Biometrics

Weaknesses in Biometric-based general security

Summary

Biometric security concepts are based on a biological element (fingerprint, retina scan, face recognition, voice recognition etc.) ideally unique to the specific consumer and non-transferable. Biometric security has both security and transactional weaknesses as well as a significant infrastructure expense and social concerns.

Transactional & Security Weakness

The end result of a biological scan is generally a digital data stream that is transmitted to storage on a consumer’s device, a merchant system device, or some large reference repository. Transmission and storage may be encrypted.

Scanner

If the biological scanner is at the merchant facility, then only card-present transactions may be processed. If the biological scanner is part of the consumer’s equipment (i.e. in their smart phone), then someone else’s biological information could be prepared for use, and the biological scan would report someone other than the person presenting themselves, defeating the security concept.

Reference Source

The biological scan requires a reference for comparison. This means that the consumer’s biological element has to be on record someplace.

Reference – At Consumer: If the reference is internal to the consumer device, then a criminal, given someone else’s real biological element, could hack the consumer device to present a false sample and compare it to a prepared reference, thus defeating the security concept.
 

For example: At the store, Joe Criminal scans his own fingerprint using his own smartphone. It has been altered so that any fingerprint scan “confirms” that it belongs to Bill Smith, who is about to be a victim of identity theft.
 

Reference – Merchant: If a consumer-based reference is undesirable, the next step up might be reference at the purchase point. Do you really want your fingerprint (or voice print, retina scan) on file at a merchant? These are the same merchants who have been hacked, compromising the information for hundreds of millions of charge cards. This puts your biological information at risk and relies on the security of the weakest merchant.
 
Also consider that, regardless of someone’s actual biological element, the merchant’s record could be altered to someone else’s biological element. For example, Joe Criminal hacks the merchant database so that Joe’s face appears in Bill’s account. At checkout, Joe presents his face for “authentication”, Joe’s face is scanned, confirmed and the transaction takes place. Then Joe hacks the database again to restore Bill’s face.
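One defence against the record swap described above, as an added example that is not part of the original page: bind each stored reference template to its account with a keyed MAC and verify it before every match. The key name, record layout, and byte-string "templates" are constructed for illustration, and the example assumes the MAC key is kept outside the merchant database.

```python
import hashlib
import hmac

# Assumption: the MAC key is held by an enrollment service or HSM,
# not stored in the merchant database that holds the templates.
ENROLL_KEY = b"constructed-demo-key-not-for-production"


def seal(account_id: str, template: bytes, key: bytes = ENROLL_KEY) -> bytes:
    """Return a MAC binding a reference template to one account."""
    # Length-prefix the account id so bytes cannot be shifted across
    # the id/template boundary to produce the same MAC input.
    aid = account_id.encode()
    msg = len(aid).to_bytes(4, "big") + aid + template
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(account_id: str, record: dict, key: bytes = ENROLL_KEY) -> bool:
    """Check that the stored template still belongs to this account."""
    expected = seal(account_id, record["template"], key)
    return hmac.compare_digest(expected, record["mac"])


def enroll(db: dict, account_id: str, template: bytes) -> None:
    db[account_id] = {"template": template, "mac": seal(account_id, template)}


def demo() -> dict:
    # Constructed sample data: byte strings stand in for face templates.
    db = {}
    enroll(db, "bill", b"BILL-FACE-TEMPLATE")
    enroll(db, "joe", b"JOE-FACE-TEMPLATE")
    results = {"clean": verify("bill", db["bill"])}

    # Tamper 1: only the template field of Bill's record is overwritten.
    db["bill"]["template"] = db["joe"]["template"]
    results["template_swapped"] = verify("bill", db["bill"])

    # Tamper 2: Joe's whole record (template plus its valid MAC) is copied in.
    db["bill"] = dict(db["joe"])
    results["record_copied"] = verify("bill", db["bill"])
    return results


if __name__ == "__main__":
    print(demo())
```

The check fails in both tamper cases because the MAC covers the account identifier as well as the template. It does not reveal a record that was swapped and later restored, so verification failures have to be logged at transaction time.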

Reference – System: Even if merchant security is considered inadequate, storage of biological reference materials at a system level (such as a charge card provider) requires that the scanner be at the merchant. Several major compromises were based on hacks of the scanners themselves, so that when you put your finger on the store scanners a copy goes to the crook as well as the store.

Fingerprint Spoofing

We leave our fingerprints everywhere. Could someone get one and use it? A 9/23/2013 CNBC article cited a Reuters report that two prominent iPhone security experts believed that the Chaos Computer Club (CCC) from Germany had succeeded in defeating Apple’s Touch ID. Charlie Miller (one of those experts and co-author of iOS Hacker’s Handbook) described the work as “a complete break” of Touch ID security. “It certainly opens up a new possibility for attackers.” The hack was simple and effective.

First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi. Then the image is converted to black & white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi. To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material. The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use.

Source: the 9/21/2013 CCC report which includes a HowTo guide and 1m 01s video. There is a longer video. Starbug won the challenge. See also arstechnica article titled Defeating Apple’s Touch ID: It’s easier than you may think.

This is not CCC’s first foray into demonstrating fingerprint scanners can be compromised.

Berlin, Germany (presse@ccc.de, November 27, 2007) Biometrics experts of the German Chaos Computer Club (CCC) worked together with German TV magazine “PlusMinus” to demonstrate the ease of counterfeiting fingerprints. In front of running cameras, a fingerprint scanner installed at a supermarket checkout was deceived, charging the transaction to someone else’s account. The journalists of the TV magazine were able to trick the point-of-sale system with forged fingerprints after only a short tutorial from CCC experts, therefore refuting the claim of biometrics proponents and manufacturers that such a forgery scenario is only possible in a controlled environment such as a laboratory. Fingerprinting systems which are used in the new biometric passport and are planned to be deployed in the German ID-card, can be deceived with the most trivial methods and do not provide any mentionable security. Source [ highlighting ours -ed ]

Spoofing Update 5/25/2009

Improvements in fake finger technology using glycerin. Source: the book Formal to Practical Security: Papers Issued from the 2005-2008 French-Japanese Collaboration (Lecture Notes in Computer Science / Security and Cryptology).

Spoofing Update 9/11/2013

How a little girl compromised the iPhone 5S fingerprint scanner. Here is a full screen image. Humorous, but consider that the fingerprint was successfully obtained without the owner’s knowledge or consent. Thus, it was a successful compromise.

Spoofing Update October 2013

Despite a remote wipe, a stolen iPhone (iOS7) can still be hijacked, allowing the crook to take over ownership, set the PIN code, and access everything the original user thought was wiped. Worse, the original owner is locked out. Video 5m 52s

Spoofing Update April 2014

The fingerprint scanner of the Samsung Galaxy S5 was spoofed using the same wood glue replica left over from October 2013 when they were cracking the iPhone 5s. Source. A 2m 17s video by SRlabs shows how the Galaxy S5 fingerprint scanner was easily spoofed. See the article from PCMagazine.

Spoofing Update September 2014 iPhone6 TouchID Hacked, but don’t worry.

“With the introduction of Apple Pay, where Apple hopes to turn every smartphone into a credit card protected by Touch ID, criminals now have a huge financial incentive to come up with methods that make hacking the fingerprint sensor faster and easier. … The biggest take-away from this is that I’m disappointed in Apple. The fingerprint sensor problem has been around for a long time. A fingerprint is easy to reproduce. We leave our fingerprints around every time we touch a shiny surface” Marc Rogers, principal security researcher, who hacked the iPhone 6 TouchID. [ highlighting ours – ed ]

“To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it. None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just “lift your fingerprint” from the phone’s glossy surface and unlock the device.” Source [ highlighting ours – ed ]

Spoofing Update 12/29/2014

White hat hacker “Starbug” (Jan Krissler of the Chaos Computer Club, one of Europe’s oldest hacker collectives) has again demonstrated how to foil biometric fingerprint security, this time using only commercial software and several high resolution photos of a hand. To prove this hack he recreated the print of Ursula von der Leyen’s thumb. Who? Germany’s federal minister of defense.

Two important points: First, crooks no longer need access to something you touched to obtain fingerprints. Second, access to specialized or expensive mold making software is no longer required and commercial-off-the-shelf software (COTS) can do the job without specialized skills.

12/27/2014 CCC notice (in English)  12/29/2014 Article from RT (formerly Russia Today)  12/30/2014 Article from The Guardian

Spoofing & Vulnerabilities Update August 2015

A paper Fingerprints On Mobile Devices: Abusing and Leaking (11 page PDF) was presented at Black Hat | USA, August 1-6, 2015 at the Mandalay Bay in Las Vegas, NV. The briefing materials make for interesting reading.

Re Fingerprints: In the original designs the fingerprints are only as secure as the operating system kernel. If the crook can ‘root’ the device then the fingerprint data can be stolen. There are more than a few publicly known kernel vulnerabilities. In a more current schema there is a ‘TrustZone’ that isolates a ‘Secure mode’. Even this design is vulnerable to the Confused Authorization Attack, a Fingerprint Storage Weakness, a Fingerprint Sensor Exposure, or a Pre-embedded Fingerprint Backdoor.

Play-Doh Spoof February 2016

Apple’s biometric security (the fingerprint scanner) has been spoofed starting with Hasbro’s Play-Doh and some dental supplies. See the article at HackRead.

Paper & Ink Spoof March 2016

Fingerprints were supposed to be the key to super biometric security. We pointed out many weaknesses, and over the years they’ve come to be realized. A new low has been found: paper and ink have defeated the biometric security of multiple cell phones.

Two researchers from the Michigan State University, Department of Computer Science and Engineering, have used a regular color inkjet printer (not a 3d printer) to print fingerprints using conductive ink and AgIC paper. No molds, no glue, no photomagic, just find a copy of a fingerprint (people leave them everywhere), scan it, print it and swipe.

Their report (3 page PDF) describes how easy it is. There is also a video 1:09. As CCC demonstrated almost a decade ago, fingerprint based biometrics are not as secure as advertising might lead you to believe.

Lego Robot + Play-Doh Spoof Gesture Recognition May 2016

The preceding examples have demonstrated how unchanging fingerprints can be spoofed making them unreliable as security devices. Attempts to use gestures have also been spoofed with a Lego robot equipped with a Play-Doh finger. Not exactly high-tech, but it did the job with a success rate of about 90%. More at Naked Security / Sophos

[ The robot creation was funded by DARPA, published as Robotic Robbery on the Touch Screen, and is available for purchase in the ACM Transactions on Information and System Security. Considering the taxpayers already paid for it, why do we have to pay again to read it? -ed ]

Can’t Change Your Biometric Signature

Unlike a password or an account number, you cannot change your biological information. What if your biological information was compromised, and afterward that biological element appeared at a crime scene? You’re implicated in the crime!

Update August 3, 2015 Biometric’s Hidden Risks & How to Avoid Them

A paper Hidden Risks of Biometric Identifiers and How to Avoid Them (13 page PDF) was presented at Black Hat | USA, August 1-6, 2015 at the Mandalay Bay in Las Vegas, NV. The conference general briefing materials are a good read.

Re Hidden Risks: Biometrics is being promoted as a kind of magic bullet and the global biometrics market will grow to $15 billion by 2015. The presentation surveys cutting edge biometric technologies and provides a framework for evaluating them from the perspectives of security, reliability, privacy, potential for abuse and “perceived creepiness”. Consider the MISE EEG headset which reads brainwaves! Related slides (53 page PDF) are interesting reading.

Infrastructure

No significant infrastructure exists to gather biological samples. There are some company-level standards for employee timekeeping and local security, but none at general merchants. A system that uses existing infrastructure is less expensive, so there is built-in resistance to adding infrastructure costs.

Your face may not be yours to have alone

In Illinois Federal court a plaintiff sued Facebook, alleging that FB’s facial recognition software violates the Illinois Biometric Information Privacy Act. While Facebook has a privacy setting so users can require their permission to “tag” them in photographs, the objection is that Facebook has collected and retained (without permission) sufficient biometric identification to identify someone in the first place. The suit is proposed as a class action and is pending in the Cook County court.

Sources: Chicago Tribune  FaceCrooks (includes resources on protecting yourself)  BizJournals   Law360 (registration required for full article)   NY Times on Jay Edelson, the attorney for the proposed class action.

Biometric Information Privacy Act (740 ILCS 14/) of October 2008  Legal Alert by Ford Harrison Global HR attorneys

[ Opinion: This could be the largest private repository of biometric identification, specifically facial recognition, of which we are aware. Other massively popular image sharing sites could also be a rich ground for the basic information. Its existence puts a damper on the “proof” of a biometric solution for charge card processing, as a hacked repository provides a rich source of information for criminal use. -ed ]

5/06/2016 Update  A year later

The case was filed in Illinois, but both parties agreed to transfer the case to a California court. On 5/5/2016 a San Francisco federal judge refused Facebook’s request to dismiss the lawsuit, and the case is moving forward. The Illinois Biometric Information Privacy Act (BIPA) bans collecting and storing biometric data without explicit consent, including “faceprints.” The suit contends Facebook violated the law. More at Naked Security / Sophos

Constitutional Conundrum

[ This section has been moved
https://nc3.mobi/references/the-fifth-amendment-to-the-us-constitution/#cc]

Social Concern

[ This section has been moved
https://nc3.mobi/references/the-fifth-amendment-to-the-us-constitution/#sc]

TSA Body Scans

[ This section has been moved
https://nc3.mobi/references/the-fifth-amendment-to-the-us-constitution #tsa]

 
 
