The world of IoT has not had the best reputation for security. There has been a multitude of data leaks and privacy threats affecting the world of smart devices. Unfortunately, it’s proven that the days of insecure IoT are far from over.
Researchers at the University of Liverpool have discovered a new way for hackers to get their hands on your data. As it turns out, IoT isn’t storing biometric data as well as we might have hoped.
What Did the Study Discover?
The report on the study discusses what the researchers found. The researchers’ goal was to analyze the threat of a cyber-attacker pairing a device with the biometrics used to unlock it. After all, devices can leak biometric data, so it’s important to see if a hacker could then use it on the correct device.
The researchers gathered 30,000 pieces of biometric data from 50 users. They also had 100,000 device IDs on record. They tried to create a profile of who-uses-what using this data.
Using the samples, the researchers could identify who belonged to each device. 70 percent of the devices could be identified by using the samples alone. They could also harvest the biometric data to create a profile of information (such as voice and face data) with 94 percent accuracy.
Dr Chris Xiaoxuan Lu, who led the study, said the following:
This is an important new study which confirms the concern presented by numerous IoT devices and unveils a compound identity leak from the combined side channels between human biometrics and device identities.
Technically, we present a data-driven attack vector that robustly associates physical biometrics with device IDs under substantial sensing noise and observation disturbances.
He went on to say that the state of current IoT security is not designed to withstand this method of attack and that they will be talking to lawmakers to ensure developers add protection to future devices.
The Effects of this Method of Attack
Why is this attack so bad? The main problem is that it allows a cybercriminal to pair up biometric data with devices they can unlock.
Biometric scanners can be a pain for hackers. They may get control of a device but have no idea who it belongs to. Likewise, they can harvest someone’s biometric data but have no idea what devices those scans unlock.
It’s similar to a hacker knowing the location of a locked door but having no idea where the key is or the hacker having a key but having no idea what door it unlocks. The pairing of the door and the key is the important part, as this is what allows hackers to do damage.
With this study, it shows that a cybercriminal can profile a user by matching the devices they use to the data that unlocks them. This makes a particularly dangerous scenario where a hacker can target an important official, create a profile for them, then use that profile to bypass their biometric security.
With IoT devices using biometric data to identify users, a copied fingerprint could potentially do a lot of damage. With recent research, we can see that it’s possible to accurately pair a device with its biometric data.
Learn how biohackers implanted Raspberry Pis under the skin in their legs. If you want to see what else happened recently in the cybersecurity world, be sure to check out these three home hubs with security flaws.