Out-Law News

Major flaws in biometric security products


A German technology magazine has exposed weaknesses in biometric products intended for securing access to PCs by using a variety of tricks as basic as blowing on fingerprint scanners. The findings go further than similar work in Japan.

Biometric verification is any means by which a person can be uniquely identified by evaluating one or more distinguishing biological traits. These traits include fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA and signatures.

Biometric devices are promoted as the successor to password authentication and, according to the industry group IBIA, this year’s worldwide sales of the technology and software will exceed €500 million.

German technology magazine c’t tested some biometric access protection devices.

Similar work by Japanese engineering professor Tsutomu Matsumoto recently hit the IT headlines. Matsumoto revealed how 9 out of 10 commercial fingerprint scanners could be tricked by fake fingers. C't's research goes further.

First of all, c't tested Cognitec’s FaceVACS-Logon system, which uses a webcam to recognise the user’s facial features. It references the data against stored facial patterns and, in the event of a match, grants access to the PC.

C’t found that the reference data is stored unencrypted, so anyone who has already gained access to the PC can read or manipulate it. C’t copied the files to a notebook computer and simply held the notebook, now displaying an image of the enrolled face, in front of the secured PC. Access was granted at the first attempt.
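The weakness c’t describes here is that nothing binds the stored template to the system: a file the attacker can rewrite is a file in which the attacker can enrol their own face. The following is an added illustration, not Cognitec’s code or file format. The “template” is a constructed toy feature vector, the matcher is a stand-in Euclidean-distance threshold, and the key handling is an assumption; it shows the plaintext store being overwritten beside a version that carries an HMAC tag and rejects the tampered file.

```python
"""Added example: overwriting an unprotected biometric reference template versus
one protected by an HMAC whose key lives outside the template file."""
import hashlib
import hmac
import json
import math

TAG_LEN = 32  # SHA-256 digest length, the size of the tag prefixed to the body

# Constructed sample templates. A real facial template is a large
# vendor-specific vector; four floats are enough to show the logic.
ALICE = {"user": "alice", "features": [0.12, 0.87, 0.33, 0.54]}
# The attacker's own face, enrolled under Alice's user name.
MALLORY = {"user": "alice", "features": [0.90, 0.10, 0.75, 0.20]}

THRESHOLD = 0.25  # assumed matcher threshold


def matches(probe, template):
    """Toy matcher: Euclidean distance between feature vectors below a threshold."""
    return math.dist(probe, template["features"]) < THRESHOLD


# --- what c't found: template written as plaintext JSON, nothing to verify ---
def store_plain(template):
    return json.dumps(template).encode()


def load_plain(blob):
    return json.loads(blob)


def login_plain(probe, blob):
    return matches(probe, load_plain(blob))


# --- hardened: tag || body, tag = HMAC-SHA256(key, body) ---
def store_mac(template, key):
    body = json.dumps(template, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def load_mac(blob, key):
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("reference template failed integrity check")
    return json.loads(body)


def login_mac(probe, blob, key):
    try:
        return matches(probe, load_mac(blob, key))
    except ValueError:
        return False  # treat a tampered template as no match


def attack_plain():
    """Attacker with file access rewrites the template with their own features."""
    store_plain(ALICE)                      # what the enrolment wrote
    tampered = store_plain(MALLORY)         # attacker's replacement file
    return login_plain(MALLORY["features"], tampered)   # True: attacker is in


def attack_mac(key):
    """Same overwrite against the tagged store; the attacker lacks the key,
    so the best they can do is keep the old tag in front of the new body."""
    blob = store_mac(ALICE, key)
    tampered = blob[:TAG_LEN] + json.dumps(MALLORY, sort_keys=True).encode()
    return login_mac(MALLORY["features"], tampered, key)  # False: rejected


if __name__ == "__main__":
    demo_key = b"\x01" * 32  # placeholder; a real key is sealed outside the file
    print("plain store, attacker accepted:", attack_plain())
    print("HMAC store, attacker accepted:", attack_mac(demo_key))
```

Two caveats belong with this. An HMAC gives integrity only; the template can still be read, which is all the notebook-replay attack above needs, so confidentiality requires encrypting the body as well. And the key must be held where the attacker’s level of access does not reach it (a TPM-sealed blob or the operating system’s protected credential store); a key sitting beside the template file is overwritten along with it. Neither measure helps against a photograph held up to the webcam, which is a liveness-detection problem.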

To test the system when the data files were not available, c’t simply took digital photos of an authorised person in a variety of lighting conditions and again presented them to the webcam from a notebook. Access was granted on the second image presented.

Siemens’ ID Mouse is the best known fingerprint scanner in Germany. C’t found that the scanner could be tricked simply by breathing on the greasy residue a previous fingerprint had left on the sensor’s surface. The screen of the protected PC displayed the contours of the old fingerprint and granted access. C’t also tried lifting an authorised user’s fingerprint from a glass, transferring it to adhesive film and placing the film on the scanner. Again, c’t’s success rate was high.

Fingerprint scanners incorporating thermal recognition systems were also defeated. These scanners measure the minimal temperature differences between the "hills" and "valleys" that the sensor registers on the fingertip’s surface.

One such product, IdentAlink’s Sweeping Fingerprint Scanner, was defeated by c’t using silicone copies of authentic fingerprints. The authentic finger was pressed into the hot wax of an ordinary tea light candle from which the wick had been removed. Commercially available silicone was used to fill the resulting mould, and the artificial finger was then presented to the scanner. C’t does not explain how this evaded the thermal detection.

C’t acknowledged that tricking a thermal fingerprint scanner with an artificial finger was much more difficult than tricking the other technologies, and that it required access to the authentic finger.

Iris scanning technology from Panasonic was also beaten. This was done by the non-authorised person holding an inkjet print-out over his eye. The page was an image of the authentic iris with a small hole cut into the page through which the pupil of the impostor was visible to the camera. Access was granted.

C’t concludes that “the technology suitable for mass consumption for identifying and authenticating the identity of persons on the basis of their physical features is obviously still in its infancy.” It described all the tested products as being “more of the nature of toys than serious security measures.”

C’t recommends that, until the security of these products improves, they should always be coupled with an additional PIN or password.
