
Principles of Information Systems (MindTap Course List)
13th Edition
ISBN: 9781305971776
Author: Ralph Stair, George Reynolds
Publisher: Ralph Stair, George Reynolds
Chapter 13: Cybercrime And Information System Security
Section: Chapter Questions
Problem 2CE
Question

Founded in April 1996, Antheus Tecnologia develops and distributes Automated Fingerprint Identification Systems [AFIS], automated fingerprinting, and other systems such as iris recognition devices. Antheus Tecnologia also claims that it is the first Brazilian company to be certified by the US Federal Bureau of Investigation [FBI] and develops biometric solutions for domestic and overseas clients.

In March 2020, the security research team at SafetyDetectives discovered a significant data leak in addition to other security flaws [such as lack of password protection] relating to fingerprint data on an Antheus log server in Brazil. The research team discovered almost 2.3 million data points in total and estimated that 76,000 unique fingerprints were found on the database. Approximately 16 gigabytes of data were found on the Elasticsearch server, including highly sensitive information related to identification and biometric details.

The Antheus server investigated by the security team is an identity server, which means it gives users access to the system or the ability to register as a new user. It also had fingerprint information in at least two “indices” from a total of 91. The Antheus server stored server and API access logs but also contained fingerprint data comprising Ridge Bifurcation and Ridge Ending – essential components for identifying and verifying fingerprints. In addition to fingerprint information, there were also instances of biometric data vulnerabilities, such as face recognition data being accessible and retrievable from the database.

In parallel to the biometric data breach, Antheus Tecnologia also had another related vulnerability which was noticed during the investigation. The company provides services to a national Civil Identification System in Brazil used to issue driving licenses, although the access portal used for on-boarding new users was also not secure because of the lack of password protection. Furthermore, user data, administrator login information, several employee email addresses and phone numbers were also found.

According to the SafetyDetectives research team, the practice of allowing access to server data in such a way is rather unusual. This methodology generally leaves the server exposed, but this could have been done purposefully. If so, it’s a rather strange option to take when it comes to ensuring security.

The SafetyDetectives security team found two indices, potentially referring to two different companies using the Antheus server to store personal information, including fingerprint data. Moreover, the investigation team found data logs relating to precise fingerprint scans that could be reconstructed from the index numbers stored on the Antheus server. Moreover, it could be possible to recreate [or reverse-engineer] a biometric image map for a particular fingerprint from strings of data found on the server. According to the research findings of the SafetyDetectives security team, nefarious users can access the Antheus server and, after extracting the available data, use the data stream of ones and zeros to recreate the full biometric image of someone's fingerprint.

[Source: https://www.safetydetectives.com/blog/antheus-leak-report/ Accessed May 2021]

Q) Identify and discuss the vulnerability associated with fingerprint data stored on the Antheus Tecnologia server. Recommend a possible solution to patch this vulnerability.