The security research team at SafetyDetectives has discovered a significant data leak in addition to other security flaws (such as lack of password protection) relating to fingerprint data on an Antheus log server in Brazil.
Our team, led by Anurag Sen, discovered almost 2.3 million data points in total and estimates that 76,000 unique fingerprints were found on the database.
Approximately 16 gigabytes of data were found on the Elasticsearch server including highly sensitive information related to identification and biometric details.
The Antheus server investigated by our security team is an identity server, which means it gives users access to the system or the ability to register as a new user. It also has fingerprint information in at least two “indices” from a total of 91 found by our research team.
Who is Antheus Tecnologia?
Founded in April 1996, Antheus Tecnologia develops and distributes Automated Fingerprint Identification Systems (AFIS), automated fingerprinting and other systems such as iris recognition devices.
Antheus Tecnologia claims it is the first Brazilian company to be certified by the US Federal Bureau of Investigation (FBI) and develops biometric solutions for domestic and overseas clients.
What has been leaked?
The Antheus server stored server and API access logs but also contained fingerprint data comprising ridge bifurcations and ridge endings – essential components for identifying and verifying fingerprints.
Number of Records Leaked: Over 81.5 million records including employee company emails, telephone numbers and 76,000 unique fingerprints
Size: 16 gigabytes
In addition to fingerprint information, there were also instances of biometric data vulnerabilities, such as face recognition data being accessible and retrievable from the database.
In parallel to the biometric data breach, we noticed another related vulnerability at Antheus Tecnologia during our investigation. The company provides services to a national Civil Identification System in Brazil used to issue driving licenses, yet the access portal used for onboarding new users is not secure given the lack of password protection.
Furthermore, in addition to user data, administrator login information and several employee email addresses and phone numbers were also found.
Further server information
The Antheus identity server enables users to log in to its system or to register new users.
The practice of allowing access to server data in such a way is rather unusual. This methodology leaves the server exposed, but this could have been done purposefully. If so, it’s a rather strange option to take when it comes to ensuring security.
Our security team found two indices, potentially referring to two different companies using the Antheus server to store personal information including fingerprint data. Moreover, our investigation found data logs relating to precise fingerprint scans that can be reconstructed from the index numbers stored on the Antheus server.
According to our research, it may be possible to recreate (or reverse-engineer) a biometric image map for a particular fingerprint from strings of data found on the server.
From what we discovered, nefarious users can access the Antheus server and, after extracting the available data, could use the data stream of ones and zeros to recreate the full biometric image of someone’s fingerprint.
Data Breach Impact
Facial recognition, retina scans, fingerprint information and biometric data are permanent and cannot be changed. Once they are stolen, the perpetrator has a record of someone’s biometric information which enables them to commit repeated criminal offences in the future, including ID fraud.
Lax security measures for biometric information present a persistent security risk because even if the data cannot be used today, it can be stored and used at a later date given that its value does not diminish over time.
The unsecured manner in which Antheus Tecnologia stores information is rather alarming considering its importance. It’s even more alarming that Antheus Tecnologia was built and deployed by a security company.
Instead of saving a hash of the fingerprint (that cannot be reverse-engineered), Antheus is saving people’s actual fingerprints through rudimentary encoding which can then be replicated for malicious purposes.
By collating all the personal data found in the leak, criminals could use this information for various illegal and dangerous activities including:
- Gaining access to restricted or classified information
- Committing a range of financial crimes
- Phishing attacks
- Blackmail, extortion and ransomware
- Crimes committed under the guise of someone else
The growing importance of fingerprint data
Data breaches relating to fingerprint data are particularly concerning because of users’ inherent inability to refresh their security information.
Given current consumer and professional trends, fingerprints are replacing typed passwords in many consumer goods such as phones and laptops.
Most fingerprint scanners on consumer goods are encrypted, so when a hacker develops technology to replicate your fingerprint, they could gain access to all the private information such as messages, photos and payment methods stored on your device.
Preventing Data Exposure
How can you prevent your personal information from being exposed in a data leak and ensure that you’re not a victim of attacks – cyber or real-world – if it is leaked?
- Be cautious of what information you give out and to whom
- Check that the website you’re on is secure (look for https and/or a closed lock)
- Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
- Create secure passwords by combining letters, numbers, and symbols
- Check out our online scanning tool that checks your devices for known vulnerabilities
- Do not click links in emails unless you are sure that the sender is legitimately who they represent themselves to be
- Double-check any social media accounts (even ones you no longer use) to ensure that your posts and personal details are visible only to people you trust
- Avoid using credit card information and typing out passwords over unsecured WiFi networks
- Find out more about what constitutes cybercrime and the best tips to prevent phishing and ransomware attacks, and stay updated with the latest online cybersecurity developments via our blog.
SafetyDetectives.com is the world’s largest antivirus review website.
The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data.
Published on: Mar 11, 2020