
Friday, September 28, 2012

Common Vulnerabilities and Exposures (CVE) for Biometrics

Biometric technologies are attracting increasing attention as a means of enhancing security (implying authentication and authorization) for mobile devices and applications. The obvious question is how secure these biometric technologies are and what the scope of vulnerabilities in them is. Several researchers have published articles and frameworks on this topic for over a decade, but I could not find a standardized framework for representing vulnerabilities across fingerprint, face, iris and other recognition technologies, or for evaluating the severity of these vulnerabilities.

US-CERT uses the Common Vulnerabilities and Exposures (CVE) listing to standardize descriptions and evaluation of cyber security vulnerabilities, and I searched their vulnerabilities database for biometrics vulnerabilities. The search did not return a single hit, and this indicates the need for a CVE-style listing for biometric products and technologies. A biometrics CVE would not only serve as a public resource of known vulnerabilities, but also allow vulnerability assessments to use a common identifier and allow end users to identify patching information.

The Common Vulnerability Scoring System (CVSS) is another important component, necessary to communicate the severity of a vulnerability in a standardized manner. An industry-accepted framework for generating CVSS scores would be extremely valuable for organizations as they consider the management and upkeep aspects of large-scale biometric systems. A well-understood and widely accepted framework for enumerating vulnerabilities and prioritizing them based on severity is critical to widespread adoption of biometric technologies.

Over the next few postings I will write about how the CVE and CVSS frameworks can be applied to biometric technologies. Comments, suggestions and any inputs on these topics are welcome!
 
