Author Topic: Biometrics  (Read 1409 times)


  • Software Engineer
  • Assistant Leader
  • Senior User
  • Posts: 257
  • Hello world. :)
« on: April 12, 2015, 02:58:36 PM »
I decided a while ago to write some things about security/biometric (hacking), but I've been swamped with work for university. Managed to write a first small part on it though, will add more when I have more spare time :P


In this first post on biometrics Iíll go over a brief history, and delve into two of the most common biometric systems we use today namely ďfingerprintĒ scanners and ďirisĒ scanners. First of all, however, what is biometrics and how is it relevant to security?

Put very simply, a biometric device is a device capable of identifying someone based on characteristics of this individualís body. As weíll see, not every device can offer the same certainty that a person is who he claims to be, and can be cheated into thinking you are someone else with clever tricks. TV shows have popularized the idea that once you have someoneís fingerprint, you are 100% sure who did it. This is an exaggeration, but it can give you a pretty decent accuracy (some offer upwards of 97% accuracy, but never 100% yet.)
How did this idea come about?

The use of biometrics to identify people was an invention of Alphonse Bertillon and is often called ďBertillonageĒ. He used physical measurements to identify people in law enforcement, such as their height, size of their skull or length of their fingers. Given enough of these physical parameters, you could safely say that person A is person A, because person B has shorter fingers. You need an index for this, of course, so this was to prevent people using Ďaliasesí whom have commit two different crimes. From this, you should have gathered that this technique is old, and it was in fact developed 125 years ago. We do not use this anymore, thank god, because the odds of two people having exactly those same physical quantities became increasingly likely in larger cities, and in 1903 there was such a case at Fort Leavenworth prison.
Though this might sound like a silly idea to us now back in the late nineteenth century it made sense. Besides, fingerprints were first found to be a good means to identify someone in 1915, because of their uniqueness, and good fingerprint scanners were not invented yet even then.

Though fingerprints are not the only unique part of your body, your iris, DNA and a handful of others are sufficiently unique to be used as method for identification. Fingerprints are an easy way to achieve this identification in a low-tech world, but nowadays iris scanners are on the rise as the power of computers increases.
Iíll get back to iris scanners later, letís first talk a bit about fingerprint scanners. Fingerprint scanners (FPS) have been used since 1915 and have seen an ever-increase in their use. Whilst they did start out in much the same way as Bertillonage, they are now a method of preventing inappropriate facebook status updates, by requiring a fingerprint scan before someone can access your device. 

How do FPS achieve this?
Itís a 5-step program, first they take an image of your fingerprint. Next, they process this image and afterwards figure out the location of distinctive characteristics (these traits are called minutiae). After which they create a template, and template matching. A scanner takes a mathematical snapshot of someoneís traits, and stores this in a database.
The accuracy of this scanner depends on the dots per inch quality of the image. (DPI), and the quality can depend on the circumstances. Cold weather is better for FPS because there is more oil in your fingers, which produces a better print. When itís warmer, you can press harder on the plate as a quanter-measure.

This is a basic explanation of fingerprint scanners, but more interestingly, how can we deceive them?
As Iíve explained earlier, they are not 100% accurate and have a false positive and false negative rate. (False positive is saying itís a match when itís not, false negative is saying itís not a match but it is). The false negatives are quite bad when you want to identify a terrorist, but the false positives are quite bad when you want to keep others out of your computer. But for our purpose, letís say that an accidental false positive or negative is not a way of beating the system, but rather a way for the system to beat itself in the face with a brick.
In this scenario, Eve wants to access Bobís secret vault, which uses a fingerprint scanner for protection. Eve, being a rather violent person cuts of bobís finger and gains access this way. Whilst a legitimate way and one that Hollywood really likes, there is a better way. Or, at least, less messy.

Another way which does work, but more in the earlier FPSís is this lame trick. You exhale on the FPS plate. Assuming Bob has accessed his secret vault before, his fingerprint will still be on the plate, exhaling on this will activate the latent fingerprint and the machine will give you access, thinking you are Bob. This is quite easy, but more sophisticated fingerprint scanners will have prevention mechanisms.
You can also print fingerprints, given a 3D printer and a sample of someoneís fingerprint you could create a fake finger which can be used to access the device. Once again, there are countermeasures for this but they are not so obvious, and would mean measuring more than just the fingerprint. Iíll get to that later.

Do notice that these are hacks that actually 'lie' to the FPS, there are also ways to circumvent fingerprint scanners though they are highly dependent on the system which they are hooked up to. An FPS hooked up to a network inherits many of the issues networks have - and there is a theoretical possibility of shutting it down remotely once you have network access. Or you could fetch the files from the machine and feed back the earlier detections remotely. Though, this would actually involve hacking the network and not the device, which is less of what I'd want to talk about here. One small thing to say about it though, is that any biometric device that gains network access (IP address) significantly increases the vulnerabilities of this device. Imagine trying to access a house which has one room - you'd need to find a vulnerability in one room. Now imagine you have a villa with multiple rooms, each room connected to one another but with different outside features, now you can try to break in using a variety of ways. Does the front door work? Nope - Okay we'll try the .. backdoor [spoiler] I had to use backdoor in a text about security, sorry guys! [/spoiler].

I hope this explains a thing or two about  biometrics. If you have questions, just comment on this and I'll try to reply asap. =)

Your IP:

Me at work: