
How to Protect Apps from BioMetric Security Flaws

Aug 19, 2019 3:46:38 PM By Chetan Conikee


Welcome to the world of biometric authentication, where your eyes, ears, and fingerprints are the access code to prove individual identity. Biometric technology will soon become the default identification standard.

Biometric identification is a technology that identifies and authenticates individuals based on physical characteristics. A biometric identification system may rely on fingerprints, iris and retina scans, facial recognition, gait, or voice.

The biometrics market is growing as the technology is being hailed as the new generation of defense for law enforcement against hackers. The biometric market is expected to be worth $32.7 billion by 2022.

Biometrics are definitely better than passwords when it comes to security, but they aren’t fool-proof.

Various financial institutions like Bank of America have started piloting a biometric system from Samsung that scans the iris to determine a person's identity. Wells Fargo and British bank TSB are working on iris scanning for mobile banking as well.

Unique Isn't Enough

Biometrics seem secure on the surface. After all, you’re the only one with your ears, eyes, and fingerprint. But that doesn’t necessarily make them more secure than passwords.

Of course hackers can steal passwords by brute force attacks or phishing, but generally, passwords can be changed in the event of a breach. Biometrics, on the other hand, are immutable (cannot be changed), as they are a machine representation of human characteristics.

In the recent security flaw at a biometrics-based company called Suprema, 28 million records and 23GB of data, including fingerprints, facial recognition data, passwords and security clearance information, were exposed. This exposure puts 5,700 organizations across 83 countries, including the UK Metropolitan Police, at high risk.

The security flaw was picked up by Israeli researchers Noam Rotem and Ran Locar, from VPN review service vpnmentor. In a routine network scan conducted last week, the pair found that Biostar 2’s database was publicly available, and that by manipulating URL search criteria they were able to access nearly 28 million records and 23GB of data, including fingerprints, facial recognition data, passwords and security clearance information.

Speaking to The Guardian, Rotem said that the flaw meant he could change data and add new users, which would allow him to add his own fingerprint to the system and access whatever facilities an original user was permitted to access. He added that not only was the sheer scale of the breach shocking — the service is used in 1.5 million locations around the world — but the nature of the data leak will have future consequences: you can change a password but you can’t change your fingerprint.
— excerpt from post in Engadget, by Rachel England

A data breach is a consequence of data exfiltration due to an attack, a data leak caused by inadvertent configuration or programming errors, or poor design decisions (such as storing sensitive data without encryption).

Programmers certainly have a lot on their plates and while security has been a burning issue in recent times, it hasn’t been their top priority. Although there may be some resistance to expanding their roles in securing software, most want to write secure code but many don’t know what that means. The awareness is restricted to some basic principles: authorization/authentication to sensitive resources, input validation, and data encryption in storage and transit.

In order to reason about data leaks, let's apply first-principles thinking to quantify an application’s surface in four concrete dimensions: entry point(s), data, flow(s) and exit point(s).


An aerial view of information flow in an application

  • An application comprises one or more primary “flows”

  • A flow is a set of functions working in concert with each other to serve a business need. Multiple flows in an ordered sequence represent a primary flow

  • A flow is triggered at an entry point, which marks the beginning of a business process workflow. The entry point could be a web route (e.g., /login, /register, /logout, /followers, /following, /search?q=meme)

  • Upon being triggered, a data model instance is either created, accessed or updated to represent business entities (e.g., customer, fingerprint, retinascan, adSense, tweets, followers, following) participating in the business process (e.g., updateProfile, unFollow, follow). Some data models can be deemed sensitive (based on compliance and regulations). Such sensitive data instances need to be treated with proper care.

Can we, as application or data stewards, confidently answer the following questions about our hosted applications?

Can Secure Coding Measures be Verified Proactively?

  1. Can you identify sensitive data using semantics (based on variable names, entity name and its properties and what business purpose is being served)? e.g. fingerprint, retinascan, facialscan, voicesample
  2. Is the sensitive data instance in question participating in a flow that has no authorization at its entry point?
  3. Is the sensitive data instance leaving through an exit point without being hashed, encrypted, salted or anonymized?
  4. What is the organization-wide strength of the hashing or encryption algorithm? Is it sha1(FIXED_SALT + [data_field]), sha1(PER_USER_SALT + [data_field]) or BCrypt(..)?
  5. If BCrypt(..) , is it consistently used across all applications/micro-services in the organization?
  6. If multiple micro-services of an application are working in concert with each other, what is the defined trust boundary?
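
Questions 1 to 3 can be checked mechanically. The sketch below is an added example, not ShiftLeft's or Ocular's code: it parses a constructed sample with Python's `ast` module and reports entry points that touch sensitive names without authorization, and exits that return them unprotected. The names `route`, `login_required`, `encrypt`, `bcrypt_hash`, `store` and `load` are assumptions made for the illustration.

```python
import ast

SENSITIVE = ("fingerprint", "retinascan", "facialscan", "voicesample")  # names from question 1
AUTH_DECORATORS = {"login_required"}     # assumed name of the authorization decorator
PROTECTORS = {"encrypt", "bcrypt_hash"}  # assumed names of functions that protect data

# Constructed sample application code; it is only parsed, never executed.
SAMPLE = '''
@route("/enroll")
@login_required
def enroll(user, fingerprint):
    return store(encrypt(fingerprint))

@route("/export")
def export(user):
    retinascan = load(user)
    return retinascan
'''

def is_sensitive(name):
    return any(s in name.lower() for s in SENSITIVE)

def decorator_names(func):
    targets = (d.func if isinstance(d, ast.Call) else d for d in func.decorator_list)
    return {t.id for t in targets if isinstance(t, ast.Name)}

def unprotected_names(expr):
    """Sensitive names in expr that are not wrapped in a protector call."""
    if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Name) and expr.func.id in PROTECTORS:
        return set()
    if isinstance(expr, ast.Name):
        return {expr.id} if is_sensitive(expr.id) else set()
    return set().union(*(unprotected_names(c) for c in ast.iter_child_nodes(expr)))

def audit(source):
    findings = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        decs = decorator_names(func)
        if "route" not in decs:
            continue  # not an entry point
        touched = {a.arg for a in func.args.args} | {n.id for n in ast.walk(func) if isinstance(n, ast.Name)}
        touched = sorted(t for t in touched if is_sensitive(t))
        if touched and not decs & AUTH_DECORATORS:
            findings.append((func.name, "no-auth-entry", touched))      # question 2
        for ret in (n for n in ast.walk(func) if isinstance(n, ast.Return) and n.value):
            leaked = unprotected_names(ret.value)
            if leaked:
                findings.append((func.name, "unprotected-exit", sorted(leaked)))  # question 3
    return findings
```

Name matching of this kind only covers direct returns within one function; tracking a value across calls and services requires the data-flow analysis the article goes on to describe.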

ShiftLeft’s Ocular is an application security platform built over the foundational Code Property Graph that is uniquely positioned to deliver a specification model to query for vulnerable conditions, business logic flaws and insider attacks that might exist in your application’s code base.

If you’d like to learn more about ShiftLeft’s Code Property Graph, and how it can be used to help identify SSRF, please request a demo.

 

photo: Pixabay