Sunday, 18 January 2015


Hackers Give Touch ID the Finger:
It's possible to bypass fingerprint authentication using only photos of a subject's fingers and fingerprint identification software.
People leave traces of their fingerprints everywhere, and "previously the concern was for things we touch," said Neohapsis security consultant Catherine Pearce, "but now it's anyone to photograph us that can become a threat -- even many years later."
Hacker Jan Krissler, aka "Starbug," told attendees at the 31st Chaos Computer Club convention in Hamburg, Germany, a few weeks earlier that he had replicated the fingerprints of German Defense Minister Ursula von der Leyen using a standard photo camera and commercially available software from VeriFinger.

Krissler used a close-up of a photo of the minister's thumb and other pictures taken at different angles during a press event in October.

"This is a result of the proliferation of high-resolution digital cameras, which can now capture the needed details to fool scanners," said Rob Enderle, principal analyst at the Enderle Group.
"It showcases a vulnerability that the industry will need to address," he said. "Typically this involves adding a sensor that can read live tissue or looks for a heartbeat."

The Threat of VeriFinger:
VeriFinger is tolerant to fingerprint translation, rotation and deformation, meaning that it can get around the limitations of partial shots of a finger among other things.
It matches flat-to-rolled, flat-to-flat, or rolled-to-rolled fingerprints reliably and accurately.
VeriFinger's algorithm can identify fingerprints even if they are rotated, translated, deformed or have only 5-7 similar minutiae, as compared to the 20-40 similar minutiae shown by each finger.
The software's adaptive image filtration algorithm eliminates noise, ridge ruptures and stuck ridges, even from poor-quality fingerprints.
VeriFinger is available as an SDK for developing standalone and Web-based solutions for the Windows, Linux, OS X and Android platforms.

Observations About the Hack:
Biometrics relies on many assumptions, but the key ones, said Neohapsis security consultant Catherine Pearce, are these: that the thing being measured cannot be changed; that what's being measured is a genuine attribute; and, in more secure systems, that the thing being measured is alive.
Krissler's attack "relies on the fact that fingerprints are fixed, and breaks the last two measurements," she said.
People leave traces of their fingerprints everywhere in the course of each day, and "previously the concern was for things we touch," Pearce observed, "but now it's anyone to photograph us that can become a threat -- even many years later."
Attackers can build composite fingerprint images from a series of partial ones over a long time, Pearce pointed out. "The fact that this attack can be done with no direct contact and without [the attacker] necessarily having to seek out the fingerprint personally makes it scarier."

Biometric Security Overhyped:
This is not the first time hackers have defeated fingerprint authentication, at least in mobile phones.
Members of the Chaos Computer Club hacked the iPhone 6's Touch ID fingerprint scanner shortly after the device's September launch.
Researchers at Security Research Labs in April bypassed the fingerprint authentication on the Samsung Galaxy S5.
In both cases, a physical copy of the user's fingerprint was made using glue and other materials.
These concerns aren't new. The United States National Research Council in 2010 issued a warning that biometric systems needed more work.
Krissler's attack "highlights a key thing about biometrics -- to a computer, everything is data," Neohapsis' Pearce remarked. "Those who control the data going into the machine will control how it perceives the world."

The Gentle Art of Biometric Self-Defense:
Biometric authentication systems typically are part of a multifactor approach that may include smartcards, passwords, personal identification numbers (PINs), RSA tokens, or cellphones in combination with a biometric scanner.
Organizations using fingerprint scanning need to make sure the multifactor approach is actually in place, and should rotate the fingers used for identification to make things more difficult for hackers, Enderle suggested.

"Also, make sure failed scans are reported," he said, "so a hack in progress can be identified and the fingerprint invalidated."
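
One way to act on the advice to report failed scans and invalidate the fingerprint, as an added example that is not part of the original article: a sliding-window check over scan events. The event format, the 10-minute window and the three-failure threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_FAILURES = 3                 # assumed failures tolerated per finger in WINDOW

# Constructed sample events: (ISO timestamp, user, enrolled finger, scan result)
SAMPLE_EVENTS = [
    ("2015-01-18T09:00:05", "alice", "right-index", "match"),
    ("2015-01-18T09:14:10", "bob", "left-thumb", "fail"),
    ("2015-01-18T09:14:40", "bob", "left-thumb", "fail"),
    ("2015-01-18T09:15:02", "bob", "left-thumb", "fail"),
    ("2015-01-18T09:15:30", "bob", "left-thumb", "match"),
    ("2015-01-18T11:00:00", "carol", "right-thumb", "fail"),
    ("2015-01-18T13:30:00", "carol", "right-thumb", "fail"),
    ("2015-01-18T16:45:00", "carol", "right-thumb", "fail"),
]

def review_scans(events, window=WINDOW, max_failures=MAX_FAILURES):
    """Return (alerts, invalidated) for a time-ordered stream of scan events.

    alerts: (timestamp, user, finger, reason) tuples to report to operations.
    invalidated: (user, finger) templates to revoke and re-enroll with another finger.
    """
    recent = defaultdict(deque)   # (user, finger) -> timestamps of recent failures
    alerts, invalidated = [], set()
    for ts, user, finger, result in events:
        when, key = datetime.fromisoformat(ts), (user, finger)
        if key in invalidated:
            # A revoked template must never authenticate, even on a "match".
            alerts.append((ts, user, finger, f"{result} on invalidated template"))
            continue
        fails = recent[key]
        while fails and when - fails[0] > window:
            fails.popleft()       # drop failures that fell out of the window
        if result == "fail":
            fails.append(when)
            if len(fails) >= max_failures:
                invalidated.add(key)
                alerts.append((ts, user, finger,
                               f"{len(fails)} failed scans within {window}"))
        # A match does not clear the history: a replica may succeed after failed tries.
    return alerts, invalidated
```

On the sample data, the burst of failures on bob's left thumb is reported and the template revoked, so the "match" that follows is flagged instead of accepted; carol's failures spread over the day stay below the threshold.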
