Tuesday, March 15, 2016

So much for fingerprint security devices

If you have a smartphone or computer equipped with a biometric security device, particularly one using fingerprints, it just got less secure.

Researchers at Michigan State University want you to know that it doesn't take fancy equipment or a lot of time to create fingerprint replicas that can trick scanners and unlock mobile devices. All they needed was an inkjet printer, conductive ink, and regular paper.

Kai Cao and Anil Jain from the Biometrics Research Group made a video showing how easy it is to print conductive fingerprints from scans. "The worry is that hackers could use similar methods to steal personal identities and other vital information," they wrote.

There's more at the link.

This is of particular concern to almost anyone holding a US government security clearance.  Last year the Office of Personnel Management admitted that 5.6 million sets of digitized fingerprints had been compromised by hackers.  My own were among them, according to a warning letter I received from OPM a few months ago.  Basically, if you've had a law enforcement or military security background check, your fingerprints were probably part of that;  and the majority of those digitized records were stolen by hackers, allegedly acting on behalf of the Chinese government.

This may derail the use of fingerprints as biometric identifiers for electronic devices.  A fingerprint is forever - it doesn't change with age.  That means a 20-something CIA or NSA employee whose fingerprints were compromised as part of this OPM hack will be at risk of them being used against his or her electronic devices up to and even after retirement.  If they log in to a computer network using fingerprint authentication, anyone else who can gain access to a terminal of that network can use their fingerprints to impersonate them.  If they travel overseas, taking a smartphone or portable computer with them, anyone who can get their hands on that device will be able to use those 'hacked' fingerprints to bypass its biometric identification system - unless that system abandons the use of fingerprints, and moves to something like iris recognition, which is much more complex and expensive to implement on a wide scale.

I don't understand why more heads haven't rolled over the OPM data leak.  It's going to be a long-term security headache for this country, in more ways than just fingerprint recognition.



C. G. R. said...

That's pretty old news - attack methods against biometric devices, especially fingerprinting devices were published as early as 2008. A much more interesting approach was the demo performed at the 31st Chaos Communications Congress, in December 2014 in Hamburg, Germany. One of the demos has proven how to get the fingerprint of Germany's Minister of Defence, Ursula von der Leyen from one of her press photos. The method shown that someone can take pictures of your finger using a hi-res camera which may render enough information to copy your fingerprints.

MadMcAl said...

The sad part is that there is a technology that is as easy to use as a fingerprint-scanner and as secure as an iris reader (or even more so).

Fingervein-scanners (https://en.wikipedia.org/wiki/Finger_vein_recognition) work nearly everywhere (they are a bit more cumbersome than a touch screen but on installations or computers they work fine). They are virtually impossible to fool with anything but a full model of the fingers vein system and the finger has to be alive (and pumped through with blood) to work.

Tal Hartsfeld said...

So... in the future "the eyes have it".
All those in favor of "iris recognition" say "I".
...or "Eye" ...

Alligosh said...

Fingerprints used on a smartphone are for convenience only; I would not assume much security involved at all. The only basic authentication model that should be used for anything you care about is two factor authentication, where to use two of: something you have, something you are, and something you know. In this case, a fingerprint followed by a pin or passphrase is something you are and something you know, and would be a lot more secure.
Also? In this day and age, any government (or even private) network that only requires one factor (like fingerprint) is just waiting to be compromised.

Mike said...

I'm sure that as soon as the government starts moving to iris scans or other biometric markers, they will manage to have those compromised as well, so no biometric data will render your data safe without another factor. I too was caught up in the OPM hack.

raven said...

The OPM hack (s) is probably the single worst intelligence/security failure in history. The implications are staggering.

We will regret this one day, to the extent we are alive to do so.

Borepatch said...

Why hasn't someone been fired over the OPM hack? You could substitute "the VA hospital scandal". The Organs of the State do not self-correct.

And yes, you should never use biometrics because you can't change them if they are ever compromised. And they will get compromised, because the Organs of the State do not self-correct.

David Lang said...

Mythbusters demonstrated spoofing fingerprint scanners a long time ago

switching to Iris scanners doesn't solve the problem, it's not any easier to change out your Eye than your finger.

Tal Hartsfeld said...

On my March 15 comment: "All those in favor of 'iris recognition' say 'I'."
It should read: "All those in favor of 'iris recognition' say 'Aye'".
The "Grammar Captain" ordered me to make this correction
...to which I replied: "Aye! Aye! Sir!!"