Evading Fingerprint Technology


I'm not a forensic scientist, so if I make some forensic assumptions, don't necessarily believe them.

A colleague of mine once said of biometric security devices "it's only bits". That one statement has completely changed the way I look at biometric devices.

The Mythbusters in one episode were able to fool fingerprint security devices using a few of the more obvious and less dramatic (no need to review Season 1 of "24" here) means of fooling them - including using a photocopy of a thumbprint against a system that also checks for heat and pulse. And those are the more obvious methods of fooling the reader (to fool the reader, fool the reader itself).

But I've always been concerned about the systems even if the reader itself is foolproof:

  • The way your fingerprint is registered in a database is by using a combination of attributes of the way your fingerprint is constructed. Yes, your fingerprint (assuming you have them - some people don't even have them) is unique, but the number of attributes that are measured is finite. And to reduce false-negative rates, I would assume that finite number is somewhat small. The more prints that are in the database, the more chance that there is a collision between two sets of prints when using pure arithmetic to determine a print. This can result in false-identification. Because the attributes the system measures are common between me and some other guy, some other guy sometimes registers as me (even if he's not in the system).
  • Even if the reader itself is secure, is the channel between the reader and the database secure? Can I get in between and either alter my bits to resemble somebody else's, or can I just send a new transaction with somebody else's bits? Of course, that depends on me understanding the algorithm in order to determine what somebody else's bits are, but:
  • We all know that secrets don't last. The algorithm that biometric security devices use to generate the bits is proprietary. Why do open security algorithms work? Because millions of eyes have looked at the algorithms - and some of those eyes are really smart. A basic premise of keeping secrets is that the algorithm should be open, but the keys should be secure.
  • And lastly, I have personally seen many instances where biometric devices are assumed to be sufficient. Consider a really big data center without man traps that uses biometric devices. Since the data center is sufficiently large, nobody knows all the people who work there, so if you refuse to let somebody in, you're being perfectly rude. An attacker just has to wait for somebody on the inside to approach the door to go get coffee, and the attacker approaches the reader just as the door opens. Of course, the guy on the inside holds the door open for him - he's legitimate just by virtue of trying to use the biometric device.
  • And of course, there's the rubber hose method. Hold a gun to my back, and I'll probably use my fingerprint to let you in. If the mantrap is small enough, it's a good measure against rubber hose, even, but still not effective against:
  • More extreme measures. Now it's time to review Season 1 of "24" or a Dan Brown book.
Now, I didn't say all this to scare you out of using biometric devices. But biometric devices are only suitable as one means of authentication. You still have to make identification, and you should require more than one means of authentication (depending on the sensitivity of whatever it is you're trying to protect). And lastly, you need sufficient other controls that you can't just walk around the security device (a la the tollgate in Blazing Saddles).

1 comment:

  1. Also, don't forget that once someone has your prints, they have them forever. There's no way of changing your authentication token if it has been compromised, you're stuck with it, and an attack could be made any time then, it could be in the same week, or it could be 3 years down the line when your prints can be used to gain access to some high security facilities you didn't have access to when someone got your prints.

    And frankly, that's the biggest reason I'd never want to use biometric identification - your authentication data could have been stolen at any time, and would continue to be valid indefinitely.