Analysis and Commentary

Cybersecurity – Identity and Access Management: Building biometric-based ID machines

For the last two weeks, our Cybersecurity – Identity and Access Management series has looked at cybersecurity threats to manufacturers, why they should take them seriously, and how they can thwart them. For the final entry, we will hear from a manufacturer responsible for other people’s security and access management, and the ways it goes about keeping very sensitive, very personal data safe. 

AerVision Technologies was formed by researchers from a disbanded NICTA (now part of CSIRO) lab in Brisbane, who worked under a national security-oriented Safeguarding Australia theme.

Formed in 2013, the company has worked on a variety of security-related projects, applying artificial intelligence and machine learning to biometrics, crowd analytics and other challenges.

It began an Advanced Manufacturing Growth Centre-supported project in 2020 to commercialise palm vein-based scanning machines for building access. The project – in collaboration with Design + Industry, Circuitwise Electronics Manufacturing and Deakin University – quickly pivoted due to the pandemic, incorporating temperature scan and touchless features. It currently offers palm vein, face, iris and card identification for users.

@AuManufacturing spoke to Dr Abbas Bigdeli, CEO and co-founder of AerVision, about developing products that work based on a user’s stored biometrics data, the sensitivity in handling this, and the different layers of security used to keep it safe.

@AuManufacturing: Please tell us about the progress of your AerAccess product (pictured below) since we last spoke about a year ago.

Abbas Bigdeli: We went through seven iterations of that device. The AMGC grant assisted us with the design and prototyping and we did seven different prototypes. Eventually we decided on a design which met all our requirements. And we installed a machine at our first customer’s site.

They are talking about replicating it at all their sites. They have a location in Melbourne, but globally they have about 400 access doors at different sites. That hasn’t happened yet, and it’s with management. Since then we have worked with a number of other potential customers. 

Another main one is a logistics company, so they can have drivers checked and logged on. Because one of the key issues is not just temperature or identity, but an issue they have is drivers filling in for each other on their rostered days. And that’s one of the major causes of accidents, due to fatigue. 

So the only way companies can monitor and avoid that is through biometrics. At the moment a PIN or a card can be forged.

In parallel we have entered a major tender with Queensland Corrective Services, again, using our AerAccess machine. We will see what happens. We feel we’ve put in a very strong case, as an Australian manufacturer, because everything else is made overseas and does not have our collection of features.

Other than that we find a lot of customers that due to Covid don’t have the certainty to invest and upgrade their systems. On the other side we have supply chain issues with electronics, which is affecting everyone. We have a delivery from mainland China that was supposed to have arrived in October but is not here yet, for example, and we’ve just been told it is due in March.

@AuManufacturing: You mentioned the seventh iteration of AerAccess. Is it more or less finished?

Abbas Bigdeli: Yes, more or less finished. With manufacturing we wanted to have it as modular as we could, to customise it for users – whether it’s the form factor, shape, colour etcetera – which is basically a key advantage over our competition. But also cost-effective.

@AuManufacturing: What are some considerations you work to in terms of information security when designing a product like this?

Abbas Bigdeli: We have three layers of information security to deal with for any biometrics access control system.

One is the integrity of what we call the biometrics template. Because you have to capture a template of the user. So the integrity of that is very important – where it is kept, how it is kept, and how it is tied to the person, because it is personal information.

The other is the security of communications. Because these devices deal with a back end. So any data transaction with the device, the reader and the back end server is a consideration.

And then the third thing is the security of the actual device itself. 

The way we have tackled these three layers is: with the device, what we have done by design is include a tamper switch. So we have an electro-mechanical mechanism inside where it will detect any tampering – if someone wants to take it off the wall or open it up, plug in a USB or a cable, any type of tampering, basically – it will destroy any information it contains. It self-destroys, basically.

The other thing is for communications we follow all the standards that are available to make sure data is secure. 

And in terms of the biometric templates, what we use is blockchain, so we never store a biometric template of a person in a single place. It is always distributed across the network. If somebody manages to hack it or whatever, you could only get a small, unusable part of someone’s template. It can’t be reverse-engineered.

@AuManufacturing: You deal with a lot of clients in sensitive areas with highly-sensitive access requirements. Do you just assume that biometric data is a target for cyber-criminals? 

Abbas Bigdeli: I think that’s sort of a given. The biggest problem with biometrics is that once something is compromised – with a passport, with a fob or card or whatever, or an RSA card, you can always replace or reset. With biometrics, if it’s compromised you can’t change your face to create a new biometrics template. Or you can’t change your fingerprint or your iris. So the security of the biometric template has to be number one when it comes to these systems. 

And that’s for all customers. At the moment we have a system in prison where inmates can use their biometrics to buy, say, a packet of chips or a can of soda from a vending machine. It might sound benign, but even in an example like that – if someone’s biometric identity is stolen and food can be taken by someone else out of a vending machine – that’s still a big deal. For a simple example, if someone took a photo and put that in front of a vending machine. 

What we have in that example is something to be able to detect that there’s a live person in front of that machine and, importantly, that it’s only one person. So we have another camera.  

If someone steals biometric data, there’s no way to recover from it. And so we believe it can be a target for cyber-attacks.

Another part of this is deep fakes and AR. If you had someone’s biometric template, you could make a face that would match it. So basically we feel that technology has to and will advance on both sides – for security and for imposters. And so everything we do has to be airtight, for example by using blockchain and making sure we never store things in a single place in case there is an attempt to compromise what we make. 

@AuManufacturing: Is it hard for a business like yours to find the talent needed for making high-tech access systems?

Abbas Bigdeli: We are probably at the forefront globally, but at the end of the day, scale is also important. So maybe the biggest issue – and it’s true with a lot of other things – is scale. We might have the talent to do something small, but on a global scale we probably don’t have a lot of depth to scale up and compete with some of these larger players. From an Australian industry point of view, we might struggle to do that.

Featured picture via Other two images supplied by Aervision.

@AuManufacturing’s Cybersecurity – Identity and Access Management series is brought to you through the support of Thales Cloud Protection & Licensing (CPL).
