May 29, 2012 -
According to Biometrics Institute Technical Committee Chair Ted Dunstone, biometric systems are more exposed to vulnerabilities and spoofing attacks because hardware vendors cannot update deployed biometric systems immediately.
Unlike flaws found in software, flaws in hardware are harder to remediate because physical components are involved. Software firms such as Microsoft and Google, by contrast, can often patch an issue immediately through an online update.
Companies such as Google have reached out to the security research community by offering incentives to identify flaws in their software. Researchers who report bugs are asked not to disclose them publicly until a patch has been developed. With regard to potential bugs in biometric systems, however, Dunstone would rather not encourage vendors to offer incentives for finding bugs, arguing that this would be counter-productive to the overall security of the systems.
Dunstone says: “It’s very important not to set up an incentive to get people to break these systems. You need to find a way that encourages people that have broken systems to provide that information, but it’s a dangerous path to go down [to provide incentives]”. He also added, “In order to break the systems, you can’t just be hacking around the edges; it requires a relative amount of sophistication and set-up to be able to do that.”
Dunstone also believes that few people are capable of finding such bugs, given the level of sophistication needed to analyse biometric systems. Despite this, Dunstone acknowledged that there are still some individuals with both the expertise and good intentions who should report vulnerabilities found in biometric systems. He also stressed that such people should be protected from legal action, referencing the case of Patrick Webster, a security researcher who was reported to the police by the same organization he was trying to help.
“It is important to make sure that people that bring vulnerabilities to light are not unfairly prosecuted; there needs to be mechanisms whereby people can provide that information in a secure environment where they don’t feel that they need to go public with it,” said Dunstone.
Dunstone asserted that it is the responsibility of system users to find potential vulnerabilities in the systems they operate. Greater collaboration is also required between users and vendors to develop a standard way of discovering vulnerabilities in both existing and new biometric systems, and thus a secure channel for sharing that information among the relevant organizations.
Should legal protections be put in place for users who report vulnerabilities in biometric systems?