Two whistleblowers from French aerospace and defense conglomerate Safran SA have revealed that the company bought computer code from a Russian company with connections to the Kremlin, incorporated the code into their own fingerprint recognition software, and sold their product to the Federal Bureau of Investigation — without disclosing the presence of the Russian-made code to the FBI. Analysts are concerned that the code could provide a backdoor for Kremlin-backed hackers to steal biometric data, a potential problem compounded by the fact that over 18,000 other law enforcement agencies in the US, including the TSA, rely on the FBI’s fingerprint database.
The Russian company in question, Papillon AO, has openly advertised its ties with numerous Russian ministries, as well as Russia’s Federal Security Service (FSB), the intelligence agency that is the successor to the Soviet-era’s KGB. The FSB has also been implicated in recent hacks made against US targets.
In 2011, the FBI unveiled what they called "Next Generation Identification", an initiative being implemented through Lockheed Martin, aimed at expanding the FBI’s use of biometric data, including face and iris-recognition technology. Safran’s subsidiary Sagem Sécurité (later renamed Morpho) obtained a license to use Papillon’s software and incorporated the code into its own fingerprint-recognition software to boost its performance, in an effort to increase its chances of winning the lucrative FBI contract. In 2009 Morpho won the bid, and Lockheed Martin rolled out the Bureau’s new systems.
Safran’s 3.8 million euro license with Papillon stipulates that to Papillon’s knowledge its software doesn’t contain any "undisclosed ‘back door,’ ‘time bomb,’ ‘drop dead,’ or other software routine designed to disable the software automatically with the passage of time or under the positive control of any person" or any "virus, ‘Trojan horse,’ ‘worm,’ or other software routines or hardware components designed to permit unauthorized access, to disable, erase, or otherwise harm the software, hardware, or data."
The FBI has stated: "As is typical for all commercial software that we operate, appropriate security reviews were completed prior to operational deployment." But cybersecurity experts like Timothy Evans, VP of cybersecurity company Adlumin, remain skeptical. Evans, a retired colonel formerly in charge of the NSA’s 175th Network Warfare Squadron, says that without being able to analyze the software directly, it is difficult to determine whether or not the Russian-made code presents any danger. "The fact that there were connections to the FSB would make me nervous to use this software," cautions Evans.