Hackers Give Touch ID the Finger

Hacker Jan Krissler, aka "Starbug," this weekend told attendees at the 31st Chaos Computer Club convention in Hamburg, Germany, that he had replicated the fingerprints of German Defense Minister Ursula von der Leyen using a standard photo camera and the commercially available VeriFinger software.
Krissler used a close-up of a photo of the minister's thumb and other pictures taken at different angles during a press event in October.
"This is a result of the proliferation of high-resolution digital cameras, which can now capture the needed details to fool scanners," said Rob Enderle, principal analyst at the Enderle Group. "It showcases a vulnerability that the industry will need to address," he told TechNewsWorld. "Typically this involves adding a sensor that can read live tissue or looks for a heartbeat."
The Threat of VeriFinger
VeriFinger is tolerant of fingerprint translation, rotation and deformation, meaning that it can work around the limitations of partial shots of a finger, among other things.
It matches flat-to-rolled, flat-to-flat, or rolled-to-rolled fingerprints reliably and accurately.
VeriFinger's algorithm can identify fingerprints even if they are rotated, translated, deformed or have only 5-7 matching minutiae, compared with the 20-40 minutiae shown by each finger.
The software's adaptive image filtration algorithm eliminates noise, ridge ruptures and stuck ridges, even from poor-quality fingerprints.
VeriFinger is available as an SDK for developing standalone and Web-based solutions for the Windows, Linux, OS X and Android platforms.
Observations About the Hack
Biometrics relies on many assumptions, but the key ones, said Neohapsis security consultant Catherine Pearce, are these: that the thing being measured cannot be changed; that what's being measured is a genuine attribute; and, in more secure systems, that the thing being measured is alive.
Krissler's attack "relies on the fact that fingerprints are fixed, and breaks the last two measurements," she told TechNewsWorld.
People leave traces of their fingerprints everywhere in the course of each day, and "previously the concern was for things we touch," Pearce observed, "but now it's anyone [close enough] to photograph us that can become a threat -- even many years later."
Attacks can build composite fingerprint images from a series of partial ones over a long time, Pearce pointed out. "The fact that this attack [can] be done with no direct contact and without [the attacker] necessarily having to seek out the fingerprint personally makes it scarier."
Biometric Security Overhyped
This is not the first time hackers have defeated fingerprint authentication, at least in mobile phones.
Members of the Chaos Computer Club hacked the iPhone 6's Touch ID fingerprint scanner shortly after the device's September launch.
Researchers at Security Research Labs in April bypassed the fingerprint authentication on the Samsung Galaxy S5.
In both cases, a physical copy of the user's fingerprint was made using glue and other materials.
These concerns aren't new. The United States National Research Council in 2010 issued a warning that biometric systems needed more work.
Krissler's attack "highlights a key thing about biometrics -- to a computer, everything is data," Neohapsis' Pearce remarked. "Those who control the data going into the machine will control how it perceives the world."
The Gentle Art of Biometric Self-Defense
Biometric authentication systems typically are part of a multifactor approach that may include smartcards, passwords, personal identification numbers (PINs), RSA tokens, or cellphones in combination with a biometric scanner.
Organizations using fingerprint scanning need to ensure the multifactor approach and rotate the fingers used for identification to make it more difficult for hackers, Enderle suggested.
"Also, make sure failed scans are reported," he said, "so a hack in progress can be identified and the fingerprint invalidated."
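As an added example in the spirit of Enderle's advice (not code from the article or from any vendor named in it), a small detector that reads constructed scanner log lines, flags an enrolled finger that fails repeatedly within a short window, and revokes that template so the user must fall back to another enrolled finger plus a second factor. The log format, the thresholds and the enrollment store are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample scanner log (assumed format): time, user, finger slot, result.
SAMPLE_LOG = """\
2014-12-28T09:00:01 alice right_index OK
2014-12-28T09:03:10 bob left_thumb FAIL
2014-12-28T09:03:14 bob left_thumb FAIL
2014-12-28T09:03:19 bob left_thumb FAIL
2014-12-28T09:03:31 bob left_thumb OK
2014-12-28T10:15:00 carol right_thumb FAIL
2014-12-28T14:15:00 carol right_thumb FAIL
"""
# Constructed enrollment store (assumed): active finger templates per user.
ENROLLED = {
    "bob": {"left_thumb": "active", "right_index": "active"},
    "carol": {"right_thumb": "active"},
}
FAIL_THRESHOLD = 3             # assumed: failures per template that raise an alert
WINDOW = timedelta(minutes=2)  # assumed: sliding window in which failures are counted

def parse_log(text):
    """Yield (timestamp, user, finger, result) tuples from the assumed log format."""
    for line in text.splitlines():
        ts, user, finger, result = line.split()
        yield datetime.fromisoformat(ts), user, finger, result

def find_suspect_templates(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {(user, finger): first alert time} for templates that failed `threshold`
    times within `window`; a later OK does not clear the alert (a forgery that finally matches)."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, finger, result in parse_log(log_text):
        if result != "FAIL":
            continue
        key = (user, finger)
        fails = recent[key]
        fails.append(ts)
        while ts - fails[0] > window:  # forget failures older than the window
            fails.popleft()
        if len(fails) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts

def revoke_flagged(enrolled, alerts):
    """Copy the store with flagged templates revoked: the user must use another finger plus a second factor."""
    updated = {user: dict(fingers) for user, fingers in enrolled.items()}
    for user, finger in alerts:
        updated[user][finger] = "revoked"
    return updated
```

With the sample log, only bob's left thumb crosses the threshold (three failures in nine seconds); carol's two failures four hours apart do not, and the 10:15 failure is dropped from the window before the 14:15 one is counted.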
