# Research: Biometric data processing and storage system threats
## Metadata
- **Author:** Kirill Kruglov
- **Institution:** Kaspersky ICS CERT (Industrial Control Systems Cyber Emergency Response Team)
- **Publication:** Kaspersky ICS CERT Reports
- **Date:** December 2, 2019
## Abstract
This research analyzes the cyber threat landscape surrounding information systems used to process and store biometric data (facial recognition, fingerprints, iris scans, etc.). By examining telemetry from computers running biometric software, the study identifies the primary sources of infection, the types of malware encountered, and the specific risks these threats pose to the integrity and confidentiality of biometric templates.
## Research Objective
The study aims to provide an objective assessment of the risks associated with modern biometric authentication systems. It specifically seeks to identify:
1. What types of malware target systems processing biometric data.
2. The primary vectors through which these systems are compromised.
3. The potential impact of these threats on the security of "digital identities."
## Methodology
### Approach
The researchers utilized a statistical analysis of anonymized telemetry data collected from the Kaspersky Security Network (KSN). They identified a subset of computers performing biometric processing tasks and monitored them over a six-month period (H1 2019).
### Dataset/Environment
- **Scope:** Hundreds of thousands of computers worldwide.
- **Selection Criteria:** Systems filtered based on the presence of biometric data processing and storage software (e.g., facial recognition servers, fingerprint enrollment workstations).
- **Timeframe:** First half of 2019.
### Tools & Technologies
- Kaspersky Security Network (KSN) global threat intelligence.
- Heuristic and signature-based detection engines.
- Sandbox environments for malware behavior analysis.
## Key Findings
### Primary Results
1. **High Infection Rate:** On 37% of the computers used to collect, process or store biometric data, at least one malware infection attempt was blocked during the observation period.
2. **Generic, Not Biometric-Specific, Threats:** The malware blocked was ordinary commodity malware rather than tooling written for biometric systems; general-purpose spyware and remote access trojans can nevertheless exfiltrate biometric templates just as they would any other file or memory buffer.
3. **Prevalence of Web-based Threats:** The internet remained the primary infection vector for these systems.
### Supporting Evidence
- **Threat Sources:** Internet (21%), removable media/USB (4.4%) and network shares (3.2%) were the top entry points (share of biometric-processing computers on which threats from that source were blocked).
- **Malware Composition:** Spyware (6.1%), phishing scripts (5.9%) and ransomware (1.5%) were the categories blocked most often (share of biometric-processing computers on which each was detected).
### Novel Contributions
- This research shifts the focus from theoretical "presentation attacks" (spoofing a sensor with a mask/photo) to the **infrastructure-level vulnerabilities** where biometric data is stored and processed as digital files.
## Technical Details
The research highlights that biometric systems often run on standard operating systems (Windows/Linux) and are susceptible to:
- **Remote Access Trojans (RATs):** Once resident on a capture workstation, a RAT can read frames or scan data from the camera or scanner buffers before the application encrypts them, and can forward them to the attacker like any other file.
- **Insecure Databases:** Most systems store "templates" (mathematical representations of the feature) rather than raw images. A template is not the image, but template-inversion techniques can reconstruct an approximation of the face or fingerprint from it, and a stolen template can be replayed into any system that accepts the same template format and does not bind templates to the device that captured them.
## Practical Implications
### For Security Practitioners
- Permanence, not uniqueness, is the central weakness of biometrics: a person cannot rotate their fingerprint or face the way a password is rotated, so a breach of unprotected templates is irreversible for the people enrolled. Only templates stored under a renewable transform (the "renewability" requirement of ISO/IEC 24745) can be revoked and re-issued after a leak.
- Systems that process biometrics must be treated as high-value targets (HVTs) and placed in isolated network segments.
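The two points that recur in this summary, a stolen template being replayed and a leaked template that cannot be changed, are easier to reason about with a small model. The following Go program is an added example written for this summary, not code from the Kaspersky report or from any biometric vendor; the feature vectors, the Euclidean matcher, the threshold and the site keys are all constructed for the demo. It shows a plaintext template being accepted as a probe (replay), then a key-derived signed permutation used as a simple stand-in for an ISO/IEC 24745-style renewable template transform, under which a genuine re-capture still matches, a template stolen from one site is rejected at another, and rotating the key revokes a leaked template.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"math"
)

// Template is a toy feature vector standing in for a vendor SDK's face or
// fingerprint template; the values below are constructed for the demo.
type Template []float64

// distance is the Euclidean distance the toy matcher scores on.
func distance(a, b Template) float64 {
	sum := 0.0
	for i := range a {
		d := a[i] - b[i]
		sum += d * d
	}
	return math.Sqrt(sum)
}

// matches accepts a probe within threshold of the stored reference.
func matches(stored, probe Template, threshold float64) bool {
	return distance(stored, probe) <= threshold
}

// prf derives 32 deterministic bytes from an installation secret and a label.
func prf(key []byte, label string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// protect applies a key-derived signed permutation (Fisher-Yates over keyed bytes,
// one sign bit per coordinate). It is an isometry, so distances under one key are
// unchanged, while the stored vector depends on the key and can be re-issued by
// rotating it. It is invertible with the key, so it only stands in for the
// non-invertible transforms that real renewable template schemes use.
func protect(t Template, key []byte) Template {
	n := len(t)
	if n > 32 {
		panic("toy transform consumes one HMAC output per vector: n <= 32")
	}
	permBytes, signBytes := prf(key, "perm"), prf(key, "sign")
	perm := make([]int, n)
	for i := range perm {
		perm[i] = i
	}
	for i := n - 1; i > 0; i-- { // modulo bias is acceptable for a toy
		j := int(permBytes[i]) % (i + 1)
		perm[i], perm[j] = perm[j], perm[i]
	}
	out := make(Template, n)
	for i := range out {
		out[i] = t[perm[i]]
		if signBytes[i]&1 == 1 {
			out[i] = -out[i]
		}
	}
	return out
}

// Constructed sample data: an enrolled vector and a genuine re-capture with
// +0.02 sensor noise per coordinate (distance about 0.057; threshold 0.1).
var (
	enrolled     = Template{0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8}
	genuineProbe = Template{0.12, 0.22, 0.32, 0.42, 0.52, 0.62, 0.72, 0.82}
)

const threshold = 0.1

// plaintextReplay: a template copied out of an unprotected database is accepted as a probe outright.
func plaintextReplay() bool { return matches(enrolled, enrolled, threshold) }

// protectedGenuine: a fresh genuine capture still matches under the site key.
func protectedGenuine(key []byte) bool {
	return matches(protect(enrolled, key), protect(genuineProbe, key), threshold)
}

// crossSiteReplay: a protected template stolen from site A is injected into site B's
// capture path, so B transforms it under its own key before matching.
func crossSiteReplay(keyA, keyB []byte) bool {
	stolen := protect(enrolled, keyA)
	return matches(protect(enrolled, keyB), protect(stolen, keyB), threshold)
}

// revokedReplay: after a leak, site A re-enrolls under a new key; the leaked vector
// no longer matches even when fed straight to the matcher.
func revokedReplay(oldKey, newKey []byte) bool {
	return matches(protect(enrolled, newKey), protect(enrolled, oldKey), threshold)
}

func main() {
	keyA, keyB, keyA2 := []byte("site-A-secret"), []byte("site-B-secret"), []byte("site-A-secret-v2")
	fmt.Println("plaintext replay accepted:     ", plaintextReplay())
	fmt.Println("genuine match under key A:     ", protectedGenuine(keyA))
	fmt.Println("site A template replayed at B: ", crossSiteReplay(keyA, keyB))
	fmt.Println("leaked template after rotation:", revokedReplay(keyA, keyA2))
}
```

The sample vector has distinct coordinates 0.1 apart, so any signed permutation other than the identity moves it by at least 0.141, comfortably above the 0.1 threshold, which is why the cross-site and post-rotation replays fail while the genuine probe (distance 0.057) still matches. The matcher itself never changes; only what is stored and what a stolen copy is worth do.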
### For Defenders
- **Network isolation:** Where possible, keep biometric processing workstations and servers off the public internet, the top infection source in the telemetry; where a true air gap is impractical, segment them and restrict egress to the hosts they actually need.
- **Strict media control:** Block unauthorized USB devices with an allow-list of the enrollment scanners actually in use; removable media was the second largest infection source.
- **Encryption:** Encrypt templates end to end from the capture device (sensor) to the storage database, using authenticated encryption that binds each record to the capturing device and a sequence number, so that an intercepted record can be neither replayed nor attributed to another device.
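An added example of the last bullet, written in Go for this summary rather than taken from the report or any vendor: a sensor seals each template with AES-256-GCM, authenticating its sensor ID and a per-sensor counter as associated data, and the template store rejects replayed records by counter and rejects records relabelled with another sensor's ID or modified in transit because GCM authentication fails. Sensor IDs, keys and the template bytes are constructed; key provisioning and rotation are assumed to exist outside the snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Capture is the record a sensor ships to the template store: the template
// sealed with AES-256-GCM. Sensor ID and counter travel in the clear but are
// authenticated as associated data, so they cannot be altered unnoticed.
type Capture struct {
	SensorID string
	Counter  uint64
	Nonce    []byte
	Sealed   []byte
}

// aad binds the ciphertext to its origin device and sequence number.
func aad(sensorID string, counter uint64) []byte {
	buf := make([]byte, 8, 8+len(sensorID))
	binary.BigEndian.PutUint64(buf, counter)
	return append(buf, sensorID...)
}

// gcm returns AES-256-GCM for a 32-byte key; a wrong key length is a configuration error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Sensor is the capture side: one key per device, one monotonic counter per key.
type Sensor struct {
	ID   string
	Key  []byte
	next uint64
}

// Seal encrypts a freshly captured template under a random 96-bit nonce.
// With random nonces the key should be rotated well before 2^32 captures.
func (s *Sensor) Seal(template []byte) Capture {
	g := gcm(s.Key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.next++ // counters start at 1 so an unseen sensor (last = 0) accepts its first capture
	c := Capture{SensorID: s.ID, Counter: s.next, Nonce: nonce}
	c.Sealed = g.Seal(nil, nonce, template, aad(s.ID, s.next))
	return c
}

var ErrUnknownSensor = errors.New("capture from unknown sensor")
var ErrReplay = errors.New("counter not fresh: replayed or reordered capture")

// Store is the database side: per-sensor keys and the highest counter accepted.
type Store struct {
	Keys     map[string][]byte
	LastSeen map[string]uint64
}

// Open verifies and decrypts a capture. A replayed record fails the counter
// check; a record relabelled with another sensor's ID or modified in transit
// fails GCM authentication because key, associated data and tag no longer agree.
func (st *Store) Open(c Capture) ([]byte, error) {
	key, ok := st.Keys[c.SensorID]
	if !ok {
		return nil, ErrUnknownSensor
	}
	if c.Counter <= st.LastSeen[c.SensorID] {
		return nil, ErrReplay
	}
	plain, err := gcm(key).Open(nil, c.Nonce, c.Sealed, aad(c.SensorID, c.Counter))
	if err != nil {
		return nil, fmt.Errorf("capture %s#%d: %w", c.SensorID, c.Counter, err)
	}
	st.LastSeen[c.SensorID] = c.Counter // advance only after authentication succeeds
	return plain, nil
}

func main() {
	gate := &Sensor{ID: "gate-01", Key: []byte("0123456789abcdef0123456789abcdef")} // constructed key
	store := &Store{Keys: map[string][]byte{gate.ID: gate.Key}, LastSeen: map[string]uint64{}}
	c := gate.Seal([]byte("constructed-template-bytes"))
	_, first := store.Open(c)
	_, replay := store.Open(c) // the same record delivered again
	fmt.Println("first delivery:", first, "| replay:", replay)
}
```

The counter check runs before any decryption, so a flood of replayed records costs the store a map lookup each, and the counter is only advanced after a record authenticates, so a forged or tampered record cannot poison the replay window. The scheme assumes one store per sensor key and a counter that survives sensor restarts; where that does not hold, have the store issue a challenge nonce per capture instead.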
### For Researchers
- There is a need for better "liveness detection" that integrates with the software stack, not just the hardware sensor.
- Further study into the security of "biometrics-as-a-service" cloud models is required.
## Limitations
- The study relies on telemetry from systems already running Kaspersky products; it may not capture attacks on completely unprotected or highly isolated proprietary systems.
- The data counts blocked detections of generic malware; it does not establish how many systems were actually compromised, or whether any targeted espionage campaign against biometric databases succeeded.
## Comparison to Prior Work
Unlike most biometric research which focuses on **False Acceptance Rates (FAR)** or **False Rejection Rates (FRR)**, this study focuses on **Information Security (InfoSec)**—viewing biometric data as a digital asset prone to traditional hacking, rather than just a physical spoofing challenge.
## Real-world Applications
- **Access Control:** Critical infrastructure facilities using facial recognition for entry.
- **Border Control:** Electronic gates and visa processing centers.
- **Corporate IT:** Biometric logins for workstations and mobile device management.
## Future Work
- Analysis of how mobile biometric authentication (Face ID, Touch ID) is integrated into corporate environments and of the security of those integrations.
- Investigating the impact of Deepfakes on the reliability of biometric facial recognition systems.
## References
- Kaspersky ICS CERT: hxxps://ics-cert[.]kaspersky[.]com/
- ISO/IEC 24745: Information technology — Security techniques — Biometric information protection.