This article was originally published on INCIBE security blog.
With the announcement of the new fingerprint sensor in the latest smartphone from Apple, the iPhone 5S, biometric sensors are again under scrutiny among information security professionals.
Especially because the use of these technologies is becoming popular for consumer grade electronics, and its use use could become ubiquitous for something made to protect sensitive data, like information found in any mobile phone nowadays.
Recently, Chaos Computer Club (CCC) has been able to circunvent the sensor on iPhone 5S, just two weeks after the official presentation of the new phone (Source: CCC breaks Apple TouchID).
Using a digital camera, it is possible to obtain a high-resolution (2400 dpi) pciture of a fingerprint on an object (for example, the phone screen itself); manipulate it with a photo editing software, and once the contours are isolated, print them as a negative on a transparent sheet.
Leveraging toner properties of laser printers (it leaves an emboss) is possible to apply a film of a flexible and translucent material similar to the skin (such as latex), getting a physical copy of the original fingerprint able to unlock the device as if it were a finger.
It is not the first time this group calls into question the viability of biometrics as a secure method of authentication, and recommend several years to be dismissed as such.
This simple method is only an indicator of what would be possible to circumvent such devices if advanced technological resources were available.
Biometrics are the study of automated methods for recognizing humans based only on people intrinsic physical or behavioral traits.
Biometric features such as fingerprints, eye iris or retina, voice, or even heartbeat and facial expressions provide benefits in identification systems, both in comfort and usability, as in their unequivocal characteristics for each person.
Many algorithms are used to obtain an unambiguous value from the image, based on recognizable features, such as geometric patterns, distances between points, pressure emboss, etc.
The practical applications of biometrics are diverse and not only applied to the field of security. However, in this field are not as robust as a priori might seem.
We have the preconceived idea that such systems are the future; very advanced and highly secure technology.
We are used to see in films how retinal scanners, voice controls or door openers resting hand on a bright panel are common in the most restricted and trendy places in the world, where only the finest villains are able access.
However, nothing could be further from the truth: Although biometrics are a great support to enhance the security of our information, it are only when used as a second authentication factor along with a password or another mechanism.
If we only were using a single factor, "something you know" (a password) is still safer than 'something you are' (biometrics).
Although advanced biometric systems seem unbeatable, there is no guarantee that after some time remain will remain safe, as technology advances rapidly, and technical resources that would be unthinkable today for a possible attacker, tomorrow could be available for everyone. But our features will remain the same and can be lost forever.
From the point of view of an attacker, the problem of biometric features when used as replacement (and not as a support) to the current passwords, are:
Are Unique, Permanent and Irrevocable
Although one of its initial advantages is that are unique and intrinsic to each person, they can not be replaced, which means that once someone is able to replicate there is no way to revoke them, and generate a new one, unlike with a password or token.
This also generates another problem. If our fingerprint is compromised, it could be used to access any service or device on which it has been used as a credential. That breaks with two of the security rules: use a different password for each service or device (so if someone steals one of them, he will not be able to access the other) and change them regularly.
They are public, and their acquisition is relatively simple
We leave our fingerprint printed everywhere every day (which is equivalent to being writing our password every time we open a door, we take a glass, or we hold the handle of a bus).
Today cameras and camcorders have great resolution and their optical zoom allows long distances, so anyone can have the equipment to photograph our eyes on the street from long distances and with an exceptional level of detail.
With more advanced techniques (for example, Photometric measurements), or even with current ophthalmology technologies it could be possible to measure other parameters such as curvature of the eye, reflectivity, intraocular pressure, ...
The voice of a person can be easily recorded in a bar, via telephone or video conference, and with the right equipment, from long ranges.
Recognition and speech synthesis technology is well advanced, and there is software (initially designed for the music industry) that allows to synthesize new sentences from a few scattered syllables, even emulating different inflections and vocal timbres.
Body movements and facial expressions can be easily captured with technologies used in films (Markerless Mocap: motion capture without markers), or video games (Xbox Kinetic, PlayStation Eye), accessible to anyone nowadays.
These are just a few examples of how easy it is to obtain the biometric features of a person using reallistic techniques.
Are easily replicable
As demonstrated with fingerprints, virtually any physical or motor feature is reproducible because the information obtained is parametric (based on patterns), regardless of their complexity.
Every pattern is replicable if you have the right tools, because there is no random or entropic component as can be found in many mathematical algorithms used in cryptography.
When using memorized passwords, it is very difficult for anyone to force another person to reveal it against their will. Either with an explicit denial, or using plausible deniability (generating a situation where it is impossible to prove otherwise. For example "I have forgotten it").
However, it is possible to be physically forced to use your finger to unlock access, so the use of this kind of authentication adds a threat not only to information security, but to physical integrity for the person, who may be attacked or kidnapped to obtain their credentials.
They can be stolen by means outside the control of the owner
The information extracted from a biometric trait will be stored in a database, regardless of the format used. This opens the door to not only be physically stolen, but also compromising the place where these data are stored, either:
- With reverse engineer the electronic device where it is stored (microchip, memory, ...)
- Compromising the security of a server or database where it could be saved.
It wouldn't be necessary to obtain the "image" of a fingerprint, since the extracted and stored data from it (whether patterns, geometry or hashes) are potentially usable for being injected directly into the system bypassing the sensor, or, after analysis of the generation algorithm, a reconstruction of it.
These systems have a very large attack surface
Compromising a biometric system is not limited to attacks with computer technology. Another potential attack vectors include fields as diverse as:
- Audiovisual: Techniques used in films or radio to fool our senses and create an illusion, can also be used to circumvent an electronic system much easier.
- Medicine: It's possible to alter physiological characteristics, such as pulse, blood pressure, the pupils of the eyes ...
- Mechanics: Technologies such as robotics can emulate human behavior.
- Chemistry: Developing compounds that mimic the skin (such as latex), ocular acuity, ...
- Crafting: It's possible to craft objects realistically simulating human characteristics (such as a face).
- Electronics: The hardware is as vulnerable as the software when you have physical access to it.
- Applied Physics
This means it is difficult to predict what kind of attack could affect a particular biometric system.
The use of biometric mechanisms for consumers are intended to solve a problem of convenience at the expense of security.
Today there are still many people who do not set a password on their phones, tablets or computers for the inconvenience of typing it each time they are used.
Using a fingerprint or other biometric features to solve it, besides it facilitates usability, is not the best way, because in addition to the problems described above, encourages the end user to not be aware of the importance of keeping information safe and they would forget the good practices on privacy, as getting used to memorize good passwords, using a different one for each service, changing them often, or avoiding writing them down and using them in places where they could be "shoulder surfed".
Therefore, is advisable to limit the use of biometric applications where security and privacy are not a priority technologies, and if so, use them only in two-factor authentication systems.