profit centers are in services, not hardware and software sales.”
“So basically we’re cops who are going to break into the mayor’s office so that he keeps putting cops on the city payroll.”
“Or, ideally, hires even more. Anyway, that’s why I wanted to talk to you about the next Red Team attack. Where are we on the PassPrint program?”
Watson was referring to the CloudServe research program Fung was heading up, using AI to create a master “passkey” of AI-generated fingerprints.
In theory, every human fingerprint was unique, and in theory, only the human possessing the unique fingerprint could pass through a biometric screener. The intelligence community had fully embraced biometric security, and their fingerprint scanners were top-drawer.
However, a couple flaws existed in every biometric scanner, even the high-dollar ones favored by the federal government, including the one on Watson’s desk.
Just like computer virus scanners, fingerprint scanners worked by comparing data inputs—a finger placed on a screen now compared against a known database of fingerprints. If the new scan matched the prints on record, entrance was granted.
The problem was that most people didn’t provide complete fingerprint scans for the database for all kinds of reasons, most of them human error, such as oily fingers or dirty recording glass. The same was true on the other end, too: Oily fingers and dirty scanner glass on security machines read only partial prints.
Therefore, all biometric scanners were only able to compare partial prints to partial prints.
It also turned out that while every complete human fingerprint was unique, portions of every fingerprint—arches, tents, whorls—were startlingly similar.
The Red Team decided to try to exploit these flaws by designing an AI-driven program that built millions of fake fingerprints into a single master passkey, not unlike the ones maids used to enter hotel rooms, even though each door lock had a unique passcode. By generating enough digital arches, tents, and whorls, the PassPrint passkey would display enough fingerprint similarities to fool any biometric system.
“I just ran the last of the simulations last night,” Fung said. He smiled. “I think we have a winner on our hands.”
“That’s fantastic. Because I think I know the perfect way to deploy it.”
21
Deploy the PassPrint how?” Fung asked.
“When I was at the Fort Meade conference with Foley, there was an analyst, Steve Hilton. Very quiet, very smart. He’s the IT director at the Department of the Treasury’s Office of Intelligence and Analysis. We struck up a conversation over coffee and he happened to mention his department needed a new printer, but there was some snafu in the paperwork and it wouldn’t arrive for another two weeks.”
Fung shrugged, irritated. Is there a point to your stupid story? “Okay.”
“I want to put a worm on his wireless printer that will jump from there to his computer.”
“How? The Feds have bulletproofed their wireless devices.” Fung frowned. “But you already know that.”
Watson accepted the compliment with her own shy smile.
In her first meetings with Foley and the IC Cloud committee, Watson pointed out the unbelievable fact that throughout the federal government there was no comprehensive program in place to ensure that civilian or military systems didn’t contain integrated circuits with malicious functionality. American combat jets could be firing missiles at Chinese fighters with microchips designed by the PLA—and designed to fail. These malicious integrated circuits, if they existed, could be installed anywhere, including combat systems, medical devices, communication networks, and, of course, the computers used throughout the intelligence community.
As seemingly insurmountable as that problem was, Watson was even more concerned about the fact that there were literally millions of devices throughout federal government offices with the potential for spying applications.
The federal government didn’t manufacture the everyday devices required to run a modern office. Printers, phones, computer monitors, HVAC thermostats, and other commercial off-the-shelf (COTS) devices were manufactured and distributed by thousands of private vendors. Many, if not most, were not only manufactured overseas, but contained software or firmware created without any kind of security protocols.
Worse, most of these machines were created to function wirelessly, not only for automated “machine-to-machine” software and firmware updates, but also for energy and work efficiencies.
Globally, the so-called Internet of Things (IoT) comprised more than twenty billion devices, and that number increased exponentially each year. Millions were already in operation in the United States. Many of these IoT devices might already be compromised by foreign actors with bad intent.
Watson had no solution to the first problem of compromised integrated circuits; she learned later that DARPA was launching the TRUST in integrated circuits program to address