Trends and perspectives in the use and security of biometric technologies

May 9, 2017

This is a guest post by Sándor Bálint, Security Lead for Applied Data Science for Balabit.

The use of biometric technologies is clearly on the rise. Physiological and behavioral biometric data is being collected in quantities never seen before, and the possibilities to collect such information have also reached unprecedented levels. One contributing factor to this is the availability of data analysis solutions that are able to deal with massive amounts of information, making it possible to collect, store and process large amounts of biometric data. But perhaps even more importantly, it is linked to the ubiquity of smartphones and other mobile devices, which have several sensors built in that can be used for biometrics in one way or another, sometimes in ways that may be surprising.

Perhaps the most well-known use of biometric technologies today is fingerprint readers. Many current smartphones have readers built in, making it possible to record and verify fingerprint data. While this feature (primarily used to help unlock the device without PINs or passwords) is first and foremost a security feature, it is a convenience feature too, and incidentally, also increases the safety of using such devices (e.g. by not having to type in one’s password while walking on the street or while driving). It also enhances security by making screen unlocking operations less vulnerable to shoulder surfing, as an attacker cannot observe the keying in of a password or a PIN. Use of such technologies has gained general acceptance and by now, people who refuse to use them are often seen as eccentric, paranoid, or old-fashioned.

But there are other, lesser known ways smartphones may be used to collect biometric data. Consider the following:

• smartphone cameras may be used to take pictures or video, enabling face recognition (physiological biometrics);
• built-in microphones may be used to record audio signals, enabling voice recognition (behavioral biometrics);
• accelerometers and gyroscopes can be used to detect very slight movements of the device, enabling the analysis of the user’s gait (the way they walk), or even movements of the device when typing on the on-screen keyboard, enabling keystroke dynamics analysis (both are forms of behavioral biometrics).

By using sensor fusion, i.e. the combination of data from multiple sensors, the combined accuracy of the signals can be surprisingly high.

Since access to accelerometer/gyroscope data was not initially considered sensitive by mobile OS manufacturers, any application may access such sensor information without requesting any special permission from the user. These sensors are often extremely sensitive: there have been reports of developers successfully using the accelerometer to record audio signals from the environment without turning on the microphone. And if the accelerometer is used to record typing patterns on the virtual keyboard, the user can be identified using subtle variations in how they type. By analyzing typing, further traits of the user can also be extracted, such as whether they are left- or right-handed, or what language they are typing in. And if this wasn’t enough, individual keys, including usernames and passwords entered on a touchscreen, can also be inferred this way, as well as key presses on nearby computer keyboards. All this happens without requesting any special access, so all of it may be completely invisible to the end user.

All of the above are significant from a security perspective for several reasons.

First of all, it’s time to realize that we are carrying the ultimate surveillance device in our pockets. All it takes is the installation of an app on the smartphone, and once that is done, the publishers of the app may have access to all of these sensors and use the collected data as described above. Some sensor information is also accessible without the installation of any app, simply through visiting a web page containing JavaScript code. Not only can this be an invasion of privacy, but it also means that any current or future services that use this biometric data for authentication can potentially be vulnerable to identity theft. If a password is compromised, it can be changed. Biometric properties are different: they most often cannot be changed easily, if at all, so once such data is compromised, there is not much that can be done.

Second, as seen above, it is now within the bounds of possibility for attackers to gain unauthorized access to computer systems by stealing usernames and passwords through the clever use of smartphone sensors, whether they were entered on the phone or even in its close proximity. Knowing about this risk might be especially important for users with privileged levels of access to information systems handling highly sensitive data.

Third, it is worth noting that some of the data that may be used for biometric authentication is also actively being collected and used by some organizations to profile individuals and look for information not generally available otherwise (for example, collecting and using keystroke information to look for signs of self-censorship). This enables a better understanding of people’s motives, more accurate psychometric description of individuals and groups, and also creates new possibilities to influence or even manipulate masses. While such practice can clearly be profitable to these organizations, their long-term effects are hard to calculate and may carry significant risks.

Also, we should be aware that behavioral biometric technologies are more than likely already actively being used by governments and their intelligence agencies to spy on citizens and foreigners, whether at home or abroad. Such gathering of data, if properly controlled and approved by a court on a case-by-case basis requiring probable cause, might be justifiable and help ensure national security and public safety. However, leaked information seems to suggest that such data gathering is often part of a far-reaching mass surveillance program. While some might simply say that they don’t care about their right to privacy because they have nothing to hide, as someone once said, it is the equivalent of saying that we don’t care about the right to free speech because we have nothing to say.

Collection of behavioral biometric data as part of mass surveillance programs carries significant security risks. Once the sensitive data is created, it must be adequately protected against unauthorized access and misuse, and due to the secretive nature of the operation of intelligence agencies, any potential misuse of such data is unlikely to be reported or detected.

Last, but not least, such biometric technologies may also be used to protect the valuable assets of an organization (company, school, government, etc.). The true challenges are in part related to technologies (the kind of data to be collected and how to collect, use and analyze it), but are just as much legal and ethical. Care must be taken that such tools are not only operated within the letter of the law, but also in a way that is ethical, transparent to the monitored users, and does not cause unnecessary invasion of privacy. Also, whenever biometric data is collected, it must be adequately protected against unauthorized disclosure, modification or misuse so that monitored users and assets are not exposed to additional risk.

DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.

About Sándor Bálint

Sándor Bálint, Security Lead for Applied Data Science for Balabit, is a senior security professional with over 15 years of security experience in the telecommunications, financial and energy industries. He has previously served as security architect for Telenor, chief security officer at Hungarian Export-Import Bank, senior information security risk manager at KBC, security specialist at Erste Bank, network security regional coordinator (EMEA region) at ExxonMobil and senior IT security manager at Hungarian Telekom.