FB pixel

Biometrics company allegedly leaves unhashed fingerprint data of thousands exposed to internet

Biometrics company allegedly leaves unhashed fingerprint data of thousands exposed to internet
 

Unsecured fingerprint biometric data from up to 76,000 people has been left exposed on the internet, as security researcher Anurag Sen detected a web-facing identity server belonging to Brazilian company Antheus Tecnologia, an Automated Fingerprint Identification System (AFIS) developer and distributor, containing nearly 2.3 million data points, including sensitive employee information.

Sen is a researcher for Safety Detectives, who published his findings in a blog post. In addition to fingerprint data, biometric data vulnerabilities including accessible facial recognition data were also found.

The 76,000 unique fingerprint records include Ridge Bifurcation and Ridge ending data, and Safety Detectives suggests that they could be reverse-engineered from their binary records to recreate a full biometric fingerprint image. Two indices were found, possibly indicating two different companies using Antheus server, and logs relating to certain fingerprint scans were discovered, and the records could be reconstructed from index numbers stored on the server.

“The unsecured method in which Antheus Tecnologia stores information is rather alarming considering its importance. It’s even more alarming that Antheus Tecnologia was built and deployed by a security company,” writes Safety Detectives researcher and post author Jim Wilson.

“Instead of saving a hash of the fingerprint (that cannot be reverse-engineered), Antheus is saving people’s actual fingerprints through rudimentary encoding which can then be replicated for malicious purposes.”

The vulnerable server contained roughly 16 gigabytes of data, with 81.5 million records also including administrator login information, employee telephone numbers, email addresses and company emails. Brazil’s national Civil Identification System uses Antheus services for issuing driver’s licenses, and the access portal for onboarding new users is not secured with password protection, according to the report.

Safety Detectives emphasize the importance of fingerprint data, and keeping it secure, in the post.

The vulnerability is reminiscent of the OPM hack, in which a trove of unencrypted biometric records were stolen from the U.S. government agency. It also highlights the importance of liveness detection.

In a statement covered by CNet following the initial reports, an Antheus Tecnologia spokesperson said the fingerprint data was publicly available information obtained from its development team and a NIST dataset.

“There is no sensitive data on this server,” the spokesperson asserts.

The spokesperson also claimed that the data was in fact hashed, making it “cryptographically impossible to obtain the original image.”

Updates at 1:11pm on March 15, 2020 with the statement from Antheus Tecnologia.

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

New PIA for US Secret Service’s use of facial recognition raises questions

The U.S. Department of Homeland Security (DHS) issued a new Privacy Impact Assessment (PIA) for the U.S. Secret Service’s (USSS)…

 

Report explores efforts to curb environmental risks posed by identity documents

In the past couple of years, the identity industry has been involved in efforts to shift away from the use…

 

Malta opposition party demands minister’s resignation over ID card fraud scandal

Malta’s Green Party, ADPD, has intensified its demands for the resignation of a Maltese government minister following revelations of a…

 

Philippines’ central bank enters arbitration over failed ID card project

After the Philippines’ central bank decided to cancel its contract with identification system company AllCard Inc. (ACI) to produce the…

 

Visa biometrics provider VFS in talks to sell minority stake to Temasek

A significant minority stake of about 20 percent in the Blackstone-owned digital services outsourcing company VFS Global might be sold…

 

UK Virgin Islands launch digital transformation tender

Tourist hotspots Thailand, Sri Lanka, the Seychelles and the Virgin Islands are not just offering beaches and sunshine, they are…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events