Massive Data Breach Exposes Sensitive Information of Indian Law Enforcement Officials

 

Recently, a significant data breach compromised the personal information of thousands of law enforcement officials and police officer applicants in India. Discovered by security researcher Jeremiah Fowler, the breach exposed sensitive details such as fingerprints, facial scans, signatures, and descriptions of tattoos and scars. Alarmingly, around the same time, cybercriminals advertised the sale of similar biometric data on Telegram. 

The breach was traced to an exposed web server linked to ThoughtGreen Technologies, an IT firm with offices in India, Australia, and the United States. Fowler found nearly 500 gigabytes of data, encompassing 1.6 million documents dating from 2021 to early April. This data included personal information about various professionals, including teachers, railway workers, and law enforcement officials. Among the documents were birth certificates, diplomas, and job applications. 

Although the server has been secured, the incident highlights the risks of collecting and storing biometric data and the potential misuse if leaked. “You can change your name, you can change your bank information, but you can't change your actual biometrics,” Fowler noted. This data, if accessed by cybercriminals, poses a long-term risk, especially for individuals in sensitive law enforcement roles. Prateek Waghre, executive director of the Internet Freedom Foundation, emphasized the extensive biometric data collection in India and the heightened security risks for law enforcement personnel. 

If compromised, such data can be misused to gain unauthorized access to sensitive information. Fowler also found a Telegram channel advertising the sale of Indian police data, including specific individuals’ information, shortly after the database was secured. The structure and screenshots of the data matched what Fowler had seen. For ethical reasons, he did not purchase the data, so he could not fully verify its authenticity.

In response, ThoughtGreen Technologies stated, “We take data security very seriously and have taken immediate steps to secure the exposed data.” The company promised a thorough investigation to prevent future incidents but did not provide specific details. It also reported the breach to Indian law enforcement but did not specify which organization was contacted. When shown a screenshot of the Telegram post, the company claimed it was “not our data.” Telegram did not respond to requests for comment.

Shivangi Narayan, an independent researcher, stressed the need for more robust data protection laws and better data handling practices by companies. Data breaches are so frequent that they no longer shock people, as evidenced by a recent face-recognition data breach involving an Indian police force.

Globally, as governments and organizations increasingly use biometric data for identity verification and surveillance, the risk of data leaks and abuse rises. For example, a recent face recognition leak in Australia affected up to a million people and led to a blackmail charge. Many countries are also looking at biometric verification for identities, and all of that information has to be stored somewhere. If they decide to farm it out to a third-party company, they lose control of that data.

Researchers Unveil Sound-Based Attack: Swipe Sounds Used to Recreate Fingerprints

 

A group of researchers from China and the US has introduced an intriguing new method for compromising biometric security systems. Their study, titled "PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound," presents a novel side-channel attack aimed at the sophisticated Automatic Fingerprint Identification System (AFIS). 

This attack exploits the sound produced by a user's finger swiping across a touchscreen to extract fingerprint pattern details. In testing, the researchers claim the attack can compromise "up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%." This research marks the first instance of utilizing swiping sounds to deduce fingerprint information.

Fingerprint biometric security measures are prevalent and widely trusted, with projections suggesting the fingerprint authentication market could reach nearly $100 billion by 2032. However, with growing awareness of potential fingerprint theft, individuals and organizations are becoming more cautious about exposing their fingerprints, even in photographs.

In the absence of direct access to fingerprints or detailed finger images, attackers have found a new avenue for obtaining fingerprint data to bolster dictionary attacks like MasterPrint and DeepMasterPrint. The PrintListener study reveals that "finger-swiping friction sounds can be captured by attackers online with a high possibility," using common communication apps such as Discord, Skype, WeChat, and FaceTime. By exploiting these sounds, the researchers developed PrintListener, a sophisticated attack method.

PrintListener overcomes significant challenges, including capturing faint friction sounds, separating fingerprint influences from other user characteristics, and advancing from primary to secondary fingerprint features. The researchers achieved this through the development of algorithms for sound localization, feature extraction, and statistical analysis.

Through extensive real-world experiments, PrintListener demonstrates remarkable success rates in compromising fingerprint security, surpassing unassisted dictionary attacks. This research underscores the importance of addressing emerging threats to biometric authentication systems and developing robust countermeasures to safeguard sensitive data.