A German technology magazine has exposed weaknesses in biometric
products intended for securing access to PCs by using a variety of
tricks as basic as blowing on fingerprint scanners. The findings go
further than similar work in Japan.
Biometric verification is any means by which a person can be
uniquely identified by evaluating one or more distinguishing
biological traits. These traits include fingerprints, hand
geometry, earlobe geometry, retina and iris patterns, voice waves,
DNA and signatures.
Biometric devices are promoted as the successor to password
authentication and, according to the industry group IBIA, this
year’s worldwide sales of the technology and software will exceed
€500 million.
German technology magazine c’t tested some biometric access
protection devices.
Similar work by Japanese engineering professor Tsutomu Matsumoto
recently hit the IT headlines. Matsumoto revealed how 9 out of 10
commercial fingerprint scanners could be tricked by fake fingers.
C’t’s research goes further.
First of all, c't tested Cognitec’s FaceVACS-Logon system, which
uses a webcam to recognise the user’s facial features. It
references the data against stored facial patterns and, in the
event of a match, grants access to the PC.
C’t found that the reference data is not encrypted – which
allows it to be read or manipulated once access to the PC has been
acquired. C’t sent the files to a notebook computer and simply held
the notebook – now displaying an image of a face – in front of the
secure PC. Access was granted at the first attempt.
To test the system when the data files were not available, c’t
simply took digital photos of an authorised person in a variety of
lighting conditions and again presented them to the webcam from a
notebook. Access was granted on the second image presented.
Siemens’ ID Mouse is the best known fingerprint scanner in
Germany. C’t found that the scanner could be tricked by simply
breathing upon traces of fat left by fingerprints on the sensor’s
surface. The screen of the protected PC displayed the contours of
the old fingerprint and granted access. C’t also tried lifting an
authorised user’s fingerprint from a glass, securing it to adhesive
film and placing it on the scanner. Again, c’t’s success rate was
high.
Fingerprint scanners incorporating thermal recognition systems
were also defeated. These scanners measure the minimal temperature
differences between the "hills" and "valleys" that the sensor
registers on the fingertip’s surface.
One such product, IdentAlink’s Sweeping Fingerprint Scanner, was
defeated by c’t using silicone copies of authentic fingerprints.
The authentic finger was pressed into the hot wax of a common
tea-warming candle from which the wick had been removed.
Commercially available silicone was used to fill the trough and the
artificial finger was presented to the scanner. C’t does not
explain how this evaded the thermal detector.
C’t acknowledged that tricking a thermal fingerprint scanner
with artificial data was much more difficult than tricking other
technologies and it did require access to the authentic finger.
Iris scanning technology from Panasonic was also beaten. This
was done by the non-authorised person holding an inkjet print-out
over his eye. The page was an image of the authentic iris with a
small hole cut into the page through which the pupil of the
impostor was visible to the camera. Access was granted.
C’t concludes that “the technology suitable for mass consumption
for identifying and authenticating the identity of persons on the
basis of their physical features is obviously still in its
infancy.” It described all the tested products as being “more of
the nature of toys than serious security measures.”
C’t recommends that, until the security of these products
improves, their use should always be coupled with an additional PIN
or password.