Biometric passwords have become popular, but vulnerabilities in these systems leave users’ phones and data at risk of being hacked and sold on the dark web.
International white-hat researchers recently identified a vulnerability that allows them to access a phone’s contents in a mere 20 minutes. The researchers showcased this vulnerability and the associated methodology at the 2019 GeekPwn conference in Shanghai.
In a live demonstration, one of the presenters asked volunteers from the audience to touch a piece of glass. The residual fingerprints were then photographed with a smartphone and loaded into an app designed by the researchers.
“Although the precise methodology was not revealed, the app is thought to extract the data required to clone a fingerprint, presumably using a 3D printer.”
The researcher then unlocked three different smartphones that were given to members of the audience. In the end, the researchers penetrated three different fingerprint scanning technologies that are commonly used in the smartphone industry.
The researchers’ demonstration of the fingerprint lock vulnerability is one of many ways that hackers can potentially access smartphone systems and data. To read more about the vulnerabilities of fingerprint locks, see this Forbes article.
How else can biometrics be hacked?
Biometric compromises can occur in numerous ways. Hackers can go beyond capitalizing on flaws found in hardware and devices. Determined adversaries may look for flaws in how biometric data is stored. Security researchers have previously found completely unprotected and unencrypted databases with stored biometric information. For those with malicious intent, these repositories can represent goldmines.
Notorious biometric hacks?
In 2015, fingerprints belonging to more than 5.5 million federal government workers were stolen from the US Office of Personnel Management. According to Congress, “The exact details of how and when the attackers gained entry … are not exactly clear.” This repository was extremely valuable, as the fingerprints could provide easy access to what are otherwise high-security areas.
Wondering about how hackers actually use scans of fingerprints to gain illicit access? Attackers can create 3D fingerprints or wax models of biometric scans to infiltrate secured entry points. Alternatively, the truly scrappy have been known to use a glue-gun and adhesive.
The bottom line is that every security measure comes with advantages, opportunities and challenges for all. In using biometric data as a security mechanism, administrators must recognize that biometric passwords are permanent and unchangeable. As a result, keeping data properly secured is absolutely critical to the continued productivity and functionality of organizations that rely on this form of identification.