recognition commands and can be programmed to understand individual voices. Your unique vocal patterns are stored and processed in the cloud. While threat vectors for human voice patterns are still very theoretical, be mindful that this data is being stored.
- DNA Kits: Your most private and sensitive data, your DNA, can be in the hands of a third party. You should be aware of everything they can do with it and what the ramifications are if those services are ever breached.
- Mobile Devices and IoT: Cellular phones, tablets, and even door cameras capture some form of biometric data and stores it on the device or in the cloud. The risk here is obvious. Your likeness, unknown to you, is now potentially on another end user’s device, or in the cloud. And, your mobile phone or tablet now has fingerprints and facial metrics stored within it too.
Opening up a dialogue about biometric data
Now is the time to begin sensitive discussions on biometric data. When you purchase a device, use a new technology, or consider how you are interacting with a new service, ask yourself, and potentially the vendor (especially, if the technology is used for work), the following:
- How are you storing biometric data?
- Where is it being stored? (especially, what countries, since this may have other legal and compliance ramifications.)
- How is it secured? Who has access?
- Is my biometric data being purged over time?
- Do you sell my biometric data?
- Does law enforcement have access to my biometric data or logs? Even with a warrant?
Securing biometric data
For organizations that have already embraced biometrics in their environments, there are a few mitigation strategies that can help secure the information:
- Ensure all communications from the biometric device to the authentication application/database are encrypted using modern encryption protocols.
- If the biometric database is centralized, ensure that all of the data is encrypted and the keys to decrypt the biometric information is not stored on the same database server. Typically, organizations will deploy an HSM solution to ensure that even if the data is compromised, the threat actor can’t decrypt the information.
- Treat biometric information similar to credit card information and specifications from PCI DSS. This implies that one asset should never contain all the information necessary to link identity to corresponding biometric data. This is similar to not storing credit card information in its entirety.
- Request the supplying biometric vendor to provide their service level agreement for patching identified vulnerabilities in their solutions and make sure they explain what their process for patching them is.
- Determine the end of life date for your biometric devices. End of life devices are more susceptible to attacks since security updates and potential hardware recalls are no longer being provided by the manufacturer.