Exploit the Leak: Understanding Risks in Biometric Matchers

TL;DR

This paper analyzes how biometric matchers can leak sensitive information through distance computations, highlighting risks and attack scenarios that threaten privacy in biometric systems.

Contribution

It provides a comprehensive catalog of leakage scenarios and quantifies their security impacts, advancing understanding of privacy risks in biometric matchers.

Findings

Leakage can occur through side channel attacks and weak privacy-preserving distances.

Different scenarios pose varying levels of privacy risk and attack complexity.

Quantitative analysis of attack costs enhances security assessment.

Abstract

In a biometric authentication or identification system, the matcher compares a stored and a fresh template to determine whether there is a match. This assessment is based on both a similarity score and a predefined threshold. For better compliance with privacy legislation, the matcher can be built upon a privacy-preserving distance. Beyond the binary output (`yes' or `no'), most schemes may perform more precise computations, e.g., the value of the distance. Such precise information is prone to leakage even when not returned by the system. This can occur due to a malware infection or the use of a weakly privacy-preserving distance, exemplified by side channel attacks or partially obfuscated designs. This paper provides an analysis of information leakage during distance evaluation. We provide a catalog of information leakage scenarios with their impacts on data privacy. Each scenario gives rise to unique attacks with impacts quantified in terms of computational costs, thereby providing a better understanding of the security level.