The Coming End of Biometrics Hastens AI-Driven Security

Until recently I thought we had a lot of time ahead of us to rely on biometrics to authenticate who I am and what I should have access to.  But then this morning I came across a story about GoldPickaxe, app-based malware built to harvest facial scans and other personal data, which threat actors have used to create highly realistic deepfake videos.  Just like personal data such as social security numbers and dates of birth, biometrics are increasingly being scraped, stored, and analyzed by threat actors.  And as with those other authentication factors that malicious hackers have already breached, biometrics alone as a method of authentication will fade away (and likely be replaced with new forms of multi-factor authentication). 

What is disturbing about GoldPickaxe is that it is part of a trend that is growing at the speed of AI:

  1. A mother receives a late-night ransom call with her 15-year-old daughter pleading and screaming at the other end of the line.  It wasn't her daughter; it was an AI-generated call built from a clone of her daughter's voice, so accurate that even her mother couldn't tell the difference.
    1. AI scam calls: This mom believes fake kidnappers cloned her daughter’s voice | CNN
  2. A biometrics database with over 27M records, including fingerprints and facial recognition data, was exposed in 2019, adding to other breaches of biometric data on millions of people.  Unlike a password, a fingerprint or a face cannot be rotated once it leaks.
    1. Stolen fingerprints could spell the end of biometric security – here’s how to save it (theconversation.com)
  3. IoT security is known to be weak, with IP cameras in particular being routinely exploited.  It is not hard to imagine video archives being mined for iris, fingerprint, and facial recognition data; think of a typical office environment where the subject of interest passes a high-resolution camera several times a day for months.  A bit of the iris here, a partial fingerprint there… with enough repetition, compute, and time, threat actors can likely assemble a person's full biometric profile (not to mention capture their passwords if the cameras can be tilted to watch the keyboard being typed on). 
  4. The speed of AI, and eventually quantum computing, will erode biometrics, today's strong encryption, and passwords: AI makes synthesizing a face or a voice cheap, and a sufficiently large quantum computer would break the public-key encryption in wide use today. 

The answer to the end of biometrics and today's strong encryption will be found in more extensive use of AI by defenders at every level, and specifically in using AI to drive faster expansion of zero trust approaches, threat detection, very early eradication of bots and malware, and digital authentication methods such as certificates.

Until we get there, organizations need to increase their focus on cyber hygiene, specifically around IoT devices like cameras.  Many AI-based threats will start by breaching existing systems to use their data as a starting point, and IoT applications and devices are ideal for that.  Having IoT-capable, application-based discovery; automated remediation for managing patches, certificates, and passwords; and reporting infrastructure to prove IoT security compliance is going to be the primary way to fight the AI-driven threats that are starting to emerge. 
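To make the "patches, certificates, and passwords" hygiene checks concrete, here is a small audit that runs over a device inventory and produces a compliance summary.  It is an added example written for this post, not code from GoldPickaxe research or from any vendor's product.  The inventory, the vendor names, the minimum-patched firmware baseline, and the default-credential list are all constructed for illustration; in practice the inventory would come from a discovery tool and the baseline from vendor advisories.

```python
"""IoT hygiene audit: flag factory-default or weak passwords, outdated firmware,
and expired or soon-to-expire device certificates, then summarize compliance.
Standard library only; all data below is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed baseline: oldest firmware per vendor that carries the known fixes.
# Vendor names and versions are illustrative, not real products.
MIN_FIRMWARE = {"acme": (2, 3, 0), "visionco": (5, 0, 12)}
# Constructed list of factory-default credential pairs that must never survive deployment.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "12345"), ("root", "root"), ("admin", "")}
CERT_WARN_WINDOW = timedelta(days=30)
MIN_PASSWORD_LEN = 12

@dataclass
class Device:
    id: str
    vendor: str
    firmware: str
    username: str
    password: str
    cert_not_after: str  # ISO-8601 timestamp, UTC, 'Z' suffix

@dataclass
class Finding:
    device: str
    check: str
    severity: str  # critical / high / medium
    detail: str

def parse_version(v: str) -> tuple:
    """'2.1.4' -> (2, 1, 4); a non-numeric component sorts as 0 so comparison still works."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_utc(ts: str) -> datetime:
    """Accept the 'Z' suffix that many device exports use; fromisoformat wants '+00:00'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_device(d: Device, now: datetime) -> list:
    """Run the three hygiene checks for one device and return its findings."""
    findings = []
    # 1. Credentials: a factory default is critical; merely short is high.
    if (d.username, d.password) in DEFAULT_CREDS or d.password == d.username:
        findings.append(Finding(d.id, "default-credential", "critical",
                                f"{d.username}/{d.password or '<empty>'} is a factory default"))
    elif len(d.password) < MIN_PASSWORD_LEN:
        findings.append(Finding(d.id, "weak-password", "high",
                                f"password length {len(d.password)} < {MIN_PASSWORD_LEN}"))
    # 2. Firmware: compare against the vendor baseline; unknown vendor means no baseline exists.
    min_fw = MIN_FIRMWARE.get(d.vendor)
    if min_fw is None:
        findings.append(Finding(d.id, "unknown-vendor", "medium",
                                f"no patch baseline for vendor {d.vendor!r}"))
    elif parse_version(d.firmware) < min_fw:
        findings.append(Finding(d.id, "firmware-outdated", "high",
                                f"{d.firmware} is below baseline {'.'.join(map(str, min_fw))}"))
    # 3. Certificate lifetime: expired is high, expiring inside the warning window is medium.
    not_after = parse_utc(d.cert_not_after)
    if not_after <= now:
        findings.append(Finding(d.id, "cert-expired", "high", f"expired {not_after.date()}"))
    elif not_after - now <= CERT_WARN_WINDOW:
        findings.append(Finding(d.id, "cert-expiring", "medium",
                                f"expires {not_after.date()}, within {CERT_WARN_WINDOW.days} days"))
    return findings

def audit(devices: list, now: datetime) -> dict:
    """Audit every device; a device with any critical or high finding is non-compliant."""
    findings = [f for d in devices for f in check_device(d, now)]
    noncompliant = sorted({f.device for f in findings if f.severity in ("critical", "high")})
    pct = round(100.0 * (1 - len(noncompliant) / len(devices)), 1) if devices else 100.0
    return {"findings": findings, "noncompliant": noncompliant, "compliance_pct": pct}

# Constructed sample inventory: four cameras in various states of hygiene.
SAMPLE_INVENTORY = [
    Device("cam-lobby-01", "acme", "2.1.4", "admin", "admin", "2024-03-01T00:00:00Z"),
    Device("cam-dock-02", "acme", "2.3.0", "ops", "Q7v!x2Lm9pK4rT", "2024-06-15T00:00:00Z"),
    Device("cam-hall-03", "visionco", "5.0.12", "svc", "short1", "2025-01-01T00:00:00Z"),
    Device("cam-yard-04", "unknownco", "1.0.0", "ops", "Wn4$kd8Lq2Zp7Yb", "2025-01-01T00:00:00Z"),
]
# Fixed audit time so the report is reproducible.
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, AUDIT_TIME)
    for f in report["findings"]:
        print(f"{f.severity:8} {f.device:14} {f.check:20} {f.detail}")
    print(f"non-compliant: {report['noncompliant']}  compliance: {report['compliance_pct']}%")
```

The audit time is passed in rather than read from the clock so that the report for a given inventory snapshot is reproducible, which is what an auditor asking for proof of compliance actually needs.  A real deployment would feed `audit()` from the discovery system and hand critical findings (default credentials on a reachable camera) straight to the remediation queue rather than a report.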
