Synergy A FAQ's
SynergyHow many of the proposed finger readers have been deployed by your company and how many are globally deployed? Thousands have been deployed worldwide How does the finger match process is performed? Inside the algorithm. Binary matching What is the algorithm used to identify a finger? Manufacturers own intellectual property. What is it called? Suprema What is the finger acquisition rate over time? (#/x second) Less than 1 second What is the Vendor True Identification Rate? FP Identification < 1 Sec What are the guaranteed error rates? (False non-match rate (FNMR), false match rate (FMR) FAR< 0.001% / < 0.1% Are the error rates applicable with the same error rate (tested this?) for different genders and skin colour? Used worldwide but not tested formally on all skin colours May not work well in other regions. Could it trigger false acceptance? We have not experienced any specific issues globally with regards to this. Designed against GDPR and CCPA requirements? Yes, no image is stored on the unit - instead, an algorithm is stored. The algorithm cannot be turned into an image Does the technology include deep learning, AI or machine learning? If yes, what is the dataset used to train the algorithm? No How does the system handle ageing? Ageing will not influence the performance, but the system has been designed for adults and not children If there is ever an issue with identification then the employee can easily re-enroll their finger on any of the devices across the network. How does the reader protect (encrypts and hashes) the finger signature? Template is a binary data that can be decrypted only by our proprietary algorithm. There is no standard encryption algorithm that is used How is finger signature data stored? It's stored as text (an algorithm) that can't be turned into an image. Stored as Binary data How does the reader protect (encrypts and hashes) the finger picture? No image is stored How does an employee know that when a clock-in is accepted then he/she is recognized and not someone else? The employee name appears on the screen on recognition How can the finger signature data be downloaded from the reader? The templates can be download by an authorised user from USB or back-end software
Synergy Workforce - further details on data protection
Synergy Workforce only hold employee's name, number and their encrypted template, no photos or personal information. An authorized user can download templates say if a device is damaged and needs to be replaced quickly but the templates are still stored encrypted and cannot be used for any other purpose How is mistaken identity i.e. false positives and false negatives are handled? By an authorized administrator on the back-end software How if the error is not recognized in the first place? Retroactive investigation? What is the back-end software that manages the appliance, etc? Logs can only be interpreted by the manufacturers. Error handling is to re-enrol both employees. A false match will give the wrong name to inform the employee, they should inform their HR. What data is sent from the finger reader to the T&A server? Binary data. What are the data elements? Employee number, finger data, admin or employee flag, AC or T&A flag. How is the data stored and encrypted on the server? Finger data is not encrypted while stored in SQL database. It is stored same as binary data received Can logs be forwarded from the finger reader and the T&A server to an external system? If logs mean records then yes, you can export the record to a txt file and transfer it to the external system. What log formats are supported? Text Log formats such as SYSLOG, local CSV, local XML? ASCII How is the finger reader appliance protected against tampering? Only the admin can enter the system setting to modify users. Normally users cannot modify any settings. Also, records can only be deleted. Adding or modifying is not allowed in any way. How is the finger reader appliance communicating with the T&A application server? Through Webservice Https protocol What is the operating system of the finger reader appliance? Linux How frequently the finger reader appliance is updated to address new security vulnerabilities? Around once a year when new FW is released How are the critical updates pushed out? Driven by the new features and bug fixes. Auto download. Synel application is pushing the update. Are there any open source components used in the finger reader appliance? No open source code on Finger recognition How are the finger reader and the T&A application software updated? Device can be upgraded by USB or via network communication Synergy workforce - updates can be pushed by administrator directly from the server to the devices How are you enrolling employees into the finger reader? Administrator with Menu security code can enrol employees on the finger device How frequently data is synched, how transmission is secured, how data conflict is managed, etc? All data is synched to SQL DB. SQL DB is synched back to the slave terminals. Relationships can be defined. Once a day or a few times a day or manually sync. Only stores the latest data. Duplicate enrolment deletes the first data set and uses the second one. Is Multi Factor Authentication available for finger reader and the server access control? Synergy A supports Finger, card, Pin, Id and Finger, Card and finger (dual authentication) What role groups exist in the T&A application and database? Admin, enrolment user (HR), security or log reader, etc.? Software allows creating unlimited software role groups with permissions like deny, read only, and read/write for each screens, menu, and sub menu items within GUI SQL Database defined with various roles such as db_owner, db_securityadmin, db_accessadmin, etc... The only people with access to SQL are the Synel Admin team and we are all DB Admin group, The Services use a DBO account What is the front-end of the T&A application? Web Application called Synergy Workforce How is data stored in the T&A database? On SQL Server, data is stored in data files with .MDF extension and logs stored with .LDF extension. How is data segregated between customers? Separate SQL database per customer on TLW
PEN Testing
Clocks have been through considerable testing. Synergy Clocks use stateful packet inspection firewalls and have been tested with nmap commands to make sure only appropriate ports are open. Both Java and SGA applications communicate through HTTPS and the X509 certificates are stored in root key stores on the device to ensure only valid certificates with proper signing are used to initiate communication from the device. The clock has a service port for SSH access using ECDH 25519 algorithms with AES 256 Bit Symmetric Keys. Device supports SSH access with Username and Password but can also be configured with Multifactor Authentication. (Signed Key, Plus, Username and Password). This is a single function device with limited attack vectors because it is only using 1 primary application talking to a key signed end point application or middleware. The iptables stateful packet inspection firewall prevents unsolicited packets from egressing into the clock thus UDP amplification attacks will not work. Can any Synel device/ terminal enable backdoor access to the network (by proxy) Technically this is feasible as the clock does contain SSH access for troubleshooting purposes, however, this can be mitigated with Multifactor Authentication of SSH connections and good password policies regarding SSH access, and using the iptables to limit the IP Domain of SSH Connections all of which are available on the clock. So long as SSH access credentials and access are controlled this should not be a problem. Further, SSH Access could be disabled by default and only be turned on by middleware or the server when appropriate, thus preventing backdoor access all together. However, in practice this delays troubleshooting activities and can cause conditions where troubleshooting becomes ineffective due to the delays. It is often best practice to utilize access control and SSH credential best practices. What are the security features both physical and digital/cyber designed into Synergy Finger devices? Locking back plate. Digital: Iptables/ stateful inspection firewall. Encrypted EMMC . (See Above) Are the devices PEN tested? Yes, nmap is what is used primarily. If so, what were the results? Passed. The Clock is used by the United States Government, Coast Guard System. Device is FedRAMP Level 1 compliant. FIPS 140-2 compliant. When was the last hardware test executed and can you provide a summary of the risks by severity/subsequent mitigation activity? Feb 2020, we are running a version of QT that includes the ability to play sound files for which there was a port on the device that was open for it. This port was only accessible to LAN connections and only if the stateful firewall were removed. Sometimes customers or end users may disable the firewall for troubleshooting purposes and not turn it back on, normally the firewall will auto engage at the next reboot, but if the clock isn't rebooted and the customer forgets it can be a vector in concept. Our mitigation was to configure the QT library not to allow this feature. We have passed the Pen Test of the United States Coast Guard, Target Stores, Wal-Mart Stores, H&M stores, Coca-Cola bottlers, etc... All sensitive data must be encrypted in transit between components and at rest, whether it's on the physical device or on the Synel cloud solution hosting the data, please can you confirm this is in place? The templates are encrypted when the clock is at rest, The templates and data are also encrypted in transit using SSL. TLS 1.2 support. All template Data is encoded with base64 and encrypted on the device using minimal AES 128 encryption. Template Data is non reversible vector data. It is Hashed Vector Math not actual photos or finger images. These Maths are then encoded with base64 and further encrypted on the device and there is no way to reverse a Math back to the original image. What business continuity controls are implemented to ensure maximum Synel Middleware upkeep? Synel UK is a decentralised organisation with respect to all critical functions. In terms of business continuity Core systems relating to solution, support and commercial are cloud hosted with built in resilience, accessed 24/7 365 by all authorised and appropriate employees. We have operated with decentralised employees already working around the UK, these include, Software support, Implementation, Hardware support and sales functions. This model has been well proven during the recent pandemic. Does Synel have a logging and monitoring capability that traces admin account changes/detect system failures and data breaches ? There are system logs that log access through SSH, Application Detail Logs as well as other system logs that monitor for failure conditions on the clock. Are Synel hosted systems regularly underdoing vulnerability scanning to identify system weakness? Individual clients perform penetration testing on the hosted system. Synel will perform this on an annual basis from 2021 Does the biometric device enforce strong authentication & encryption for wireless traffic? Synel uses WPA2 PSK or WPA2 Enterprise with SSL certificate. 802.1X standard implementations Data flow diagram