Biometrics company allegedly leaves unhashed fingerprint data of thousands exposed to internet
Unsecured fingerprint biometric data from up to 76,000 people has been left exposed on the internet, as security researcher Anurag Sen detected a web-facing identity server belonging to Brazilian company Antheus Tecnologia, an Automated Fingerprint Identification System (AFIS) developer and distributor, containing nearly 2.3 million data points, including sensitive employee information.
Sen is a researcher for Safety Detectives, who published his findings in a blog post. In addition to fingerprint data, biometric data vulnerabilities including accessible facial recognition data were also found.
The 76,000 unique fingerprint records include Ridge Bifurcation and Ridge ending data, and Safety Detectives suggests that they could be reverse-engineered from their binary records to recreate a full biometric fingerprint image. Two indices were found, possibly indicating two different companies using Antheus server, and logs relating to certain fingerprint scans were discovered, and the records could be reconstructed from index numbers stored on the server.
“The unsecured method in which Antheus Tecnologia stores information is rather alarming considering its importance. It’s even more alarming that Antheus Tecnologia was built and deployed by a security company,” writes Safety Detectives researcher and post author Jim Wilson.
“Instead of saving a hash of the fingerprint (that cannot be reverse-engineered), Antheus is saving people’s actual fingerprints through rudimentary encoding which can then be replicated for malicious purposes.”
The vulnerable server contained roughly 16 gigabytes of data, with 81.5 million records also including administrator login information, employee telephone numbers, email addresses and company emails. Brazil’s national Civil Identification System uses Antheus services for issuing driver’s licenses, and the access portal for onboarding new users is not secured with password protection, according to the report.
Safety Detectives emphasize the importance of fingerprint data, and keeping it secure, in the post.
The vulnerability is reminiscent of the OPM hack, in which a trove of unencrypted biometric records were stolen from the U.S. government agency. It also highlights the importance of liveness detection.
In a statement covered by CNet following the initial reports, an Antheus Tecnologia spokesperson said the fingerprint data was publicly available information obtained from its development team and a NIST dataset.
“There is no sensitive data on this server,” the spokesperson asserts.
The spokesperson also claimed that the data was in fact hashed, making it “cryptographically impossible to obtain the original image.”
Updates at 1:11pm on March 15, 2020 with the statement from Antheus Tecnologia.