How Can this Biometric be Spoofed?


The risk of adopting any new technology needs to be evaluated, and a biometric device should be judged against the simple password it replaces. The risk model must be one of balance: there is a tradeoff between security and user convenience, and it runs both ways. Raise security and convenience usually drops; lower security and convenience rises. A biometric sidesteps this password paradox because it increases convenience and security at the same time: the user authenticates with something he/she is and always has at hand, so there is no network password to remember. Because that password is either replaced outright or proxied on the user's behalf by the biometric system, the overall security of the system goes up rather than down.

Attacks on a finger biometric system fall into the following categories:

  • Attacking the physical finger

  • Using artifacts

  • Attacking the communications

  • Compromising the template

  • Attacking the fallback system

For each type of attack, a countermeasure is offered.

Attacking the Physical Finger

This is the type of attack that gets the most press. We have all seen it in the movies, where the hero or villain fakes someone's fingerprints. It is normally done by lifting a latent print or, if the movie is more edgy, by removing the finger itself.

Until recently, it was believed that the biggest threat in this area came from the compromise of a user's print with the user's own complicity. To get a sufficiently detailed "fake finger," it was felt, the user whose finger was being faked needed to be present and willing: he/she would voluntarily offer a finger to be cast in a malleable material that conforms to and sticks to the conspirator's finger. This attack was therefore generally categorized in the same way as the sharing of passwords.

This view of fake fingers as something made only with willing accomplices changed on January 24, 2002. At a conference of SPIE, The International Society for Optical Engineering, Tsutomu Matsumoto et al. presented a paper showing not only the creation of a fake finger from a willing participant, but also its clandestine duplication from a lifted print.

While the procedure Matsumoto used to make a fake finger from a willing participant was very similar to the classic technique described above, he introduced a new element for producing a fake finger from a latent print.

To create a fake finger from a lifted print, Matsumoto needed a high-quality latent image. In his experiment, he retrieved his print from a flat sheet of glass on which a full impression had been left. The sheet of glass was then fumed with a cyanoacrylate compound. Cyanoacrylate is better known to the rest of us as the active adhesive in "super" glues; applied to the skin, it will cause the skin to stick to itself. The fact that cyanoacrylate bonds to skin residue as readily as to anything else makes it ideal for finding and imaging latent prints. A residual fingerprint is initially made up of water and other biological compounds. As the water evaporates, the print left behind is composed of amino acids, glucose, lactic acid, and other sundry biological agents. Cyanoacrylate fuming bonds cyanoacrylate molecules to this biological residue, and the enhanced print is then easier to handle and image.

To get a very clear image of the print, Matsumoto imaged it with a high-end microscope and then enhanced it with image-processing software. Once the print was digitized and enhanced, he printed it onto a transparency, cut out the print, and used the transparency as a mask over an ultraviolet- (UV-) etchable printed circuit board (PCB). After the board was exposed to UV light through the mask and etched, the PCB carried an image of the finger with the ridges and valleys inverted: where there should have been a ridge there was a valley, and where there should have been a valley there was a ridge. In other words, the PCB was a mold. Once the gelatin ("gummy") mixture was sufficiently soft, it was poured onto the PCB and, when set, came away with a fingerprint of the correct shape. With this finger, Matsumoto was able to fool a number of capacitance and optical scanners. It is interesting to note that he did not try an RF-based scanner. It is my hypothesis that the RF scanner would have been unable to image the fake, since there was no underlying ridge and valley structure to reflect the waves that would penetrate the gummy finger.

Mitigating this attack

While it is clear from the example that Matsumoto showed great ingenuity in creating a new type of fake finger that could fool a number of sensors, it also proves the adage that given enough time, money, and energy, any system can be defeated. What the adage does not tell us is how to interpret the result: how easy would this be to accomplish in the real world? Consider the following:

  • Most latent prints are partial. When you leave a latent print behind, it is normally smudged or incomplete; just ask any forensic team member at your local police department. A partial print makes it harder to get a workable fake, and the part that is left behind may not be the part of the fingerprint captured in the enrolled template.

  • Most surfaces that could carry a latent print are not easy to work with. If you look at the items you spend most of your time touching or using in a day, they are generally plastic, and as such not the easiest things to lift a latent print from. Very rarely in a day do we touch a flat piece of glass in such a way as to leave a full print. One such flat piece of glass is a computer monitor: we routinely touch a monitor when pointing at an item on the screen or demonstrating to a colleague. If a monitor were used as the source of a latent image, though, we would probably notice either the fume hood over the monitor or the cyanoacrylate print on the screen, since cyanoacrylate fuming is a destructive method that leaves the developed print permanently affixed to the surface it was lifted from.

  • Cyanoacrylate fuming is not exactly a "rinse-lather-repeat" procedure. If the item carrying the latent print is fumed too little or too much, the print comes out under- or over-developed. Secondly, once made visible by fuming, the latent image must be digitized with a high-resolution device. While digital photography continues to advance in resolution, it will be a while before it matches the resolution and power of the microscope Matsumoto used, which is not an item you will find at a local high school. Common items found around an office do not work well as sources either. In my own experiments, CD jewel cases, telephones, keyboards, and most mice provided poor surfaces for imaging.

  • Use a sensor with "alive-and-well" detection. Alive-and-well (liveness) detection refers to a device's ability to determine whether the presented finger is alive and well. Techniques used have included pulse detection, temperature, capacitance, and blood oxygen level. Of these, Matsumoto would probably be able to defeat pulse detection by squeezing the gummy finger, temperature by warming it sufficiently, and capacitance either by blowing on the sensor or by lightly dampening the fake finger. The hardest to fake would be blood oxygen: since the sensor measures the oxygen saturation of the blood in the finger, the attacker would need to introduce a liquid that mimics it. Additionally, all of these countermeasures rely on physiological traits that vary widely from one individual to another, so the tolerances on any of them may have to be so loose as to make them meaningless. The real reason for implementing them is to increase the time, money, and effort an attacker must expend to defeat the system. There is also a cost tradeoff for the buyer of the scanner: each countermeasure increases the cost of the unit, and when deploying 10,000 devices, additional per-unit cost is less easily tolerated.

  • Random finger authentication. In this countermeasure, the user enrolls several fingers, up to all ten. At authentication time the user is challenged to present a particular finger. This poses a problem for an attacker using a fake finger, who would need to know which finger the lifted print came from and would need a fake of every finger that might be requested. The system could also prompt for a sequence of fingers.

  • Use multi-factor authentication. A biometric used in conjunction with a token makes any fake finger worthless without the token. Now, not only does the attacker have to obtain your prints and know which fingers they are from, but he/she also needs your token. The time and effort required to mount a successful attack have increased, since a second factor of authentication must also be compromised.

As you can see, this attack is novel and has raised the bar in terms of creativity. It is also clear that the general fear, uncertainty, and doubt (FUD) around this vulnerability was a tempest in a teapot. The use of additional authentication factors, alive-and-well detection, or finger challenge-and-response can adequately deal with this threat.

Using Artifacts

As we saw in the attack on the physical finger, the latent prints, or artifacts, we leave behind can be exploited. This particular attack focuses on artifacts left on the scanning device itself. It is only logical that if we touch a device, we leave some trace of ourselves behind, and that trace might be exploited to trick the biometric system into authenticating us. For this to work, the sensor would need to be fooled into thinking a new finger placement has taken place and image the artifact. From the previous discussion of imager types, we know that RF devices image the live skin below the outer layer of the finger, so it is very unlikely that artifacts can be used against an RF scanner. For optical and capacitance devices, it may be possible.

Using an artifact on a capacitance scanner normally involves tricking the scanner into thinking a finger is present. The sensor captures an image when it sees a sufficient change in capacitance, which a real finger produces mainly through its moisture content. To reproduce this with an artifact in place, an attacker could breathe or blow across the surface of the imager, or lay a thin-walled plastic bag of water on it.

For an optical device to be tricked into imaging an artifact, the camera needs to snap a frame. Most optical systems detect the presence of a finger from a change in luminance. This can be triggered by shining bright light into the camera system, or by covering the platen with a hand and darkening it enough to simulate a finger placement.

Mitigating this attack

What is clear from this outline is that the mere presence of an artifact lets the attacker attempt the attack, and that the attacker generally does not alter the latent print. To mitigate such an attack, the following could be done:

  • Remove the artifact. There are several ways to accomplish this. The first is in software: the firmware of a device could remember the last finger imaged and discard the next image if it is a very close or exact match. This works because the way a human places a finger on a scanner varies enough that two live placements never produce the same image. Alternatively, the imager could use a swipe-style placement, in which the finger is dragged across the platen to be imaged; this erases the print as it is read. The artifact could also be removed by mechanical means, such as a door that closes over the platen or some other wiping mechanism.

  • Use alive-and-well detection, as previously described.

  • Require that the biometric system not accept the same print twice in a row. With more than one print enrolled, the biometric system can force the user to authenticate with a finger different from the one used last time. The latent image on the platen then becomes useless, since it is of the finger used on the previous attempt.

Like physical finger attacks, artifact attacks can be easily mitigated.

Attacking the Communication Channels

If an attacker cannot compromise a system at the point of collection, the next logical place to attack is the communication path. If the information in transit can be altered so that a false acceptance or a false rejection occurs, the attacker has succeeded. To do this, the attacker may physically tap the line between the device and the PC, install Trojan software on the PC to intercept the template before local or remote comparison, or replay a previously successful authentication attempt.

Mitigating this attack

While the general principles of securing a biometric transaction are covered later in this book, for our purposes here, the following will help mitigate the above risks:

  • Real-time line monitoring. With USB, it is now possible for a device or host to monitor the quality of the connection between host and peripheral, including bus voltage and lost packets. If the voltage drops unexpectedly or lost packets increase in number, this could signal to the host or peripheral that the physical link has been tampered with.

  • Trojan software. If Trojan software is present on the host, many security products could detect it and alert the user. The biometric system on the host could also implement a secure memory model: named pipes are used between the capture and comparison processes, and the data passed between them is protected under a key established by a Diffie-Hellman exchange authenticated with the station-to-station protocol, so that a process that merely reads the pipe can neither obtain nor substitute a template. The biometric system could also be implemented as a trusted device. See Chapter 11 for more details.

  • Prevent replay attacks. As with artifact attacks, the biometric software could reject an exact repeat of a previous image. It could also sign each frame together with a timestamp, so that the timestamp can be verified and a frame from the past discarded. The device and host could further set up session keys and sequence numbers that keep transactions aligned and prevent any out-of-sequence transaction from being used.

Replay attacks can be prevented through some programming fundamentals and standard cryptographic schemes.
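The secure memory model, the signed and timestamped frames, and the session keys above can be tied together in one worked exchange. The Go program below is an added example written for this edition; it is not code from the book or from any product the book describes. It uses X25519 for the ephemeral Diffie-Hellman and Ed25519 signatures over both ephemeral keys in the station-to-station pattern (the full STS protocol also encrypts the signatures under the session key; that step is omitted here), then MACs every capture frame with a sequence number and a timestamp. The host rejects a frame that fails the MAC, arrives out of sequence, is stale, or repeats the previous image exactly, which is the same check the artifact section proposed. The pinning of the long-term keys, the five-second clock skew, the label string and the sample captures are assumptions of the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// must: key generation or parsing failures are fatal; protocol failures are returned as errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Session is one side's view of the link: the frame-MAC key plus the host's replay state.
type Session struct {
	key      []byte
	lastSeq  uint64
	lastTime int64
	lastImg  [32]byte
}

// transcript is what each party signs: its own ephemeral key followed by the peer's.
func transcript(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// sessionKey derives the frame-MAC key from the X25519 secret and both ephemeral keys.
func sessionKey(shared, devEph, hostEph []byte) []byte {
	h := hmac.New(sha256.New, shared)
	h.Write([]byte("biometric-frame-mac-v1")) // assumed label, binds the key to this use
	h.Write(transcript(devEph, hostEph))
	return h.Sum(nil)
}

// Handshake: signed ephemeral Diffie-Hellman (station-to-station style) between device and host,
// both simulated here. Each long-term Ed25519 public key is assumed to be pinned on the other side.
func Handshake(devPriv, hostPriv ed25519.PrivateKey) (*Session, *Session, error) {
	devPub, hostPub := devPriv.Public().(ed25519.PublicKey), hostPriv.Public().(ed25519.PublicKey)
	curve := ecdh.X25519()
	devEph := must(curve.GenerateKey(rand.Reader))
	msg1 := devEph.PublicKey().Bytes() // msg1, device -> host: device ephemeral key
	hostEph := must(curve.GenerateKey(rand.Reader))
	msg2 := hostEph.PublicKey().Bytes() // msg2, host -> device: host ephemeral key + signature
	msg2Sig := ed25519.Sign(hostPriv, transcript(msg2, msg1))
	if !ed25519.Verify(hostPub, transcript(msg2, msg1), msg2Sig) { // device checks the pinned host key
		return nil, nil, errors.New("host signature invalid")
	}
	sharedDev := must(devEph.ECDH(must(curve.NewPublicKey(msg2))))
	msg3Sig := ed25519.Sign(devPriv, transcript(msg1, msg2)) // msg3, device -> host: signature
	if !ed25519.Verify(devPub, transcript(msg1, msg2), msg3Sig) { // host checks the pinned device key
		return nil, nil, errors.New("device signature invalid")
	}
	sharedHost := must(hostEph.ECDH(must(curve.NewPublicKey(msg1))))
	return &Session{key: sessionKey(sharedDev, msg1, msg2)}, &Session{key: sessionKey(sharedHost, msg1, msg2)}, nil
}

// NewLink generates fresh long-term keys for both parties and runs the handshake.
func NewLink() (*Session, *Session, error) {
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, hostPriv, _ := ed25519.GenerateKey(rand.Reader)
	return Handshake(devPriv, hostPriv)
}

// Frame is one capture sent device -> host: sequence number, device timestamp (seconds),
// image bytes, and an HMAC over all three.
type Frame struct {
	Seq   uint64
	Time  int64
	Image []byte
	MAC   []byte
}

func frameMAC(key []byte, seq uint64, ts int64, image []byte) []byte {
	var hdr [16]byte
	binary.BigEndian.PutUint64(hdr[:8], seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(ts))
	h := hmac.New(sha256.New, key)
	h.Write(hdr[:])
	h.Write(image)
	return h.Sum(nil)
}

// Send is the device side: number, stamp and MAC the frame.
func (s *Session) Send(ts int64, image []byte) Frame {
	s.lastSeq++
	return Frame{Seq: s.lastSeq, Time: ts, Image: image, MAC: frameMAC(s.key, s.lastSeq, ts, image)}
}

// Receive is the host side. It rejects a frame whose MAC fails (tampered, or from another session),
// whose sequence number does not strictly increase (replay or reordering), whose timestamp is
// stale, or whose image repeats the last accepted one bit for bit (replayed capture or artifact).
func (s *Session) Receive(now int64, f Frame) error {
	digest := sha256.Sum256(f.Image)
	switch {
	case !hmac.Equal(f.MAC, frameMAC(s.key, f.Seq, f.Time, f.Image)):
		return errors.New("bad MAC")
	case f.Seq <= s.lastSeq:
		return errors.New("out-of-sequence frame")
	case f.Time < s.lastTime || f.Time < now-5 || f.Time > now+5: // 5 s of clock skew allowed (assumed)
		return errors.New("stale timestamp")
	case digest == s.lastImg:
		return errors.New("identical image to previous capture")
	}
	s.lastSeq, s.lastTime, s.lastImg = f.Seq, f.Time, digest
	return nil
}

func main() {
	dev, host, err := NewLink()
	if err != nil {
		panic(err)
	}
	f := dev.Send(1000, []byte("constructed capture")) // constructed stand-in for a sensor image
	fmt.Println("fresh:", host.Receive(1001, f), "| replayed:", host.Receive(1002, f))
}
```

A frame captured from the line and played back later fails on the sequence number before the timestamp is even consulted, and a frame produced under a different session (for instance after the attacker re-plugs the device and forces a new handshake) fails the MAC because the key depends on both ephemeral values. Note what this does not give you: if the Trojan sits inside the process that holds the session key, it can produce valid frames, which is why the text also points to a trusted device.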

Compromising the Template

Moving up the attack food chain, if capturing and altering the comparison template in transit proves impossible, the attacker may attempt to compromise the stored reference template instead.

To modify the reference template, an attacker could attack the medium on which the template is stored, the machine serving the template, or the template itself while in transit to the comparison host.

Mitigating this attack

This attack is very similar to attacking the communications. To guard against this type of attack, some simple network security procedures can help:

  • Protect the storage medium. Where the reference template is stored is just as important as how it was protected on its way there. Whether the template sits in an LDAP directory, a relational database, or a proprietary database format, the store itself needs proper precautions: keep the directory or database software patched to the latest release, and make sure its administrative passwords are set, strong, changed regularly, and not the defaults.

  • Protect the storage host. The machine the store runs on needs the same care: keep the operating system patched, and stop and disable unnecessary services and other input/output (I/O) channels, since every additional service or program on the machine is a potential entry point for an intruder. Physical access to the machine should also be restricted; if a machine can be reached physically, it can be compromised.

  • Protect the template in transit. As with preventing a replay attack, the data passing between the storage medium and the comparison host needs protection. This could mean using Secure Sockets Layer (SSL) or another secure transport protocol, and encrypting and signing the contents.

Once again, some simple networking and security common sense provides adequate protection against this type of attack.
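As an added example, not from the book or from any product it mentions, the Go program below shows the "encrypt and sign" protection applied to a stored reference template. AES-256-GCM provides both confidentiality and an authentication tag, and the user ID is passed as associated data, so a record that is modified in the database, truncated, or copied from one user's entry into another's fails to open. The key, the user names and the template bytes are constructed for the demonstration; in a deployment the key would live in a key store separate from the template database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newAEAD builds AES-GCM from a 16-, 24- or 32-byte key (32 bytes = AES-256).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTemplate encrypts a reference template and binds it to userID through the
// associated data. The stored record is nonce || ciphertext || tag.
func SealTemplate(key []byte, userID string, template []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, producing the record in one slice.
	return aead.Seal(nonce, nonce, template, []byte(userID)), nil
}

// OpenTemplate returns the plaintext only if the record is intact and was sealed for
// userID. A modified or truncated record, or one copied from another user's entry into
// this one, fails authentication and yields no template at all.
func OpenTemplate(key []byte, userID string, record []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(record) < ns+aead.Overhead() {
		return nil, errors.New("template record truncated")
	}
	pt, err := aead.Open(nil, record[:ns], record[ns:], []byte(userID))
	if err != nil {
		return nil, errors.New("template failed authentication: modified or bound to another user")
	}
	return pt, nil
}

func main() {
	// Constructed key and template for the demonstration. In a deployment the key lives in
	// a key store separate from the template database, never in a column beside the records.
	key := []byte("0123456789abcdef0123456789abcdef")
	rec, err := SealTemplate(key, "alice", []byte("constructed minutiae template for alice"))
	if err != nil {
		panic(err)
	}
	_, err = OpenTemplate(key, "alice", rec)
	fmt.Println("alice's record under alice's ID:", err)
	_, err = OpenTemplate(key, "bob", rec)
	fmt.Println("alice's record swapped under bob's ID:", err)
	rec[len(rec)-1] ^= 0x01
	_, err = OpenTemplate(key, "alice", rec)
	fmt.Println("record modified in storage:", err)
}
```

The same sealed record is what can travel to the comparison host, which then needs only the key and the claimed user ID to check it; the user-ID binding is the part a plain "encrypt the column" approach misses, since without it an attacker with write access to the store can copy a template he/she has enrolled under a throwaway account into a privileged user's entry.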

Attacking the Fallback System

In any biometric system there will never be 100% coverage of the user base, and some users will have biometric failures from time to time that require them to use a different factor of authentication. These fallback systems are also open to attack. If the strongest point of a system is the biometric, an attacker will focus on the weaker parts; in general, that is the fallback system.

Mitigating this attack

Because this type of attack is very fluid and changes from one biometric system to another, the best policy is to make the fallback as strong as possible. If the fallback for your users is a user ID and password, make the password strong enough to resist easy password attacks. Also, if a user who normally uses biometrics falls back to a password, have that password expire within a short period, so that the window for a successful compromise is small. If possible, assign a token and a password for fallback, so that an attacker would need both to mount a fallback attack.



Biometrics for Network Security (Prentice Hall Series in Computer Networking and Distributed)
ISBN: 0131015494
Year: 2003
Pages: 123
Author: Paul Reid
