Cybersecurity – Identity and access management: creating identification machines based on biometrics
For the past two weeks, our Cybersecurity – Identity and Access Management series has looked at cybersecurity threats to manufacturers, why they should take them seriously, and how they can counter them. For the final entry, we’ll hear from a manufacturer responsible for other people’s security and access management, and how they go about protecting highly sensitive and highly personal data.
AerVision Technologies was formed by researchers from a disbanded NICTA Brisbane lab (now part of CSIRO), who worked on a "safeguarding Australia" theme focused on national security.
Founded in 2013, the company has worked on a variety of security-related projects, applying artificial intelligence and machine learning to biometrics, crowd analysis and other challenges.
In 2020, it launched a project supported by the Advanced Manufacturing Growth Centre (AMGC) to commercialize palm-vein scanning machines for building access. The project – in collaboration with Design + Industry, Circuitwise Electronics Manufacturing and Deakin University – quickly pivoted due to the pandemic, incorporating temperature scanning and contactless functionality. It currently offers palm-vein, face, iris and card identification for users.
@AuManufacturing spoke to Dr. Abbas Bigdeli, CEO and Co-Founder of AerVision, about developing products that work from a user’s stored biometric data, the sensitivity of handling that data, and the layers of security used to protect it.
@AuManufacturing: Please tell us about the progress of your AerAccess product (pictured below) since our last conversation about a year ago.
Abbas Bigdeli: We’ve gone through seven iterations of this device. The AMGC grant helped us with the design and prototyping and we made seven different prototypes. In the end, we opted for a design that met all our requirements. And we installed a machine on the site of our first customer.
They talk about reproducing it on all their sites. They have a location in Melbourne, but overall they have around 400 gateways at different locations. That hasn’t happened yet, and that’s with management. Since then we have worked with a number of other potential clients.
Another main company is a logistics company, so they can have their drivers verified and connected. Because one of the key issues isn’t just temperature or ID, but one issue they have is drivers switching on their roster days. And this is one of the main causes of accidents, because of fatigue.
So the only way for companies to monitor and avoid this is through biometrics. Currently, a PIN or card can be forged.
At the same time, we launched a major call for tenders with Queensland Corrective Services, again using our AerAccess machine. We’ll see what happens. As an Australian manufacturer we feel we have put together a very strong case as everything else is made overseas and lacks our collection of features.
Apart from that, we find a lot of customers who, due to Covid, do not have the certainty to invest and upgrade their systems. On the other hand, we have supply chain issues with electronics, which affect everyone. We have a delivery from mainland China that was supposed to arrive in October but is not there yet, for example, and we have just been told that it is due in March.
@AuManufacturing: You mentioned the seventh version of AerAccess. Is it more or less over?
Abbas Bigdeli: Yes, more or less finished. With manufacturing, we wanted it to be as modular as possible, to customize it for users – whether it’s form factor, shape, color, etc. – which is basically a key advantage over our competitors. But also profitable.
@AuManufacturing: What information security considerations do you work with when designing a product like this?
Abbas Bigdeli: We have three layers of information security to manage for any biometric access control system.
One is the integrity of what we call the biometric template. Because you need to capture a user model. The integrity of this information is therefore very important – where it is stored, how it is stored and how it is linked to the person, because it is personal information.
The other is communications security. Because these devices deal with a back-end. So any data transaction with the device, player, and backend is a consideration.
And then the third thing is the security of the device itself.
The way we approached those three layers is that with the device, what we did by design is to include a tamper switch. So we have an electromechanical mechanism inside where it will detect any tampering – if someone wants to take it off the wall or open it up, plug in a USB drive or cable, any type of tampering, basically – it will destroy any information it contains. It basically self-destructs.
The other thing is that for communications, we follow all available standards to ensure that the data is secure.
And regarding biometric templates, what we use is blockchain, so we never store a biometric template of a person in one place. It is always distributed over the network. If someone manages to hack it or whatever, you will only be able to get a small unusable part of someone’s model. It cannot be reverse engineered.
@AuManufacturing: You deal with many customers in sensitive areas with very sensitive access requirements. Do you just assume that biometrics data is a target for cybercriminals?
Abbas Bigdeli: I think it’s kind of a given. The biggest problem with biometrics is that once something is compromised – with a passport, with a key fob or a card or whatever, or an RSA card, you can always replace or reset. With biometrics, if it’s compromised, you can’t change your face to create a new biometrics template. Or you can’t change your fingerprint or iris. The security of the biometric template must therefore be number one when it comes to these systems.
And that’s for all customers. Right now we have a system in prison that allows inmates to use their biometrics to buy, say, a packet of chips or a can of soda from a vending machine. It might sound benign, but even in an example like that – if someone’s biometric identity is stolen and the food can be taken by someone else from a vending machine – it’s still a big problem. For a simple example, if someone takes a picture and puts it in front of a vending machine.
What we have in this example is something that allows us to detect that there is a living person in front of this machine and, above all, that it is only one person. So we have another camera.
If someone steals biometric data, there is no way to recover. And so we think it can be a target for cyber attacks.
Another part of that is deep fakes and augmented reality. If you had someone’s biometric template, you could create a face that would match them. So basically we believe that technology must and will progress on both sides – for security and for imposters. And so everything we do has to be airtight, like using blockchain and making sure we never store things in the same place in case there’s an attempt to compromise what we’re doing.
@AuManufacturing: Is it difficult for a company like yours to find the talent needed to manufacture high-tech access systems?
Abbas Bigdeli: We’re probably at the forefront globally, but at the end of the day, scale matters too. So perhaps the biggest issue – and this is true for many other things – is scale. We might have the talent to do something small, but on a global scale, we probably don’t have a lot of depth to grow and compete with some of these big players. From an Australian industry perspective, we might struggle to do that.
Featured image via imageware.io. Two other images provided by AerVision.
@AuManufacturing’s Cybersecurity – Identity and Access Management series is brought to you through the support of Thales Cloud Protection and Licensing (CPL).