Biometric ‘doomsday scenarios’ identified by cyber IoT expert
A leading Israeli cybersecurity expert warns there are three worst-case scenarios he envisions with the expansion of biometrics, especially by way of nation-state espionage and sabotage via IoT devices.
Referring to them as "Doomsday Scenarios," Yotam Gutman of Israel-based SecuriThings told Biometric Update in an exclusive interview that they are "disruption of service, insider manipulation and theft of biometric data." He issued the disturbing warning that, "With more biometric services and physical security, including access control in general, moving to the cloud, it is likely that we will see more hacking and intrusion attempts unfold."
Nation-states are quickly recognizing the potential for cyber espionage and sabotage via IoT devices, he said, noting that the Department of Homeland Security issued a warning that government-backed Russian hackers are using compromised routers and other network infrastructure to conduct espionage and potentially lay the groundwork for future offensive cyber operations.
Earlier this year, HID Global predicted that in 2018, "cloud authentication and credential management will further integrate mobile devices, tokens, cards and machine-to-machine endpoints," and that "Digital certificates in the IoT will draw upon these trusted cloud services to deliver and manage certificates across thousands of devices."
Consequently, the company said, “More connected devices and environments [will] drive focus on securing the IoT,” adding, “Digital certificates will become a core component for adding trust in the IoT by issuing unique digital IDs to printers and encoders, mobile phones, tablets, video cameras, and building automation systems, plus a broader range of things like connected cars and medical devices.”
According to Pancom, “The need for secure [cloud-based access control] management systems is pushing the service aspect of the security industry, a major factor of which is the cloud. What started as merely a service to open doors has evolved into an industry that interacts with people and provides ongoing support in security measures.”
Gutman is a retired Lieutenant Commander in the Israel Navy, where he specialized in C4I applications, maritime domain awareness and maritime intelligence, and was chief instructor of the Tactical Officers advanced course at the naval academy. He has worked the last ten years in various technical, sales and marketing roles within the defense, homeland security and intelligence industries, specifically addressing biometric access control security and the threats to it, such as insiders and direct hacking of biometric access systems.
He was also project manager of a team of technical writers on varied projects, including weapon systems, C4ISR systems and unmanned vessels; that job included managing a team of 10 employees in various testing and development tasks, working closely with leading defense projects such as those at RAFAEL. He was also the Specification and Testing Team Leader at BVR Systems, managing a team of specification and testing engineers responsible for the specification and testing of world-leading simulation systems.
In speaking to Biometric Update, Gutman said, “Biometric access control is a relatively advanced security measure that is considered more secure than traditional access control systems because it relies upon the employee himself and not just something like a card that he physically possesses.” However, “given that this technology demands a centralized database, sophisticated (i.e. hackable) devices, and connectivity between devices, it is also vulnerable to hacking, manipulation and service disruption.”
Still, Gutman told Biometric Update, “This is a big debate here in Israel. The government wants a central biometric database, and privacy experts object, stating that the government is known for less-than-perfect security and that this database will likely get hacked and fall into the wrong hands. So, currently, citizens can opt out of this database (when you issue a new ID you can choose a regular one that is in order for 5 years or a biometric one for 10 years). As for businesses, this now falls largely under the domain of GDPR – which is becoming the world’s de facto standard for privacy. Companies that would like to keep such information must adhere to stringent security and reporting rules, so they are required to try harder to secure this information. Governments, as far as I’m aware, are not obliged to adhere to these, so they are ‘allowed’ to handle data in a less secure manner and also refrain from reporting a data breach.”
Both centralized and de-centralized databases have their pros and cons, largely based on cost, training, and ease of use. Which way the majority of governments and business will go remains to be seen, although HID said it believes “2017 was the year mobile access went mainstream and adoption will accelerate even further in 2018. Maturity in mobile solutions and integration into other systems, coupled with mobile’s ability to enhance user convenience, improve operational efficiency and provide higher security will drive accelerated growth for mobile access and mainstream adoption.”
Today, Frost & Sullivan said in a new White Paper, Unleashing the Smart Enterprise: A Foundational Approach to Efficiency, Agility and Security, “Organizations of all sizes are flocking to cloud services, but often have difficulty with the associated compliance, control, integration and cost implications. Overall, many organizations are struggling with intensifying reliability, security and flexibility needs.”
“The accelerating speed of business, combined with rapidly changing end-customer and employee preferences and fast-emerging security threats, are compelling all organizations to become more agile and proactive—to become a smart enterprise,” said Ram Menghani, Senior Vice President, Smart Enterprise Solutions & Services at NEC. “There is a lot to consider when laying the necessary foundation and many places your organization can start—in the data center, in any network layer, with user apps, by locking down on security, etc.”
Still, whether centralized or de-centralized, both have their access security vulnerabilities, as Gutman pointed out.
Grid manipulation attacks. “What if,” he said, “instead of hacking secured power plants, a nation-state was to hack millions of smart devices connected to the power supply, so that it could turn them on and off at will?”
He said, “By attacking Internet-facing utility devices such as sewage and water flow sensors and actuators, attackers could create significant damage without having to penetrate robust IT or OT networks.”
Then there’s what he calls, “smart city mayhem. If the connected traffic lights, traffic monitoring cameras and parking sensors are taken offline or manipulated, cities could suffer with large scale interference to their inhabitants’ daily lives.”
Or, it could be a form of “simple terror. Just imagine someone hacking a street sign and altering it to display messages from the country’s enemies.”
Gutman said, “The three worst-case scenarios we envision are disruption of service, insider manipulation and theft of biometric data,” which he broke down as follows:
Disruption of service. “If hackers could get control over the finger/face/palm readers and disrupt their operation, shut them down or destroy the firmware, it would create havoc at the facility gates,” he said, noting that, “Until the devices were replaced, the place would be effectively shut down. This can happen even without hackers specifically targeting these devices; many connected devices are identified and infected by botnets and then utilized to participate in either denial of service attacks or mining cryptocurrencies — activities that consume much of the device’s compute power and clog its communication channels to other devices or the cloud. More aggressive types of malware simply bring the device to an endless reboot loop, rendering it non-operational.”
The next “doomsday” scenario, he said, is “insider manipulation,” explaining that, “A capable insider such as an IT administrator could tamper with the biometric database, erasing entries of employees (a cruel way to get back at a rude executive would be to erase his fingerprint or corrupt it, making his entry into the building a challenge), or adding those of people who do not belong to the organization but are colluding with the insider.”
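Detecting the insider manipulation described above comes down to keeping an integrity record of the enrollment table outside the administrator's reach. The following is an added illustration, not code from the article or from SecuriThings: the enrollment records and template values are constructed, and the HMAC key is assumed to be held by a separate audit service that the database administrator cannot read.

```python
import hashlib
import hmac
import json
import secrets

# Constructed enrollment table: employee id -> record. "template" stands in for the
# biometric template blob; all values here are invented for this example.
ENROLLED = {
    "e1001": {"name": "Executive A", "template": "9f3a1c77", "doors": ["lobby", "exec-floor"]},
    "e1002": {"name": "Engineer B", "template": "41be0d02", "doors": ["lobby", "lab"]},
    "e1003": {"name": "Guard C", "template": "c0ffee11", "doors": ["lobby", "lab", "exec-floor"]},
}


def record_mac(key, emp_id, record):
    # Bind the employee id into the MAC so an admin cannot swap two people's templates
    # and keep both MACs valid. sort_keys gives a canonical encoding of the record.
    msg = emp_id.encode() + b"\x00" + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def snapshot(key, db):
    # The manifest (id -> MAC) is stored by the audit service, not in the database
    # the administrator controls; the set of ids in it is what exposes erasures.
    return {emp_id: record_mac(key, emp_id, rec) for emp_id, rec in db.items()}


def audit(key, db, manifest):
    """Compare the live table against the manifest; returns (kind, emp_id) findings."""
    findings = []
    for emp_id in sorted(set(manifest) - set(db)):
        findings.append(("erased", emp_id))
    for emp_id in sorted(set(db) - set(manifest)):
        findings.append(("added", emp_id))
    for emp_id in sorted(set(db) & set(manifest)):
        if not hmac.compare_digest(record_mac(key, emp_id, db[emp_id]), manifest[emp_id]):
            findings.append(("modified", emp_id))
    return findings


def simulate_insider():
    """Assumed scenario: the auditor snapshots the table, then an admin tampers with it."""
    key = secrets.token_bytes(32)             # held by the auditor only (assumption)
    manifest = snapshot(key, ENROLLED)
    db = json.loads(json.dumps(ENROLLED))     # deep copy: the live table the admin edits
    # The three manipulations from the scenario above:
    db["e1001"]["template"] = "00000000"      # corrupt the executive's template
    del db["e1002"]                           # erase an employee
    db["e9999"] = {"name": "Accomplice", "template": "deadbeef", "doors": ["lobby", "lab"]}
    return audit(key, db, manifest)


if __name__ == "__main__":
    for kind, emp_id in simulate_insider():
        print(f"{kind:9} {emp_id}")
```

A plain hash column in the same database would not help here, because the administrator who can rewrite a template can rewrite its hash; the point of the keyed MAC is that the key and the manifest live where the admin's privileges do not reach. The check detects tampering rather than preventing it, so it belongs on a schedule (or on every change event) with an alert on any non-empty finding, and any change to the manifest itself should require a second person.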
Finally, he said, there is outright theft of biometric data, which “could occur if the data is improperly secured locally or in the cloud.” He pointed out that, “With biometric identification being adopted in many places, this new form of PII (personal identification information) could be very profitable for sellers on the Dark Net, just as credit card details are today.”
The company says, “For cloud-connected IoT applications, monitoring is … crucial,” emphasizing “the typical application has dozens of different devices, with very little security, all connected to the cloud. Every connection to the cloud is a vulnerability.”
SecuriThings is a user and entity behavioral analytics solution provider for IoT. It monitors users and the IoT devices themselves. It uses machine learning security algorithms adapted for IoT to identify and mitigate threats.
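Gutman's disruption-of-service scenario (readers pulled into botnets, spending their compute on mining or denial-of-service traffic, or stuck in reboot loops) and the company's point that monitoring every cloud connection is crucial both reduce to the same mechanism: learn each device's normal behaviour, then alert on deviations. The following is an added illustration, not SecuriThings' product code; the telemetry records, device names, destinations and thresholds are all constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed telemetry: one record per polling interval for three biometric door readers.
# Fields: device, interval, cpu %, kilobytes sent, rebooted since last poll, peer it talked to.
# Every value is invented for this example.
TELEMETRY = [
    ("door-A", 1, 12, 30, False, "acs.example"),
    ("door-A", 2, 14, 32, False, "acs.example"),
    ("door-A", 3, 13, 29, False, "acs.example"),
    ("door-A", 4, 15, 31, False, "acs.example"),
    ("door-A", 5, 13, 30, False, "acs.example"),
    ("door-A", 6, 14, 33, False, "acs.example"),
    ("door-B", 1, 10, 28, False, "acs.example"),
    ("door-B", 2, 12, 30, False, "acs.example"),
    ("door-B", 3, 11, 29, False, "acs.example"),
    ("door-B", 4, 11, 31, False, "acs.example"),
    ("door-B", 5, 92, 40, False, "acs.example"),    # sustained CPU: a miner
    ("door-B", 6, 95, 41, False, "pool.example"),   # plus a peer never seen in baseline
    ("door-B", 7, 96, 39, False, "acs.example"),
    ("door-C", 1, 11, 30, False, "acs.example"),
    ("door-C", 2, 13, 31, False, "acs.example"),
    ("door-C", 3, 12, 30, False, "acs.example"),
    ("door-C", 4, 12, 29, False, "acs.example"),
    ("door-C", 5, 20, 9000, False, "acs.example"),  # outbound burst: DoS participant
    ("door-C", 6, 12, 0, True, "acs.example"),      # three reboots in a row: reboot loop
    ("door-C", 7, 12, 0, True, "acs.example"),
    ("door-C", 8, 12, 0, True, "acs.example"),
]

FIELDS = ("dev", "t", "cpu", "kb_out", "rebooted", "dst")
LEARN = 4            # samples per device used to learn its baseline (assumed window)
K = 3.0              # z-score threshold
CPU_SD_FLOOR = 5.0   # a near-zero stdev would make every blip a "spike"
OUT_SD_FLOOR = 50.0
REBOOT_LOOP = 3      # consecutive reboots treated as a loop


def baseline(samples):
    cpus = [s["cpu"] for s in samples]
    outs = [s["kb_out"] for s in samples]
    return {
        "cpu_mean": statistics.mean(cpus),
        "cpu_sd": max(statistics.pstdev(cpus), CPU_SD_FLOOR),
        "out_mean": statistics.mean(outs),
        "out_sd": max(statistics.pstdev(outs), OUT_SD_FLOOR),
        "dsts": {s["dst"] for s in samples},
    }


def detect(telemetry=TELEMETRY, learn=LEARN, k=K):
    """Per-device baseline on the first `learn` samples, then flag later deviations."""
    by_dev = defaultdict(list)
    for row in telemetry:
        by_dev[row[0]].append(dict(zip(FIELDS, row)))
    alerts = set()
    for dev, samples in by_dev.items():
        samples.sort(key=lambda s: s["t"])
        b = baseline(samples[:learn])
        run = 0
        for s in samples[learn:]:
            if (s["cpu"] - b["cpu_mean"]) / b["cpu_sd"] > k:
                alerts.add((dev, "cpu_spike"))
            if (s["kb_out"] - b["out_mean"]) / b["out_sd"] > k:
                alerts.add((dev, "egress_spike"))
            if s["dst"] not in b["dsts"]:
                alerts.add((dev, "unknown_destination"))
            run = run + 1 if s["rebooted"] else 0
            if run >= REBOOT_LOOP:
                alerts.add((dev, "reboot_loop"))
    return sorted(alerts)


if __name__ == "__main__":
    for dev, kind in detect():
        print(f"{dev}: {kind}")
```

The four alert types map directly onto the failure modes described above: a CPU spike for mining, an egress spike for denial-of-service participation, an unknown peer for a device that has started talking to something other than its access-control backend, and a reboot loop for the "non-operational" case. The thresholds are plain z-scores over a four-sample learning window to keep the example readable; a deployment would baseline over days, track more signals, and score the alerts rather than treat them all equally.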