
[Music] Sadly, under interrogation here, I need to talk about biometrics and some of the problems that are inherent with biometrics that a lot of us just may not think about, which is what I have coined "the fantastic failure point of the future." Before we get started with that, I found something very interesting in preparing for this talk: biometrics has a very long history. It's been around for over 4,000 years. Fingerprints were used to prevent forgery way back in 2000 BC; they were used in Syria, where you put your thumb on a clay tablet. It's been used forever. By 650 AD it was already being used to solve crimes. In the mid-1800s it was used for identification of individuals. In the '60s we got voice recognition, in the '80s we got retina and iris scans, in the 2000s we got facial recognition. Facial recognition was actually more used for identifying individuals in crowds as opposed to any kind of authorization or any kind of biometric factor. And the thing that changed it all for most of us was 2013, when Apple introduced Touch ID. It was a highly distributed, easily available, very reliable biometric.

Through these times there hasn't been a lot of consideration of some of the fallbacks of this. There's been some at the military level: how you deal with identity fraud, how you can improve the detection mechanisms to determine whether that is someone's fingerprint, whether facial recognition is just a picture, those types of things. But all these things create a singular problem, and the specific problem that biometrics have is in being stolen. So, Yahoo: in 2014 (they announced it last year, but it was in 2014) they had 500 million user records stolen. This crowd probably knows that better than most. In those user records were things that people use to verify an individual, right? Knowledge factors, the security questions, date of birth. This was part of the records that were stolen, half a billion. If there were biometric data in there, that'd be a serious problem. Fortunately, though, no biometric data. Anthem, last year: 78.8 million records, including some biometrics, a lot of history information. When you steal medical records you get a lot of people's history: where they've lived, who their parents are, who they've had contact with. A lot of information you can use for social engineering without actually having to do the social engineering part; the data is already there for you.

On biometrics, the worst one so far, as far as I can see, is the Office of Personnel Management. If anyone here has a security clearance, is your security clearance more than two years old? Then if you submitted your fingerprints, it's possible that they're out there, and you probably have this wonderful stuff that says "we'll protect you against someone stealing your identity." That's what they've basically done so far. But the other problem is that biometrics and multi-factor authentication are becoming more and more the norm, and they're going to be required, right? NIST has said the only way to stop these credential problems is you have to have multi-factor authentication, true multi-factor, which includes biometrics. If your information was in those files that were taken, then you're at risk from this point on. And this particular breach is the one that we know about. The reason that it's going to become such a target in the future is that biometrics are more valuable than passwords over time.

So when you think about passwords and what passwords are worth, they have an immediate high value. Before the breach is discovered they are worth a lot of money, and the reason they're worth a lot of money is because until the breach is discovered and the users change their passwords, you have access to their accounts. The other thing that you have access to is every other account that individual has that shares the same password. 60% of people on the planet use the same password for more than one thing, and most of them use the same password on some social site as they do for their email. So if you go grab that, you can grab their email, you can grab their bank account; you've now owned that user and you're able to do just terrible, terrible things. But once the breach is known, the value of that password goes down over time, because most individuals will change their passwords. Today when these breaches happen you're actually told to go change every other account that has that password. It didn't use to say that, but now they're saying that.

Biometrics are very different. The value of a biometric increases over time. Even an unencrypted one has a value today, but there's not a whole lot of people using biometrics, so you couldn't actually use it to forge access. But over time, as it's required more and more, if you have some of the fingerprints, that fingerprint becomes more valuable. And those individuals that are at a certain level when that was taken, let's say today, last year, the next year or two, some of those individuals are going to become very high-profile individuals. Imagine if you've got the biometric fingerprint of, let's say, the head of the Harvard Law Review, right? Ten, fifteen years later he's the President of the United States. So the biometric never changes. If you've got their passwords, they would change their password; they can't change their fingerprint. You can't change your fingerprint. There are certain things you can do to your facial characteristics to change them, but the whole idea of a biometric is it belongs to an individual, it is unique to that individual, and it can't change.

But even if you take a look at encrypted data: the thing that we do to protect data is that we encrypt it. But over a period of years that fingerprint doesn't change, your biometrics don't change; encryption technology and computer technology change. I would say 90% of the people in this conference, anyone who's a decent hacker, could brute force any crypto from 1970, all right? I think that would be a real no-brainer; you'd be able to bust hashes from 1970. I don't think that's going to be a problem. So if you steal the identity of a 30-year-old today, or a 20-year-old, in 20 years, 30 years, 40 years it becomes less and less expensive to actually utilize that data. It can sit around forever because it doesn't have a shelf life, right? It gets better with age, and it gets easier to crack and less expensive to crack. So it's a very, very scary thing, and what that means is that we have to protect biometrics better than passwords.

Today, if you're a security professional, you're trying to buy yourself three days, right? You're putting in these cracking techniques that will protect the users of terrible passwords for three days, because when you get a password list you can run it against the top hundred, the top 500, whatever that is. Some of your users are going to get pwned early, some of them are going to get pwned late; hopefully most of the people that are using bad passwords don't get pwned before they find out that their password needs to be changed. It doesn't work with biometrics, all right? You can't go change it.

So there's a few things that you can do and that you can think of. Most of us probably aren't writing biometric systems; if you are, you probably know about all of this. But you may be told, or have been given the mandate, that you have to implement multi-factor authentication that must include biometrics, right? If you're in banking, if you're in medical, if you're in any sort of finance or any side of security, you're going to have to do multi-factor authentication, and there's things that you should really think about in protecting your users and protecting yourself. Your own biometrics are going to be in the system, so think about that.

One of the things that you can do is you can create knowledge-based entropy via what's called private biometrics. There's been a way where, when you do your encryption, you don't have blanket encryption, right? The way that we create entropy, right, is you have an initialization vector that's different across all of your encryption. One of the things that you can do is make that very unique and not have that stored anywhere, so it's much harder to crack, it requires brute force, because you can do that via a PIN that someone's going to enter, right? A knowledge factor that someone's going to enter, that only the user that biometric belongs to should know, and you can use that to encrypt that biometric. So it makes it much more difficult to decrypt. But again, over time, encryption doesn't really mean much.

So one thing that you can do is you can obfuscate the relationship between the biometric and the individual. Don't have a very easy to determine one-to-one account. So this is one way: you can use that knowledge factor given to you by the user and use that to create a hash, and that's how you identify which biometric to use for that user. You're going to be able to crack that biometric; that biometric is going to be able to be decrypted in 30 years, 40 years, maybe even ten years, right, the way we're moving towards quantum computing. We're all nervous about quantum. But if you can find a way to break that tie between the user and their biometric and make that much more difficult to understand, that's going to give you an advantage. It's not going to solve everything, but it's going to give you an advantage, because again, the biometric's value is just going to rise over time.

And because of that, there's something very important that you can do. I would say it's not an easier thing to do, it's much harder, but what you can do is you can decentralize biometric stores. What that means is that you don't have a central repository, right? The reason that passwords are so valuable is because you can go grab them all. You can run this top 100 passwords or top 500 passwords, you can try and see which accounts have these top 500 passwords, and you can hope that that individual has the same for their email; they might have the same thing for their bank account. You try and log in with their email and their password at the top five banks, you might find it there. But if you decentralize, then you're going to have to go after these decentralized stores.

And that brings us back to this device. Mobile devices are reasonably secure. If I was going to try and steal a biometric from you, I would probably not get it from your phone; I'd find a way to get it from your finger, all right? I'd find a way to take a 3D image of your face before I'd try and crack your phone. But these devices are very good at holding secure information. They're very good at verifying fingerprints. Selfie cams today are over a megapixel; that's enough information, especially if you take multiple frames, to get a good 3D image, to get facial recognition. Last year Bank of America came out with this great selfie thing, right, the selfie auth thing, because they're using a smartphone, because the technology is there. I feel uncomfortable with anything that I have to constantly sign in to, but I can't just use my thumbprint on my phone; it's become expected, all right? These devices have changed everything as far as biometrics is concerned.

But what most of the services do today, with the exception of the actual fingerprint reader, is they'll take your picture and they'll send it off to a central service to verify and validate. They'll listen to your voice, they'll send it to a central service that will verify and validate. What you can do is you can do this all in the device. If you create a good enough way to link the device and understand, yes, I have a high level of confidence that this is the user for this device, I can trust that the device can make those determinations as to whether or not this is the same person as in their photo, then I can use the biometrics that are inherent in that device. With a thumbprint reader I can do certain things; some of them can even determine your pulse, heart rate, all those types of things. That confuses biometrics today. We can leverage this device as a decentralized store that protects you and your users from being owned by a massive grab like the OPM grab, that even people in this room here are vulnerable to. And as individuals, I think we need to ask for this, right? We should be in control of our own destiny. When you own your own data store for your biometrics, you're in control of your own destiny. Some of us do that; there are cards that will do it as well, hold it there. There's a couple of different ways you can do that outside of the smartphone. The smartphone puts everything in one place, right, where you're not going to have to transmit data across and make that susceptible to being grabbed. It all happens, it all verifies, it's all local. Any questions? There should be a lot. No questions? Okay.
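The private-biometrics idea from the talk (a PIN-derived key that encrypts each template under its own IV, and a hash of the knowledge factor as the record locator so the store carries no plain user-to-template link), as an added Python example that is not the speaker's code. It assumes a deployment-wide secret pepper kept outside the template database and a constructed byte-string template, and it uses an HMAC-SHA256 keystream in place of a real AEAD cipher so it runs on the standard library alone.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

KDF_ROUNDS = 100_000  # PBKDF2 iteration count, chosen for this example


def derive_keys(pin: str, user_id: str, pepper: bytes) -> tuple[bytes, bytes]:
    """Stretch the PIN into an encryption key and a lookup key. `pepper` is a
    deployment-wide secret kept in app config, not in the template database
    (an assumption here). Neither derived key is stored anywhere, so a stolen
    database forces a per-record brute force of the PIN."""
    salt = pepper + user_id.encode()
    material = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ROUNDS, dklen=64)
    return material[:32], material[32:]


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream; a stand-in for a real
    AEAD cipher (AES-GCM) so the block runs on the standard library alone."""
    stream = b"".join(
        hmac.new(key, iv + n.to_bytes(4, "big"), "sha256").digest()
        for n in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


class PrivateBiometricStore:
    """Holds no plaintext templates and no visible user-to-template link."""

    def __init__(self, pepper: bytes):
        self.pepper = pepper
        self.records: dict[str, tuple[bytes, bytes, bytes]] = {}  # locator -> (iv, ct, tag)

    def _locator(self, lookup_key: bytes, user_id: str) -> str:
        # Keyed hash as the record index: the table alone does not say whose record is whose.
        return hmac.new(lookup_key, user_id.encode(), "sha256").hexdigest()

    def enroll(self, user_id: str, pin: str, template: bytes) -> None:
        enc_key, lookup_key = derive_keys(pin, user_id, self.pepper)
        iv = secrets.token_bytes(16)  # fresh per record; stored, but not secret
        ct = keystream_xor(enc_key, iv, template)
        tag = hmac.new(enc_key, iv + ct, "sha256").digest()  # encrypt-then-MAC
        self.records[self._locator(lookup_key, user_id)] = (iv, ct, tag)

    def fetch_template(self, user_id: str, pin: str) -> bytes | None:
        """Decrypted template, or None if the user/PIN pair is wrong or the record was altered."""
        enc_key, lookup_key = derive_keys(pin, user_id, self.pepper)
        rec = self.records.get(self._locator(lookup_key, user_id))
        if rec is None:
            return None
        iv, ct, tag = rec
        if not hmac.compare_digest(tag, hmac.new(enc_key, iv + ct, "sha256").digest()):
            return None
        return keystream_xor(enc_key, iv, ct)
```

A wrong PIN yields a different locator, so the lookup misses rather than returning garbage, and a tampered record fails the tag check before any decryption result is trusted.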
So what I'm suggesting is that you have very secure communication and very good identification between the device and the authorization system, the linking process between the authorization system and the device. You create basically bulletproof, rock-solid communication there, with a good linking process to be able to understand it is the correct user, possibly out-of-band, even do it visually, like a lot of places where you set up, you'll actually go to your administrator and they'll set it up there, where you put in a code off of their screen. You can have a high confidence level that the communication is not being intercepted; you can have a high confidence level this is the actual individual responding, or if not the individual responding, they've allowed someone to respond in their stead. Is that your question?

Correct, and the reason it can happen on the peripheral is the data is stored on the peripheral. The systems are available today; a majority of them, there are a lot of different systems that you do that with your thumb currently, right? I log into my bank with my thumbprint; that's just for my phone app. Now what you're going to start seeing coming is you're going to start seeing the same thing where, when you go log into your bank on the website, it's going to put an auth request onto your phone, all right? Yahoo, their big recovery from the 2014 breach, in 2016: they have passwordless logins. They have no credentials. So the last time they told me to go change my password, I didn't have to, because I don't have one. I have a mobile app that's installed; if I've enrolled my device, I can do that with it. Once you start adding in biometrics with that as well, which are available on the device, you get even more secure passwordless systems where there's no central credentials whatsoever besides your identity. Yes, question?

Because in the trusted execution environment, that's not accessible by your Bluetooth. So devices have this trusted execution environment, which is where your iPhone or your Samsung or your Google phone, that's where they store the fingerprint. They're storing it in a trusted execution environment; it's not available to other processes. Now they're starting to come out with, and it's actually very expensive to do right now because it's fantastically trademarked and there's a lot of legal stuff around there for licensing, but you can get phones with trusted execution environments where your application can run in a trusted execution environment. And I'm not saying trust the phone; don't just stick it in the secure store on the phone. Encrypt your data, stick it in the right place, use the right things that you're going to do on any single application that you have today. But if you do that right, and if you have a good enough bug bounty and good enough people that are trying to attack it, you can defend against, from what I've seen so far, every one of those vectors. I work for a company, that's what we do, and no one has been able to actually get the fingerprint yet, even on any one of the devices that have the fingerprint. They haven't been able to do it even with a rooted phone; they've not been able to bypass that currently. I'm sure there's someone; someone actually got the bounty for the zero day, whatever that is, for remote rooting of an Apple phone. We haven't seen it. And also, if you test your security against rooted phones, you've got the advantage there of making sure that your stuff is very secure even if it's rooted.

All right, and phones come with different security levels, right? So right now you have the Google phone, right, that a president uses, and you have the BlackBerry that is completely secure, right, on separate networks, completely unknowable, well, completely unknowable, right? So you have highly secure phones, you have less secure phones, but as a user you get to make that decision, as opposed to once everyone on the planet starts requiring biometrics: who are you going to trust, all right? When I have to go log into Facebook, am I going to trust them with my biometrics? Am I going to trust Google with my biometrics? Who am I going to trust? Because if everyone's going to require it, right, am I going to a small bank? I use a small bank because I like the customer service, but do I trust that bank with biometrics?

Craig, it requires a good linking strategy, usually an out-of-band linking strategy to some extent, but that also depends on how you're going to do that. Usually when you have these biometric systems you determine how you're going to do the linking between the biometric and the user, so that's one of the things you definitely have to be careful of, and there's a few different ways that you can do that as far as, you know, determining the credentials of individuals. So it's going to be more difficult farther out; once you start moving from your local enterprise out to, you know, Google, for accessing Google Apps, they're not going to come to your door and watch you pair every time. But there are ways that you can do that through very, very high confidence systems that will allow you to use your identification, right? Your identification has markers in it that can determine if that's a valid identification and whether it's actually your identification. So there's a few things you can do on that for remote stuff as well. More questions? Thanks. If you have any more questions I'll be around; my flight's been delayed, so I'll be here later, and I'd like to just have kind of a discussion. If you don't believe any of the things I said, I'd love to hear what your cons are to the whole system, because I don't believe in arguing, I believe in discussing, and I gave you my point of view; I'd love to hear yours. So thanks very much. [Applause]