FB pixel

Biometrics company allegedly leaves unhashed fingerprint data of thousands exposed to internet

Biometrics company allegedly leaves unhashed fingerprint data of thousands exposed to internet
 

Unsecured fingerprint biometric data from up to 76,000 people has been left exposed on the internet, as security researcher Anurag Sen detected a web-facing identity server belonging to Brazilian company Antheus Tecnologia, an Automated Fingerprint Identification System (AFIS) developer and distributor, containing nearly 2.3 million data points, including sensitive employee information.

Sen is a researcher for Safety Detectives, who published his findings in a blog post. In addition to fingerprint data, biometric data vulnerabilities including accessible facial recognition data were also found.

The 76,000 unique fingerprint records include Ridge Bifurcation and Ridge ending data, and Safety Detectives suggests that they could be reverse-engineered from their binary records to recreate a full biometric fingerprint image. Two indices were found, possibly indicating two different companies using Antheus server, and logs relating to certain fingerprint scans were discovered, and the records could be reconstructed from index numbers stored on the server.

“The unsecured method in which Antheus Tecnologia stores information is rather alarming considering its importance. It’s even more alarming that Antheus Tecnologia was built and deployed by a security company,” writes Safety Detectives researcher and post author Jim Wilson.

“Instead of saving a hash of the fingerprint (that cannot be reverse-engineered), Antheus is saving people’s actual fingerprints through rudimentary encoding which can then be replicated for malicious purposes.”

The vulnerable server contained roughly 16 gigabytes of data, with 81.5 million records also including administrator login information, employee telephone numbers, email addresses and company emails. Brazil’s national Civil Identification System uses Antheus services for issuing driver’s licenses, and the access portal for onboarding new users is not secured with password protection, according to the report.

Safety Detectives emphasize the importance of fingerprint data, and keeping it secure, in the post.

The vulnerability is reminiscent of the OPM hack, in which a trove of unencrypted biometric records were stolen from the U.S. government agency. It also highlights the importance of liveness detection.

In a statement covered by CNet following the initial reports, an Antheus Tecnologia spokesperson said the fingerprint data was publicly available information obtained from its development team and a NIST dataset.

“There is no sensitive data on this server,” the spokesperson asserts.

The spokesperson also claimed that the data was in fact hashed, making it “cryptographically impossible to obtain the original image.”

Updates at 1:11pm on March 15, 2020 with the statement from Antheus Tecnologia.

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Alexa, sue Amazon: tech giant faces class action over voice recordings

Users of Amazon’s Alexa are clear to pursue a class action over allegedly illegal recordings of private conversations. In Seattle,…

 

Epic Games provides Yoti facial age estimation to Bluesky for UK users

Social media platform Bluesky has selected Epic Games’ software, including biometrics-based age estimation from Yoti, to ensure its compliance with…

 

RealSense targets robotics, 3D facial recognition security with $50M in hand

RealSense has cut the cord tying it to Intel Corp, where the 3D camera company was born, with $50 million…

 

Will Congress reaffirm US cyber threat sharing framework before it’s too late?

As the September 30 expiration date for the Cybersecurity Information Sharing Act of 2015 (CISA 2015) rapidly approaches, Congress faces…

 

World pauses German operations for Orb update amid regulatory faceoff

World is facing a potential cease-and-desist order in the Philippines, and has put its iris scanning stations on hold in…

 

QR-based digital ID drives transformation in Khyber Pakhtunkhwa

The Khyber Pakhtunkhwa province of Pakistan is taking broader moves toward digital transformation with the launch of the Khyber Pass…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Biometric Market Analysis

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events