FB pixel

Biometrics company allegedly leaves unhashed fingerprint data of thousands exposed to internet

Biometrics company allegedly leaves unhashed fingerprint data of thousands exposed to internet

Unsecured fingerprint biometric data from up to 76,000 people has been left exposed on the internet, as security researcher Anurag Sen detected a web-facing identity server belonging to Brazilian company Antheus Tecnologia, an Automated Fingerprint Identification System (AFIS) developer and distributor, containing nearly 2.3 million data points, including sensitive employee information.

Sen is a researcher for Safety Detectives, who published his findings in a blog post. In addition to fingerprint data, biometric data vulnerabilities including accessible facial recognition data were also found.

The 76,000 unique fingerprint records include Ridge Bifurcation and Ridge ending data, and Safety Detectives suggests that they could be reverse-engineered from their binary records to recreate a full biometric fingerprint image. Two indices were found, possibly indicating two different companies using Antheus server, and logs relating to certain fingerprint scans were discovered, and the records could be reconstructed from index numbers stored on the server.

“The unsecured method in which Antheus Tecnologia stores information is rather alarming considering its importance. It’s even more alarming that Antheus Tecnologia was built and deployed by a security company,” writes Safety Detectives researcher and post author Jim Wilson.

“Instead of saving a hash of the fingerprint (that cannot be reverse-engineered), Antheus is saving people’s actual fingerprints through rudimentary encoding which can then be replicated for malicious purposes.”

The vulnerable server contained roughly 16 gigabytes of data, with 81.5 million records also including administrator login information, employee telephone numbers, email addresses and company emails. Brazil’s national Civil Identification System uses Antheus services for issuing driver’s licenses, and the access portal for onboarding new users is not secured with password protection, according to the report.

Safety Detectives emphasize the importance of fingerprint data, and keeping it secure, in the post.

The vulnerability is reminiscent of the OPM hack, in which a trove of unencrypted biometric records were stolen from the U.S. government agency. It also highlights the importance of liveness detection.

In a statement covered by CNet following the initial reports, an Antheus Tecnologia spokesperson said the fingerprint data was publicly available information obtained from its development team and a NIST dataset.

“There is no sensitive data on this server,” the spokesperson asserts.

The spokesperson also claimed that the data was in fact hashed, making it “cryptographically impossible to obtain the original image.”

Updates at 1:11pm on March 15, 2020 with the statement from Antheus Tecnologia.

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News


HumanCode AI sued for alleged misuse of Redrock Biometrics technology

Forgame Holdings Limited, a company listed on the Hong Kong Stock Exchange and a shareholder of Redrock Biometrics, is initiating…


Kenya contracts Idemia for faster biometric police clearance certificates

The Kenya Police Service says it is working to put in place a new biometric system that will accelerate the…


Nepal MPs say popularize national ID before mandating for service access

Some lawmakers in Nepal are unhappy that the government is in a rush to make the national digital ID card…


DHS awards SVIP contract to Procivis for decentralized identity software

Procivis AG, a subsidiary of Swiss institution Orell Füssli, has been awarded a tender through the U.S. Department of Homeland…


IDnow rides online betting wave from UEFA Euro Championship

IDnow is capitalizing on UEFA European Football Championship fever, registering over eight times more identity verification requests on sports betting…


Android 15 integrates biometric security across the board

In the latest Android 15 Beta 3 release, significant progress has been made in the area of biometric authentication. In…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events