Hacking biometrics and device IDs together is possible and dangerous: research
New research indicates that it is possible to secretly build rich profiles of people in highly connected homes and other locations not by going after personal biometrics or device identities alone, but by treating the relevant systems as a single, leaky channel.
Efforts to secure face, fingerprint, voice and other biometric identifiers continue, and continue in isolation from efforts to prevent hackers from linking personally identifying information to device identity information, including MAC addresses and cookies, according to a new report.
An international team of researchers conducted two experiments over a month, and found that compound identity leaks from devices can enable criminals to build online and real-world profiles on people by correlating hardware identifications and biometric data.
It was possible, “in certain cases,” to de-anonymize more than 70 percent of device identifications and capture biometric clusters with about 94 percent accuracy, according to the report. The project prototype and code are available here.
The scientists wrote that, “results show that our approach is feasible in two real-world scenarios where face images and voice segments are captured and associated with device MAC addresses.”
Quoting Gartner Inc. research, the paper states that there should be 20 billion IoT devices by year end. Absent a networked camera, the researchers found that it is easy enough to secretly plant common, small sound and/or video sensors to correlate device identifications.
The envisioned attacks could target businesses as well as consumers, although they typically are more levels of information security in environments away from homes.
Chris Xiaoxuan Lu, with the University of Liverpool, led the team, which included scientists from New York University, The Chinese University of Hong Kong and the University of Buffalo, SUNY.