Biometric Security Circumvention Methods

Biometric Security Circumvention Methods

A month ago, a Forbes journalist demonstrated the (un)reliability of biometric security on consumer-grade devices. For the test, he ordered a 3D plaster replica of his head and then tried to use it to unlock five smartphones: LG G7 ThinQ, Samsung S9, Samsung Note 8, OnePlus 6 and iPhone X.

The plaster copy was enough to unlock four of the five models tested. Although the iPhone did not succumb to the trick (it scans in the infrared range), but the experiment showed that face recognition is not the most reliable method of protecting confidential information. In general, like many other biometric methods.

In comments, representatives of the “affected” companies said that facial recognition makes unlocking phones “convenient,” but for “the highest level of biometric authentication,” a fingerprint or iris scanner is recommended.

The experiment also showed that a couple of photos of the victim are not enough for a real hack, because they would not allow the creation of a full 3D copy of the skull. To make an acceptable prototype requires shooting from several angles with good lighting. On the other hand, thanks to social media, it is now possible to obtain large quantities of such photo and video footage, and the resolution of cameras is increasing every year.

Other methods of biometric protection are not without vulnerabilities either.

Fingerprints

Fingerprint scanning systems became widespread in the 1990s – and immediately came under attack.

In the early 2000s, hackers perfected a mechanism for making artificial silicon copies from an existing pattern. If you stick a thin film on your own finger, you can fool almost any system, even with other sensors that check the temperature of the human body and verify that the scanner is attached to a living person’s finger and not a printout.

Tsutomu Matsumoto’s manual from 2002 is considered a classic guide to making artificial fingerprints. It explains in detail how to process the victim’s fingerprint with graphite powder or cyanoacrylate vapor (superglue), how to then process the photo before making the mold, and finally how to make a convex mask using gelatin, latex milk or wood glue.

The biggest challenge in this procedure is copying a real fingerprint. They say the best quality prints remain on glass surfaces and doorknobs. But nowadays there is another way: the resolution of some photos allows you to reconstruct the pattern directly from the photo.

In 2017, a project by researchers from Japan’s National Institute of Informatics was reported. They proved that it is possible to reconstruct the pattern of a fingerprint from photos taken with a digital camera from a distance of three meters. Back in 2014, at the Chaos Communication Congress hacking conference, they demonstrated the fingerprints of the German defense minister reconstructed from official high-resolution photos from open sources.

Other Biometrics

Apart from fingerprint and facial recognition, other methods of biometric protection have not yet been massively used in modern smartphones, although it is theoretically possible. Some of these methods have been experimentally tested, while others have been commercially implemented in various applications, including retinal scanning, verification by voice and the pattern of veins in the palm.

But all methods of biometric protection have one fundamental vulnerability: Unlike a password, your biometric characteristics are virtually impossible to replace. If your fingerprints are leaked to the public, you can’t change them. It’s, you might say, a lifelong vulnerability.

“As camera resolution becomes higher, it becomes possible to view smaller objects, such as a fingerprint or iris. […] Once you share them on social media, you can say goodbye. Unlike a password, you can’t change your fingers. So it’s information you have to protect.” – Isao Echizen, professor at the National Institute of Informatics of Japan

No method of biometric protection gives a one hundred percent guarantee. When each system is tested, the following parameters are specified, among others:

  • accuracy (several types);
  • Percentage of false positives (false alarms);
  • percentage of false negatives (missing events).

No system demonstrates 100% accuracy with zero false positives and false negatives, even under optimal laboratory conditions.

These parameters depend on each other. For example, you can increase the detection accuracy to 100% by adjusting the system settings, but then the number of false positives will also increase. And vice versa, you can reduce the number of false positives to zero – but then the accuracy will suffer.

Obviously, many security methods are easy to break nowadays, because manufacturers put usability, not reliability, at the forefront of their minds. In other words, they prioritize a minimum number of false positives.

Economics of hacking

Just like in economics, in information security there is also a concept of economic expediency. Even if a hundred percent protection doesn’t exist. But the protective measures are correlated with the value of the information itself. In general, the principle is that the value of the hacker’s efforts should exceed the value of the information that he wishes to obtain. The greater the ratio, the stronger the protection.

If we take the example of the plaster replica of the head to fool the Face ID system, it cost the Forbes journalist about $380. Accordingly, it makes sense to use such technology to protect information worth less than $380. It’s a great protection technology for protecting penny-store information, but it’s a worthless technology for corporate trade secrets, so it’s all relative. It turns out that in each case you need to evaluate the minimum acceptable degree of protection. For example, face recognition combined with a password – as a two-factor authentication – already increases the degree of protection by an order of magnitude compared to face recognition alone or a single password.

In general, any protection can be cracked. The question is the cost of the effort.

About the Author

You may also like these