Adapting CVSS for Biometric Systems

Addressing Unique Vulnerabilities in Biometric Technologies

Dr Ted Dunstone CEO BixeLab

ted@bixelab.com

Introduction

  • Biometric Systems: complex and probabilistic systems. Dependant on acquisition device, quality, environment, demographics 
  • Unique Vulnerabilities:
    • Spoofing attacks
    • Template attacks
    • Demographic biases
  • Traditional Security Frameworks: Often inadequate in addressing these specific challenges. (mostly deterministic)

Common Vulnerability Scoring System (CVSS)

  • Purpose: Provides a standardized method to assess and communicate the severity of software vulnerabilities.
  • Scoring Range: 0 (least severe) to 10 (most severe).

Recent Issues

with CVSS

CVSS impact metrics give equal weight to confidentiality, integrity, and availability, overlooking the unique risk priorities of organizations and the true impact a vulnerability might have,

 

analysis suggests that around 10% of vulnerabilities are potentially being underrated

 

 JPMorganChase

Has CVSS Been Applied to Biometrics?

  • Example: [CVE-2021-3145](https://nvd.nist.gov/vuln/detail/CVE-2021-3145)  - Bypass of biometric authentication in Ionic Identity Vault (Android).
  • CVSS v3.1 Score: 6.7 (Medium Severity)

 

 Thi​s relies on standard metrics that do not fully capture the unique aspects of biometric vulnerabilities, such as spoofing attacks or demographic biases

Refine Existing Metric

  • Attack Vector: Include physical and digital avenues for biometric data acquisition.
  • Impact Metrics: Assess consequences on authentication integrity and privacy breaches.

Incorporate Demographic Bias Assessment

  • Bias Impact: Evaluate vulnerabilities' effects on specific demographic groups, leading to unequal security.

Introduce New Metrics

  • Biometric Specificity: Biometric modality issues
  • Spoofing Resistance: Measures resistance to spoofing (PAD and Liveness) with Presentation Attack Instruments (PAI) .

Proposal

Recommendations

  1. Utilise Biometric-Specific Metrics:

    • Template Security: Assess the robustness of stored biometric templates against extraction or reconstruction attacks.
    • Liveness Detection Effectiveness: Measure the system's capability to distinguish between live and fake biometric samples.

  2. Enhance Environmental Metrics:

    • Deployment Context: Consider the operational environment (e.g., controlled access vs. public spaces) to adjust vulnerability severity.
    • User Population Diversity: Factor in the diversity of the user base to understand the broader impact of demographic biases.

  3. Standardize Reporting of Biometric Vulnerabilities:

    • Unified Framework: Encourage the use of adapted CVSS metrics across the industry for consistent vulnerability assessment.
    • Regular Updates: Continuously refine metrics to address emerging threats and technological advancements in biometrics.

Examples

NIST CVSS Calculator

Example 1: Spoofing Attack on Facial Recognition System

  • Scenario: An attacker uses a high-resolution photograph to spoof a facial recognition system.
  • Assessment Using Adapted CVSS:
    • Attack Vector (AV): Physical
    • Attack Complexity (AC): Low
    • Privileges Required (PR): None
    • User Interaction (UI): Required
    • Spoofing Resistance (SR): Low
    • Impact on Authentication Integrity (IAI): High
    • Bias Impact (BI): Medium
  • Resulting Score: 8.0 (High)

Face Recognition Example

1. Attack Vector (AV): Physical (P)

  • The attacker must physically present a high-resolution photograph to the facial recognition system to execute the spoofing attack.

2. Attack Complexity (AC): Low (L)

  • The attack does not require special conditions or advanced skills; a readily available photograph suffices.

3. Privileges Required (PR): None (N)

  • The attacker does not need any prior access or privileges within the system to perform the attack.

4. User Interaction (UI): Required (R)

  • The attack necessitates interaction with the system, such as presenting the photograph to the camera.

 5. Scope (S): Unchanged (U)

  • The attack impacts the vulnerable component (facial recognition system) without affecting other system components.

6. Confidentiality Impact (C): None (N)

  • The attack does not directly compromise confidential information.

7. Integrity Impact (I): High (H)

  • The attack allows unauthorized access, compromising the integrity of the authentication process.

8. Availability Impact (A): None (N)

  • The attack does not affect the availability of the system.

Integrating Adapted CVSS into Security Strategies

  1. Risk Assessment:

    • Use CVSS scores to prioritize remediation efforts 

  2. System Design:

    • Include spoofing resistance and strong template security in development.

  3. Policy Development:

    • Set guidelines for regular biometric system assessments 

  4. Training and Awareness:

    • Inform stakeholders about biometric vulnerabilities and the need for tailored security assessments.

Conclusion

  • Necessity:  Biometric system are increasing used in both Foundation and Function Identity (e.g. Passkeys).
  • Benefits of Adapted CVSS (BCVSS?):
    • Standardizes the assessment of biometric vulnerabilities.
    • Strengthens authentication and identification technologies.
  • Call to Action: Contact ted@bixelab.com to collaborate

References