
Biometric Recognition System for Secure and Private Internet of Things Usage

‘BLOcKeR’ Uses Hardware Obfuscation to Restrict Access and Operation of Critical Device Hardware Without Biometric Verification

This biometric recognition system secures Internet of Things (IoT) devices, safeguarding users’ sensitive biometric data against common attacks. Soon, billions of devices will be electronically connected to the IoT. The IoT enables users to connect to the Internet across many devices, such as smart homes, cars, IoT wearables, and mobile devices, allowing them to take full advantage of their services and the data they generate. However, with the growing use of these connected devices, users must maintain and secure the IoT devices.

 

Internet of Things-enabled devices are especially vulnerable to supplying fraudulent data unless stringent protocols are employed to verify the user's identity. With billions of IoT endpoints, traditional forms of access control, such as passwords, are feasible. However, a strong password is difficult to remember and employ for various devices. Dongles and smart cards have become popular alternatives for strong passwords, but theft and misuse threaten their use. Biometric recognition, a scheme for identifying people based on fingerprints or other specific traits about their physical appearance, is a compelling solution for verifying the users of IoT devices. However, a usable biometric recognition system must incorporate protection from attempts to steal the biometric information previously stored and authorized by the system, as well as attempts to use biometric information stolen from other systems to gain access. There is a need for low-cost access control schemes that allow humans to activate and maintain IoT services and systems.

 

Researchers at the University of Florida have developed a biometric recognition system, BLOcKeR, safeguarded by two hardware security mechanisms: physically unclonable functions (PUFs) and hardware obfuscation. This system fingerprints each IoT device using PUFs, so authorized biometric information only works to unlock the device it was collected on. It also employs hardware obfuscation to turn off the components that process raw biometric data into a mathematical identifier (a template) and then match it to those in the database of authorized templates, ensuring no access to the sensitive database without the proper biometric information.

 

Application

Biometric identification for internet-of-things devices, secured from common attacks such as template theft by hardware obfuscation and physically unclonable functions

 

Advantages

  • The user’s biometric information is not collected in its raw form, preventing attacks aimed at stealing and misusing biometric information
  • Deploys physically unclonable functions to fingerprint the device or access point that the user is authorized for, preventing template hijacking attacks to gain entry to another database
  • Secures the system biometrically at every juncture, avoiding reliance on passwords that are forgotten or easily guessed

 

Technology

This biometric identification system incorporates security measures to safeguard its usage. In the context of biometric recognition, the circuits store, retrieve, and process biometric data in its raw form and protect the template of the authorized user. Hardware obfuscation achieves this by restricting the operation of these circuits unless a hardware key is present to unlock them.

In this biometric system, the key is derived from the user's biometric data, eliminating the need for passwords. As a result, the system does not retrieve or process authorized templates from the database unless presented with the correct biometric data. Since the retrieval and processing steps are sensitive to attacks, locking these steps with hardware obfuscation enhances the system’s security. The system also uses physically unclonable functions (PUFs): characteristic defects of an electronic circuit that are created by subtleties of the manufacturing process and are impossible to reproduce. These defects allow PUFs to distinguish one device from another, and this system harnesses that distinguishability to irrevocably link authorized biometric data to the device it was collected on, preventing misuse of biometric data across devices.
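The device-binding property described above can be modeled in software; the following is an added illustration, not BLOcKeR's design or code. It assumes a random per-device secret in place of a real PUF response, HMAC-SHA256 as the key derivation, and noise-free biometric features (real readings vary between captures and need error-tolerant key derivation); the `Device` class and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets


class Device:
    """Software model of one IoT device (hypothetical, for illustration)."""

    def __init__(self):
        # Assumption: a random per-device secret stands in for the PUF response.
        self._puf = secrets.token_bytes(32)
        self.record = None  # (key_check, sealed_template), written at enrollment

    def _key(self, features: bytes) -> bytes:
        # The key depends on BOTH the biometric features and this device's PUF.
        return hmac.new(self._puf, features, hashlib.sha256).digest()

    @staticmethod
    def _xor(key: bytes, data: bytes) -> bytes:
        # Keystream derived from the key; models the locked template storage.
        stream = hashlib.shake_256(key + b"seal").digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def enroll(self, features: bytes, template: bytes) -> None:
        key = self._key(features)
        check = hashlib.sha256(key + b"check").digest()
        self.record = (check, self._xor(key, template))

    def unlock(self, features: bytes):
        """Return the template if the derived key unlocks the record, else None."""
        if self.record is None:
            return None
        check, sealed = self.record
        key = self._key(features)
        if not hmac.compare_digest(check, hashlib.sha256(key + b"check").digest()):
            return None  # retrieval stays locked; the template is never exposed
        return self._xor(key, sealed)


def demo():
    alice = b"constructed-features-alice"      # constructed sample input
    mallory = b"constructed-features-mallory"  # constructed sample input
    home, other = Device(), Device()
    home.enroll(alice, b"alice-template")
    other.record = home.record  # protected record copied to a different device
    return (home.unlock(alice), home.unlock(mallory), other.unlock(alice))
```

`demo()` returns the template only for the enrolled user on the enrolling device; the copied record yields nothing on the second device because its PUF stand-in produces a different key.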

 

Patent Information:
App Type: ORD/UTIL
Patent No.: 11,989,273
Patent Status: Issued