A short while ago, I posted an article titled "The Biometric Authentication Conundrum". In that article, I pointed out that biometrics may have problems that were unanticipated by the security professionals advocating for them. Generally, most security engineers have been pressing forward for biometrics as THE solution to our authentication problems. They hold the belief that biometrics are unique to the individual and therefore cannot be broken or guessed by hackers. I refute that argument and point out that biometrics may have some very serious security flaws and that the implications could be very dangerous for information security in general.
Recently, a German hacker made my point in rather dramatic fashion. Jan Krissler was able to replicate the fingerprint of the German Defense Minister, Ursula von der Leyen (the presumed heir apparent to Angela Merkel), from commercial photographs of her. Krissler used high-quality commercial photographs, plus one he took himself at close range, to reverse engineer her fingerprint using VeriFinger. VeriFinger is one of the most widely used fingerprint biometric authentication development systems in the world, deployed in all kinds of highly secure environments.
Remember, biometrics for authentication are simply files that represent a fingerprint, iris or retina scan, or facial features. If the hacker can steal these files or replicate them as Krissler did, the person's identity has been compromised for life. Unlike passwords, which can be changed, once a biometric authentication has been compromised you do not have the option to change your retina, iris, fingerprint, etc. (of course, barring future developments in plastic surgery or bionics, but that's still another story).
Krissler seems to be reading my mind regarding biometrics when in 2013 he said, "I consider my password safer than my fingerprint… My password is in my head, and if I'm careful when typing, I remain the only one who knows it."
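To make the revocation point concrete, here is an added toy model (not code from the original article or from any fingerprint product) that contrasts rotating a leaked password with re-enrolling a leaked biometric template. The 256-bit template, the noise level, and the match threshold are assumptions chosen for illustration; real matchers use richer features but still accept any sample that scores close enough.

```python
import hashlib, hmac, os, random

BITS, THRESHOLD = 256, 40   # toy template size and max differing bits for a match (assumptions)

def capture(finger, rng, noise=12):
    """One simulated sensor reading: the finger's bits with `noise` of them flipped."""
    sample = list(finger)
    for i in rng.sample(range(BITS), noise):
        sample[i] ^= 1
    return sample

def bio_match(template, sample):
    """Biometric matchers accept anything close enough, not only exact copies."""
    return sum(a != b for a, b in zip(template, sample)) <= THRESHOLD

def pw_enroll(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def pw_verify(record, password):
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, guess)

def demo(seed=1):
    rng = random.Random(seed)
    finger = [rng.randint(0, 1) for _ in range(BITS)]      # constructed "true" fingerprint
    stranger = [rng.randint(0, 1) for _ in range(BITS)]    # constructed unrelated finger

    # Password: the secret leaks, the user rotates it, the leaked copy is now useless.
    leaked_password = "constructed-old-passphrase"
    record = pw_enroll(leaked_password)                     # original enrollment
    record = pw_enroll("constructed-new-passphrase")        # rotation replaces the record

    # Biometric: the template leaks, the user re-enrolls, but it is still the same finger.
    leaked_template = capture(finger, rng)
    template = capture(finger, rng)                         # "rotation" by re-enrollment

    return {
        "leaked_password_accepted": pw_verify(record, leaked_password),
        "leaked_template_accepted": bio_match(template, leaked_template),
        "stranger_accepted": bio_match(template, capture(stranger, rng)),
    }

if __name__ == "__main__":
    print(demo())
```

The leaked template still matches after re-enrollment because both readings are within the noise tolerance of the same underlying finger, which is exactly the tolerance the matcher needs in order to recognize the legitimate user.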
This all may be good news for hackers as many highly secure environments are migrating to biometrics. To break into systems of the future might only require a photograph of the victim's hands, eyes or face, making the hacker's job so much easier.
4 Responses
I find it amazing that you can replicate fingerprints from photos. With this technology, and enough time, you can bypass fingerprint settings on iPhones through spoofing someone else's fingerprints. Isn't that awesome.
Anyways, thank you for the post, OTW.
I can't believe that many secure environments are switching over to biometrics since it can be siphoned. Using these tactics it is only becoming easier to hack into things.
Thanks for the post, OTW.
Biometrics can only be considered as secure as the system that converts your individual characteristics to a sequence of ones and zeros, as your article so clearly demonstrates. My own, slow but steady, study of security would suggest that a variation of one-time pads, such as those used by the German spy in Ken Follett's "The Key to Rebecca", may provide the most secure alternative to an unchanging password. Given that digital books are commonplace, I'm surprised that wiser minds than mine have not come up with a solution.
I happen to be writing a research paper for my English class on the impact of biometrics and I have found your articles on the subject very interesting. Thanks for another amazing article; I will be sure to include this in my paper.