FBI Software For Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say

schwit1 shares an exclusive report via BuzzFeed: The fingerprint-analysis software used by the FBI and more than 18,000 other U.S. law enforcement agencies contains code created by a Russian firm with close ties to the Kremlin, according to documents and two whistleblowers. The allegations raise concerns that Russian hackers could gain backdoor access to sensitive biometric information on millions of Americans, or even compromise wider national security and law enforcement computer systems. The Russian code was inserted into the fingerprint-analysis software by a French company, said the two whistleblowers, who are former employees of that company. The firm -- then a subsidiary of the massive Paris-based conglomerate Safran -- deliberately concealed from the FBI the fact that it had purchased the Russian code in a secret deal, they said. The Russian company whose code ended up in the FBI's fingerprint-analysis software has Kremlin connections that should raise similar national security concerns, said the whistleblowers, both French nationals who worked in Russia. The Russian company, Papillon AO, boasts in its own publications about its close cooperation with various Russian ministries as well as the Federal Security Service -- the intelligence agency known as the FSB that is a successor of the Soviet-era KGB and has been implicated in other hacks of U.S. targets.

Cybersecurity experts said the danger of using the Russian-made code couldn't be assessed without examining the code itself. But "the fact that there were connections to the FSB would make me nervous to use this software," said Tim Evans, who worked as director of operational policy for the National Security Agency's elite cyberintelligence unit known as Tailored Access Operations and now helps run the cybersecurity firm Adlumin. The FBI's overhaul of its fingerprint-recognition technology, unveiled in 2011, was part of a larger initiative known as Next Generation Identification to expand the bureau's use of biometrics, including face- and iris-recognition technology. The TSA also relies on the FBI fingerprint database.

This is getting ridiculous

[sgage]

This anti-Russia hysteria is really jumping the shark about now. A Russian company makes biometric software. Naturally, being Russian, they have 'close ties to the Kremlin', and are no doubt putting in nefarious backdoors to purloin the biometric data of unsuspecting Americans. Because, you know, Russia.

This is worse than the Kaspersky stupidity, which is saying something.

Re:This is getting ridiculous

[hcs_$reboot]

Absolutely. They should worry at least as much about all the stuff made in China (and there is a lot).

Re:This is getting ridiculous

[fyzikapan]

Sure, except Russia actually is an autocratic state that crushes free expression within its borders, invades its neighbors, murders political rivals, and actively tries to interfere with and destabilize other countries.

Re:This is getting ridiculous

So exactly like 80% of the countries on the planet?

Re:This is getting ridiculous

[Bert64]

A russian company makes software for analyzing fingerprints...

The FBI have a need to analyze fingerprints, which makes sense given the nature of the organization.
The FSB performs similar roles to the FBI, and thus they have similar requirements.

It makes sense that this company would try to sell their software to as many potential customers as possible. Chances are they are at least trying to sell it to law enforcement and intelligence services in all manner of other countries too.

You just have to do your own sensible due diligence during the procurement process. Insist on buildable sourcecode, thoroughly review what the code does and what else it tries to interact with. If you detect anything nefarious or the company refuses to provide full buildable source, don't do business with them.

Re:This is getting ridiculous

Just like the United States of America ...

Re:This is getting ridiculous

[Gavagai80]

The left wing isn't anti-Russia at all, only the center (Clinton) wing. His pro-Russia agenda was the only thing I liked about Trump, and it stood in clear contrast to Clinton's desire to create a new cold war and portray herself as the next Ronald Reagan. The left wing has always been against ballooning military spending and pointless international antagonism/interference.

Analyze the code...

[Bert64]

Just because code is written by russians with connections to the FSB doesn't mean it's necessarily bad...

The fact that russians wrote or at some point had access to the code doesn't automatically give them access to data that the code is later processing, unless there are backdoor in the code allowing them to gain access and there aren't some other mitigating factors (network filters, airgap etc) which prevent them from accessing the backdoor.

Considering that the code analyzes fingerprints, who would have a need for such code? Chances are the FSB need to analyze fingerprints in much the same way the FBI do. It makes sense to collaborate with others who have similar requirements, as this will decrease your development costs. You just need to check the code thoroughly to ensure it works as you want it to. The russians will be doing their own checks during collaborative development, as they will be equally concerned that some of the code was written by people connected to the FBI.

The key point is understanding what your doing, and understanding what code you're running. Who wrote it doesn't matter, so long as it does the job it's supposed to.

Plus consider this, if the FSB wanted to get malicious code onto an american system they would go to great lengths to disguise the origin of the code, which doesn't seem to be the case here.