Centre for Internet & Society

There are growing concerns over biometric security in India. We ask the experts if biometrics can really be hacked.

The article by Shaikh Zoaib Saleem was published by Livemint on June 11, 2017. Pranesh Prakash was quoted.

There are growing concerns over biometric security. A compromised password can be changed but not a stolen biometric. We ask experts about biometrics security in India.

Pranesh Prakash, policy director, The Centre for Internet & Society

Biometric devices are not hack-proof. It depends on the ease with which this can be done. In Malaysia, thieves who stole a car with a fingerprint-based ignition system simply chopped off the owner's finger. When a biometric attendance system was introduced at the Institute of Chemical Technology (ICT) in Mumbai, students continued giving proxies by using moulds made from Fevicol.

Earlier this year, researchers at NYU and Michigan State University revealed that they were able to generate a "MasterPrint", which is a "partial fingerprint that can be used to impersonate a large number of users". While there are potential safeguards, they require re-capturing everyone's biometrics.

Even other technologies like iris scanner, gait recognition, face recognition, and others, are getting better, but all have problems. Our laws haven't evolved either, leaving many unanswered questions: who can demand your biometrics and under what circumstances? Can your biometrics be captured without your consent? Who is liable for failure? What remedies does one have?

This is an evolving area of technology studies, and every day new kinds of attacks are discovered. Further, they are probabilistic technologies unlike passwords. Given this, if you seek a reliable identity verification system, it doesn't make sense to deploy a system exclusively based on biometrics.

Umesh Panchal, vice-president, Biomatiques Identification Solutions

Biometric devices are instruments delivering added security check functions over traditional methods and these devices can be hack-proof, if the process of exploiting vulnerabilities to gain unauthorised access to systems or resources, is taken care of. With liveliness detection, iris biometric devices are far more hack-proof than fingerprint devices. Even Pentagon has been hacked. Theoretically, a biometric device can internally store or copy fingerprints or iris scans. Depending upon the use-case and ecosystem, a biometric device can internally store templates. However, the UID system (Unique Identification Authority of India) doesn’t permit storage of any biometric data in any biometric devices.

Several security measures can be incorporated to ensure strong transaction security and end-to-end traceability to prevent misuse. This can be achieved by implementing specification of authentication ecosystem. These include deploying signed application, host and operator authentication, usage of multi-factor authentication, SMS/email alerts, encryption of sensitive data, biometric locking, device identification with unique device identifier for analytics/fraud management, eliminating use of stored biometrics and so on.

For a consumer, the device security is determined by the certification it holds from the competent certification authority.

Bryce Boland, chief technology officer-Asia Pacific, FireEye

Biometrics take many forms. Most often people think biometrics are the actually measured biological feature, but they are actually measurements of a feature turned into a sequence of data that is compared against another set of data. You don’t actually need the physical feature, you need the measurements to generate the sequence of data to make a match. If you can inject that data into a biometric, bypassing the reader, you can potentially trick a biometric system.

Most successful biometric implementations have a controlled enrolment process where identity validation is undertaken, and have physically secured, tamperproof and closely monitored readers. Systems like those used for passport biometric enrolment with restricted deployments of readers at airports are an example. Self-enrollment is prone to fraud. Widely distributed readers are prone to tampering. Insecure paths from readers to central credential repositories are prone to credential theft.

Once biometric information is stolen, it usually cannot be changed. So stolen data can potentially be used for a long time, creating problems. This isn’t the case for airport fingerprint readers, but it is a problem for biometric devices in the hands of the public. The best way to check this is to keep the system’s environment physically secured, tamperproof and closely monitored.

Rajesh Babu, CEO, Mirox Cyber Security & Technology

Biometrics devices can be hacked. They have fingerprint sensors, which only check the pattern. It is possible to recreate these patterns through various techniques. Technically, it is difficult to recreate biometrics from a high-resolution picture. However, by using other image rendering tools we can recreate the patterns. Security experts and hackers have already proved that they can bypass mobile fingerprint scanners using a collection of high-resolution photographs taken from different angles using standard photo cameras to make a latex replica print.

Most of the biometric scanners have a date set of all fingerprints and other identities inside the device database. Not every manufacturer in India undergoes enough security auditing. Most of the companies manufacture low-cost biometric devices which are highly vulnerable. These devices are imported from China and other countries but they do not conduct or go through any security audits in our country. They may have kernel level back doors, which are highly vulnerable and can lead to launch of an any kind of attack, including compromising an organization’s network. Only a handful of companies conduct audits of their products as part of security practice.

Organizations and the government must have a clear and concise Security Devices Policy based on standard applicable laws and regulation framework.