Are biometrics the backbone of personal security in smart cities?


By: Alexander Migutsky, Advanced Technologies Specialist, Positive Technologies
Alexandra Murzina, Head of Advanced Technologies Department, Positive Technologies

What makes smart cities so fascinating is the level of personalization the ecosystem promises across essential daily staples including work, transport, payments, and complete control over applications at home.

With immeasurable IoT applications and effective use of big data analytics, smart cities will emerge a phenomenon that seeks to make us question how we ever managed to operate any other way.

Achieving this level of personalization won’t be easy though. A larger interconnected network requires paths to identify users so they can tailor their experiences to themselves. Whether it be biometric ID cards or authentication portals, users should be able to authenticate themselves and connect to networks using their personal information.

Biometrics are widely used in enterprise security, access control, and banking operations, with facial recognition and fingerprint authentication systems now commonplace in companies, subways, stores, and restaurants.

The demand for biometric technologies is being driven, among other things, by the increasing adoption of biometric systems in the automotive and consumer electronics industries.

But are biometrics geared to provide comprehensive support to smart city infrastructure?

According to Fortune Business Insights, the global biometric system market size is projected to reach USD 76.70 billion by 2029.

However, there are still safety concerns about how these systems operate and make decisions; questions arise – Exactly how safe are these systems? How do they work under the hood, how do they make decisions?

Positive Technologies’ in-house team of cybersecurity experts conducted a white hat investigation focusing on physical and cyber threats to machine learning systems, including attacks that aim to compromise system confidentiality and obtain data.

The goal of the investigation was to discover gaps within biometric security systems leading up to their inevitable integration into smart infrastructure. We hope that our findings can shed some much needed light upon how the industry can collectively ensure seamless connectivity and functionality within biometric authentication systems supporting smart infrastructure.

During our investigation, we took apart two biometric devices and examined their internal electronics.

Device 1

The first device is expensive and uses advanced technology with the latest biometric algorithms. It has a depth camera, two conventional cameras, and an IR dot projector. A depth camera uses a combination of technologies to obtain depth information, increasing the reliability of the biometric system, which means attackers would need to know the user’s face geometry and have the ability to recreate it. Naturally, a device with such technology is used in access control systems at airports worldwide. Such a device is bound to be a staple of central transportation hubs in smart cities. So, how reliable is the device really?

During testing, we discovered that the device has liveness detection to identify whether the biometric source is real. The cameras capture the image, which is then received by deep neural networks for processing.

We found vulnerabilities in the system, particularly through remote code execution (RCE) attacks, which allowed us to extract machine learning models and user vectors to recreate the biometric authentication algorithm. We attempted to restore a user’s face from the representation hidden in the database.

Although we had a shot at carrying out a successful attack, there was probably a lot of optical distortion in real conditions, due to which we lost some points.

Security analysis:

  1. Developers did not use depth camera data for authentication which allowed us to circumvent the authorization algorithm.
  2. The algorithmic assessment failed when we attempted to generate an artificial face matching a real person’s biometric pattern, but attackers could potentially succeed with more time.

Device 2

The second device we studied was a biometric terminal for tracking employees’ work hours – crucial to supporting enterprise workforces within smart cities. It wasn’t as advanced as the first device as it lacked CUDA cores for complex neural networks. However, it used machine learning algorithms from the 2010s and had two cameras: one conventional and one infrared for biometric authentication.

The infrared camera is the key feature of the terminal. It captures invisible details, making it difficult to trick the system. The terminal uses a cascade classifier, 15 Gabor filters, and an algorithm for local binary patterns in the infrared range to detect and analyze facial features. Although it has some vulnerabilities, such as recognizing the same user with and without glasses as different people, the combination of technologies provides decent defense against attacks.

Security analysis: The biometric terminal is less flexible than the first device because it uses only the infrared range and classic algorithms. Nonetheless, this design makes it more resistant to attacks.


Having studied biometric access control terminals that use different algorithms, we discovered that the terminal with neural networks is flexible and can authenticate users wearing masks, helmets, or makeup, but it can be hacked through considerably antiquated mirroring tactics.

The terminal using classic machine learning algorithms is more resistant to illegal authentication attempts. However, both terminals are vulnerable to remote code execution attacks.

Our recommendations for developers looking to strengthen biometric device security include:

  1. Using data from the depth sensor to distinguish between individuals.
  2. Conducting independent device audits.
  3. Collaborating with security researchers and be open to receiving help.

Developing devices for smart city infrastructure is a complex process that requires experts conducting diligent trial and error routines to ensure frictionless operational capacity across the grid.

Even highly skilled teams can make mistakes, leading to vulnerabilities in the final product. Being open to feedback from real users and experts are key to optimizing biometric applications within smart infrastructure.

By eliminating passwords and PINs, biometric authentication provides a disruptive step in the field of cybersecurity and alleviates concerns around the security of copious amounts of data needed in a hyper-connected ecosystem.

While designing IoT applications for smart cities, biometrics are the ideal solution to achieving personalization and privacy backed by seamless authentication, provided the machinery involved is treated with a pristine level of care and pressure testing.