It's possible to bypass fingerprint authentication using only photos of a subject's fingers and fingerprint identification software.
People leave traces of their fingerprints everywhere, and "previously the concern was for things we touch," said Neohapsis security consultant Catherine Pearce, "but now it's anyone to photograph us that can become a threat -- even many years later."
Hacker Jan Krissler, aka "Starbug," told attendees at the 31st Chaos Computer Club convention in Hamburg, Germany, a few weeks earlier that he had replicated the fingerprints of German Defense Minister Ursula von der Leyen using a standard photo camera and commercially available software from VeriFinger.
Krissler used a close-up of a photo of the minister's thumb and other pictures taken at different angles during a press event in October.
"This is a result of the proliferation of high-resolution digital cameras, which can now capture the needed details to fool scanners," said Rob Enderle, principal analyst at the Enderle Group.
"It showcases a vulnerability that the industry will need to address," he said. "Typically this involves adding a sensor that can read live tissue or looks for a heartbeat."
The Threat of VeriFinger:
VeriFinger is tolerant to fingerprint translation, rotation and deformation, meaning that it can get around the limitations of partial shots of a finger, among other things.
It matches flat-to-rolled, flat-to-flat, or rolled-to-rolled fingerprints reliably and accurately.
VeriFinger's algorithm can identify fingerprints even if they are rotated, translated or deformed, or share only 5-7 matching minutiae, compared with the 20-40 minutiae a full print of each finger shows.
The software's adaptive image filtration algorithm eliminates noise, ridge ruptures and stuck ridges, even from poor-quality fingerprints.
VeriFinger is available as an SDK for developing standalone and Web-based solutions for the Windows, Linux, OS X and Android platforms.
Observations About the Hack:
Biometrics relies on many assumptions, but the key ones, said Neohapsis security consultant Catherine Pearce, are these: that the thing being measured cannot be changed; that what's being measured is a genuine attribute; and, in more secure systems, that the thing being measured is alive.
Krissler's attack "relies on the fact that fingerprints are fixed, and breaks the last two measurements," she said.
People leave traces of their fingerprints everywhere in the course of each day, and "previously the concern was for things we touch," Pearce observed, "but now it's anyone to photograph us that can become a threat -- even many years later."
Attacks can build composite fingerprint images from a series of partial ones over a long time, Pearce pointed out. "The fact that this attack can be done with no direct contact and without [the attacker] necessarily having to seek out the fingerprint personally makes it scarier."
Biometric Security Overhyped:
This is not the first time hackers have defeated fingerprint authentication, at least in mobile phones.
Members of the Chaos Computer Club hacked the iPhone 6's Touch ID fingerprint scanner shortly after the device's September launch.
Researchers at Security Research Labs in April bypassed the fingerprint authentication on the Samsung Galaxy S5.
In both cases, a physical copy of the user's fingerprint was made using glue and other materials.
These concerns aren't new. The United States National Research Council in 2010 issued a warning that biometric systems needed more work.
Krissler's attack "highlights a key thing about biometrics -- to a computer, everything is data," Neohapsis' Pearce remarked. "Those who control the data going into the machine will control how it perceives the world."
The Gentle Art of Biometric Self-Defense:
Biometric authentication systems typically are part of a multifactor approach that may include smartcards, passwords, personal identification numbers (PINs), RSA tokens, or cellphones in combination with a biometric scanner.
Organizations using fingerprint scanning need to enforce the multifactor approach and rotate the fingers used for identification to make it more difficult for hackers, Enderle suggested.
"Also, make sure failed scans are reported," he said, "so a hack in progress can be identified and the fingerprint invalidated."
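One way to act on that advice, as an added example that is not from the article or from any scanner vendor: a small detector that reads constructed fingerprint-reader events (the log format and field names are assumptions) and flags any enrolled template that accumulates three failed scans within five minutes, so it can be invalidated and the second factor enforced while the user re-enrols with a different finger.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical reader; field names are assumed.
SAMPLE_LOG = """\
2014-12-30T09:00:01Z device=door-7 user=alice template=alice-r-index result=FAIL score=41
2014-12-30T09:00:05Z device=door-7 user=alice template=alice-r-index result=FAIL score=38
2014-12-30T09:00:12Z device=door-7 user=alice template=alice-r-index result=FAIL score=44
2014-12-30T09:00:20Z device=door-7 user=alice template=alice-r-index result=PASS score=71
2014-12-30T09:30:00Z device=door-2 user=bob template=bob-l-thumb result=FAIL score=12
2014-12-30T11:00:00Z device=door-2 user=bob template=bob-l-thumb result=PASS score=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"template=(?P<template>\S+) result=(?P<result>PASS|FAIL) score=(?P<score>\d+)$"
)

def parse_line(line):
    """Parse one scan event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["score"] = int(ev["score"])
    return ev

def find_suspect_templates(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return {template: (device, time)} for each enrolled template that hit
    max_failures FAIL events inside window. A PASS does not clear the history:
    a forged print that finally matches after several misses is exactly the
    case to catch, so the template stays flagged for invalidation regardless."""
    recent = defaultdict(deque)  # template -> timestamps of recent failures
    suspects = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL" or ev["template"] in suspects:
            continue
        q = recent[ev["template"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            suspects[ev["template"]] = (ev["device"], ev["ts"])
    return suspects
```

Feed the result to whatever revokes templates in your enrolment store; the flagged entry carries the device and time of the triggering scan for the incident record.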
For any queries, ask in the comments section below; we will surely answer.
Please tell us what you think about this type of vulnerability around us.
Stay tuned for more tech news.