The Dark Side Of Biometrics: 9 Million Israelis' Hacked Info Hits The Web

Biometrics are the next big thing in government and homeland security. But the recent theft of the personal information of 9 million Israelis living and dead—including the birth parents of adoptees and sensitive health information—could have big ramifications for foreign governments.

Every time a foreigner comes to the United States, their biometric data—fingerprints and photographs—are processed into a massive database called US-VISIT. The service prevents identity fraud and helps find criminals, and countries all over the world have adopted similar systems. Now Israel's has been hacked, leading to the leak of personal information of nearly every single citizen there (even some dead ones) onto the Internet.

Authorities in the Middle Eastern country announced the arrest on Monday of a suspect responsible for the massive data theft. He's a contract worker at the Israeli Welfare Ministry who was allegedly engaged in small-scale white collar crimes after-hours and who is accused of stealing Israel's primary national biometric database in 2006. He had access to the database, which is part of the country's population registry, through his office.

The stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis—including children—and detailed health information on individual citizens.

Shortly after being fired from his job for unrelated offenses, the unnamed suspect began passing the database around to members of Israel's surprisingly numerous Hasidic Jewish criminal underworld. According to the ultra-Orthodox Jewish Yeshiva World News, the stolen biometric database was passed around by six separate suspects, who made copies of the records in exchange for cash.

Identity theft and petty Internet crimes being what they are, the stolen biometric information quickly made its way online. One of the secondary suspects uploaded the whole of Israel's biometric records database to the Internet under the name “Agron 2006.” A quick Google search reveals numerous torrents and uploaded copies of the database easily available for download.

According to Yoram Cohen of the Israeli Justice Ministry, “Any person who handles personal information and any citizen should lose sleep over the chain of information from the now exposed theft of the Population Registry information.”

There's only one problem: Biometric databases are the future. The Indian government is building the world's largest biometric database, which will handle the personal information of nearly 1 billion citizens and give millions easy access to health care and education. Many European Union members such as Germany and the Netherlands automatically include biometric information on passport RFID chips. Here in the United States, the FBI is building a billion-dollar biometric database that will give every single police department and sheriff's office in the country instant access to millions of mugshots and fingerprints. While they might be scary and big brother-ish, biometric databases save massive amounts of taxpayer money and help streamline lumbering bureaucracies.

In the Israeli case, a valuable database was stolen through an inside job. Although the information was stolen by a white-collar criminal with an identity theft jones rather than by a hostile intelligence service or an enemy hacker, the end effect was the same.

The Federal Bureau of Investigation and the Department of Homeland Security have been less than forthcoming about efforts to secure the data contained in their respective biometric databases. However, a DHS privacy impact assessment conducted for the Coast Guard's “Biometrics at Sea” program found numerous privacy concerns and weak spots that required additional security. Both the FBI and Homeland Security's databases will retain decades' worth of personal information, photographs, and fingerprints.

In the end, the government—and taxpayers—have chosen the efficiency and cost savings of biometric databases over the privacy and civil liberties concerns that experts have raised. But as the Israeli example shows, today's biometric database could easily become tomorrow's warez download.

[Image: Flickr user Bob AuBuchon]

For more stories like this, follow @fastcompany on Twitter. Email Neal Ungerleider, the author of this article, here or find him on Twitter and Google+.

8 Comments

  • Andrew Polcha

    I absolutely agree with Karl that it is very possible and easy to recreate the original image from an encrypted biometric template. It is also true that once a person's biometric is stolen from a database - that person's stolen biometric i.e. eye, finger etc. can never be trusted again. Merely re-enrolling that person will not re-enroll the trust factor. The best way to thwart biometric theft is to make the market value of the biometric worthless and security through obscurity like Karl says is not secure. I've been working on this problem for a long time because nobody is protecting (really) the biometric. We've been experimenting with distortion elements (distortion prior to transmission) for both eyes and fingers. For authentication, the few positives are: the protocol of capture_compare_confirm remains intact and we can re-enroll a new biometric if ever tampered. I am not selling anything here, but listed are a few graphics of the approach ~ http://www.recoverablebiometri... Best, Andrew 

  • e a

    Neal,

    Actually, the leaked DB did not contain any biometrics, and was leaked back in 2006. It has been used for many nefarious activities since, and as an example why Israel should NOT have a biometric national registry. This has become news in Israel again because the person who initially leaked this to the internet has been finally caught by the police who followed a bragging comment to a broadcast on Israeli TV a few years ago. This led police to all the additional intermediaries (he was 4 or 5 degrees removed from the original thief of data from government databases). All of them will be tried for trading and using PII.

    I fully agree with the arguments that a biometric database will be very hard to protect, and would require very careful consideration of the security measures for accessing it. Even common PII (National ID, DOB, Full Name, Address) databases that are held by many government and commercial bodies today should be much better protected than they currently are, and we should probably postpone the next step until we can prove the current DBs are protected. The potential damage from such a DB in the wild probably outweighs its undeniable contribution to law enforcement and international travel.

    Best, E

  • Stephen Wilson - Lockstep

    Tellingly, John Trader's agitation about the article is not matched with any rigor or accuracy in his 'rebuttal'.  His three points vary from wildly optimistic to downright wrong.  In reverse order:

    3. "It is also irrelevant that these databases were uploaded online from a biometric technology perspective ... they are useless to anyone".

    That's a big big call if he doesn't know what sort of biometrics are in the database.

    2. "The software is proprietary which means the information is exclusive to the system it is stolen from and is irrelevant to any other proprietary system".

    This is pretty funny.  For all the talk of interoperability in biometrics, it turns out that this vendor's expectation is that biometrics just won't interoperate, ever.

    1. "These templates are not images and are nearly impossible to be reverse engineered to create an image"

    But this is almost a lie.  There are well publicised academic papers that show reverse engineering of facial and fingerprint templates by successive approximation methods. 

    Meanwhile, the unanswered and fatal question is: What would biometrics vendors have us do in the event of a compromise, when no commercial biometric is capable of cancellation and re-issuance?

    If the database in question contained passwords or keys or any normal security secrets, then the first thing we'd do is cancel them and re-issue the users with new ones, along with abject apologies for the inconvenience.  But with biometrics, that's not an option.  Instead we get biometrics advocates like John Trader arguing vehemently, desperately (without even knowing the details of the case!) that there is no problem, don't worry about templates being stolen, they're no use to anyone, promise.

  • M2SYS Technology

    I'm a little lost. What biometric information was stolen from the database? If the software is like 99.9% of any other proprietary biometric software then there were NO images stored in the database, only a series of data points that are used for search purposes by an algorithm that determines the similarity of the template and the end user when they use a biometric hardware device to be identified. Simply saying that 9 million biometric records were stolen, without explaining that:

    1. These templates are not images and are nearly impossible to be reverse engineered to create an image.
    2. The software is proprietary which means the information is exclusive to the system it is stolen from and is irrelevant to any other proprietary system.
    3. It is also irrelevant that these databases were uploaded online from a biometric technology perspective. Once again, they are useless to anyone.

    is very misleading.

    I think this article is poorly written and works to perpetuate continuous and growing misperceptions about biometric technology by inferring that because this happened in Israel and the US government is currently assembling a biometric database and the efforts to create an Aadhaar identity in India somehow stealing a database here in the US automatically translates into a catastrophic problem. It is nice however that the author points out the tremendous cost savings that a biometric system can bring to governments and "streamline lumbering democracies." That is definitely true.

    I think that if you are going to report in this fashion about biometric technology, you may want to fact check what stealing biometric templates really means and the science behind the technology so we don't propel fear, mistrust and misinformation.

  • Karl Martin

    John,

    Unfortunately, you're repeating many of the falsehoods perpetuated by vendors of biometric systems that do not want you to know about the weaknesses in their systems.

    1. It is absolutely possible to recreate the original image from a biometric template. Do a search on the hill-climbing attack.

    2. Security through obscurity (i.e., via proprietary technology) is extremely weak. Making something proprietary might just make it slightly more difficult for an attacker to breach.

    3. Biometrics are personally identifiable information that can never be changed. There's a lot of value in that.

    A typical biometric system does little or nothing to protect the biometric data. Only a small number of vendors that utilize biometric cryptography technologies address this issue.

  • nealu

    Hi John,

    Article author here. Just to be clear, the database that was stolen did contain biometric information and also contained personal information -- names, birthdates, ID numbers, etc. -- for millions of people. More detailed information can be found at the numerous overseas papers I linked to in the piece.

    While the software may have been proprietary and the templates difficult to reverse engineer, the more conventional data sets handled by Aadhaar (and other similar projects) are considerably easier to exploit... as this example from Israel shows.

    In the end, a database is only as secure as its weakest link. Here's hoping that the FBI and DHS projects will remain more secure than their overseas cousins.

  • Foteini Agrafioti

    John,

    Quick note on how to use a stolen biometric template. Hill-climbing to reverse is only one option. With the template handy, one can do a replay attack just by bypassing the sensor - you only need to know that the same individual is enrolled in the second system too. Biometric templates can be cross-matched along different databases. 

    Foteini 

  • M2SYS Technology

    I appreciate your clarification and I did take away that the database stolen contained biometric information. I can understand concern from a citizen's point of view because their personal information was displayed along with their biometric information, but my point from a biometric technology perspective is, what use is the biometric information? I still don't draw a conclusion between a biometric profile being stolen and a criminal using it for another purpose. This is not a fair assumption and perhaps I am underestimating the intelligence of your community, but to the lay person, this is exactly what they would believe after reading this article.

    I agree with you 100% that a database is only as secure as its weakest link. My point is, if you are going to write an article like this that refers to the exploitation of biometric information from the perspective of a criminal or a hacker stealing a database and then making it available to the public it's important to note, explain or refer to other sources that the technology behind biometric systems is designed to make it not difficult, but nearly impossible to recreate an image in order to use that for criminal purposes. It is widely believed that mass quantities of biometric information can be captured at once from hacking into a private industry biometrics system with the fear that compromised biometric information may lead to permanent loss of identity that cannot be changed like a social security or bank account number. It’s a valid point, and one that’s difficult to refute.

    Thanks for the feedback.
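The comments above on distorting a biometric before it is stored, re-enrolling after a compromise, and cross-matching between databases can be illustrated with a keyed "cancellable template". This is an added example, not code from the article or from any commenter's product; it uses a generic keyed random projection, and the feature vector, key names, template size and match threshold are all constructed assumptions.

```python
import hashlib
import hmac
import random

DIM = 64      # length of the constructed feature vector (assumption)
BITS = 256    # length of the protected template (assumption)

def _projection(key: bytes):
    """Derive a key-specific random projection matrix (BITS x DIM)."""
    seed = hmac.new(key, b"template-projection", hashlib.sha256).digest()
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(BITS)]

def protect(features, key: bytes):
    """Distort the features with the keyed projection; keep only the signs."""
    return [1 if sum(r * f for r, f in zip(row, features)) >= 0 else 0
            for row in _projection(key)]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def matches(stored, probe, threshold=40):
    """Accept when at most `threshold` of the BITS positions differ."""
    return hamming(stored, probe) <= threshold

def sample_capture(rng, base, noise=0.05):
    """Constructed stand-in for a fresh, slightly noisy sensor reading."""
    return [v + rng.gauss(0.0, noise) for v in base]

def demo():
    rng = random.Random(2011)  # fixed seed so the run is reproducible
    trait = [rng.gauss(0.0, 1.0) for _ in range(DIM)]  # constructed "finger"
    key_a, key_b = b"system-A-key-v1", b"system-B-key-v1"
    key_a2 = b"system-A-key-v2"  # issued after system A's store is stolen

    enrolled_a = protect(trait, key_a)
    enrolled_b = protect(trait, key_b)
    reissued = protect(trait, key_a2)
    return {
        # same person, same system: only sensor noise separates the two
        "genuine": hamming(enrolled_a, protect(sample_capture(rng, trait), key_a)),
        # same person enrolled in two systems: templates do not cross-match
        "cross_system": hamming(enrolled_a, enrolled_b),
        # stolen old template compared with the re-issued one
        "stolen_vs_reissued": hamming(enrolled_a, reissued),
        # the person still authenticates against the re-issued template
        "genuine_after_reissue": hamming(
            reissued, protect(sample_capture(rng, trait), key_a2)),
    }

if __name__ == "__main__":
    for name, dist in demo().items():
        print(f"{name}: {dist} / {BITS} bits differ")
```

The revocation property depends on the key being stored apart from the template database; if both are taken together, the distortion no longer protects the underlying trait.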