AI, Biometric Security and the Threat to FIORI

Jan 31, '19 by Joerg Schneider-Simon

Another year, another listing of the top 25 most popular passwords, with the top two spots being taken, yet again, by “123456” and “password.”

People are notoriously terrible at choosing secure passwords. That is why when biometric-based credentials came to the forefront, it seemed like the answer to the cybersecurity world’s prayers. After all, what could be more secure than a fingerprint?

As it turns out, the jubilation was short-lived.

Artificial Prints, Real Threats

In November, it was reported that the University of Michigan research department had developed an artificial intelligence (AI) called DeepMasterPrints. The researchers fed the AI the real fingerprints from over 6,000 individuals. From there, it used machine learning to generate fake fingerprints that can fool smartphone fingerprint sensors. These prints can even successfully masquerade as prints from multiple people.

How? As it turns out, while each fingerprint is unique, not every part of a fingerprint is unique. One section of a person’s fingerprint may be identical to someone else’s, even if the rest of the print is completely different.

Combine that with the fact that smartphone fingerprint sensors only scan part of the fingerprint, and it’s easy to see how it works: The AI uses neural networks to generate and test 2D images of fingerprints, adapting and re-testing millions of times until they find one that works, adding it to their set of “master prints”.

These master prints can then be used to break into any system — like smartphones — that uses fingerprints as a biometric security measure.

The Secondary Threat: Biometric Data Theft

For now, this AI has not been replicated by cyberattackers. However, it’s safe to say that it is only a matter of time before this experiment is duplicated by someone with nefarious purposes.

The question is: Where will they find the real fingerprints that they can use to inform their own AI? The answer adds a new factor to data hacking: the theft of biometric data.

Before people use biometric logins, they first have to register those biometrics. Right now, there exist databases containing fingerprints (as well as facial/iris images). And like all other data out there, it runs the risk of being stolen. 

Consider how difficult and time-consuming it is to replace stolen identification like a driver’s license or passport. But what if it’s your fingerprints that have been stolen? 

To sum it up, the threat of cyberattackers creating master fingerprints, and the threat of them stealing real fingerprint data to do so, are presenting daunting new challenges to the cybersecurity community.

Biometric Security and FIORI

So what does all of this have to do with SAP? Increasingly, companies are doing business outside of their four walls. Field staff, remote staff, suppliers and more are all enjoying the convenience of being able to access SAP applications through their mobile devices by way of SAP FIORI.

How many of these mobile devices can be unlocked via fingerprint?

Because SAP contains a rich trove of mission-critical data and processes, it is a tempting target for cyberattackers. However, it may not always be the easiest target, especially if the company is diligent in keeping their security notes up to date.

However, that same diligence may not be shared by staff or suppliers using FIORI. Unattended smartphones are an easy theft. Use a master print to gain access to the phone’s applications and voilà — a cyberattacker has a direct and unguarded line straight into a company’s SAP system, where they can merrily steal data or upload malware.

The bottom line: for every layer of security, there is someone (or several someones) looking to defeat it. Companies cannot rely solely on passwords and biometrics to keep their SAP systems secure from attack. Instead, an anti-virus and content security solution made specifically for SAP needs to be a fundamental part in securing SAP systems and their critical business applications.

New Call-to-action