Biometric sensors beaten senseless in tests
c't foils fingerprint, iris and face recognition scanners
Have biometric systems developed to the point where theycould be a viable alternative to passwords and PINs?
The answer is a resounding "nein", according to comprehensive tests of 11 consumer-orientated biometric products by German technology magazine c't .
The results are timely - the biometric security (which includes enterprise products outside the scope of the test) market will be worth more than E500 million euro this year, according to industry estimates.
c't looked at a variety of fingerprint scanners and Webcam sensors designed to identify users by either iris scans or facial recognition. Contrary to the marketing claims of developers, c't found that the devices were "more of the nature of toys than of serious security measures".
c't gave biometrics a resounding thumbs down, after fooling a large number of devices with simple tricks and finding some unusable.
In its attempts at outfoxing the protective programs and devices, c't concentrated on deceiving the systems with the aid of simple procedures (such as the reactivation of latent images) and forgeries, such as silicon fingerprints. It also achieved some success in eavesdropping on the communication (via the USB port) between a computer and the sensor and using this information in replay attacks to fool recognition systems. It didn't try to hack into biometric data directly, though this might be another fruitful avenue of attack.
The face doesn't fit
First up, c't looked at facial feature recognition devices and programs.
It found that Cognitec's FaceVACS-Logon, which commercially available Web cams as its sensor, could be outfoxed with a short video clip of a registered person, running on a notebook placed in front of the sensor. Still images taken on a digital camera proved almost as effective in gaining back door access.
To prevent this kind of deception Cognitec has integrated a higher level of security known as Live-Check, but this made it harder for legitimate users to log on straight away, according to the tests. Worse, by shooting a film where a registered user moved his head from side to side it was again possible to fool the device.
Next up c't looked at a range of fingerprint scanners.
It discovered Siemens' ID Mouse, which is equipped with Infineon's capacitive FingerTIP sensor, could be outwitted with simple tricks, including breathing on fat deposits left by fingerprints on the sensor's surface. Or (more easily) by placing a thin-walled water-filled plastic bag on the sensor's surface to the same effect.
More cunningly, c't dusted the fatty residue of the fingerprint on the sensor with commercially available graphite powder (Ravenol), then stretched an adhesive film over the sensor's surface and gently applying pressure on it. This was a far more reliable hack, it discovered.
Siemens told c't that it would "focus even more on the problem of latent image reactivation".
c't went on to use a police fingerprinting kit it had obtained for the tests and graphic powder to dust for fingerprints left on glasses and CDs, lifted them with adhesive film and then placing them on a scanner.
This foxed Siemens' ID Mouse and the Cherry G83-14000 keyboard, even when the security devices were set in extended security mode.
Eutron's fingerprint reader Magic Secure 3100, another capacitive scanner, resisted heavy breathing but gave up access when graphic powder techniques were brought into play, c't reports.
Apart from the additional difficulty of having to hold up its sliding cover, c't was able to foil Veridicom's 5th Sense Combo in "much the same way" as it defeated other fingerprint scanners.
c't tried to test two PDA products from Biocentric Solutions which use a CompactFlash Card with an integrated fingerprint scanner which fits into a Compaq iPAQ. However since it was unable to work during normal usage, the tests didn't get very far.
Systems like Identix's Bio-Touch USB 200 which scans fingerprints, needed a little bit more lateral thinking to fox.
Not to be thwarted, c't still managed to fool these devices by making up a cast of a finger using a warm candle and silicon. This 'artificial finger' worked a treat, c't reports.
More simply, placing an adhesive film with a lifted fingerprint etched in graphite on a scanner and shinning a halogen lamp above it also foxed Identix's Bio-Touch USB 200 in tests.
Although far less common than capacitive or optical systems, some fingerprint scanners based on thermal recognition systems (such as IdentAlink's Sweeping Fingerprint Scanner FPS100U) have come to market.
c't found this device difficult to set up. But it was capable of defeating its previously successful latent image and adhesive film techniques.
Only silicon copies of authentic fingerprints (far more difficult to obtain and requiring more effort) fooled the device. This is comparatively good, but according to c't, still "a long way off from guaranteeing secure access".
The eyes don't have it
If you think iris scanners might have faired better in the tests, think again.
c't looked at Panasonic's Authenticam BM-ET100, which is designed for the home market, and works with a Web cam.
This presented something of a challenge to break, but c't was eventually able to foil the device by using a high-quality printed image (with a hole cut in the middle) of a recognised user's iris, behind which the hidden eyes of a real human being peered. Presenting digital iris images to the system via a notebook display failed to yield access, for technical reasons which we'll leave it to c't to explain.
Panasonic told c't that in "real life conditions it would not be easy to obtain iris images of authorised persons". It said the product designed for the tests was a prototype, which would be redesigned for the German market.
c't concludes by observing that the products it tested were not designed for high security environments.
Andreas Stiller, of c't magazine, said professional systems may be better but the tests also raise questions about their effectiveness too. He added that tests performed by his colleagues, which took more than a month to put together, suggest that fingerprint scanners on notebooks are "worthless", and that reliance on basic biometric systems could be dangerous.
c't advises that as long as adequate security cannot be guaranteed through biometric solutions, their use needs to be coupled with PINs or passwords (which is a standard option with most systems). It also advises that the sensors of fingerprint scanners should be cleaned after every use, and that regular enrolment options in Windows 98 or Windows ME environment should be blocked.
The magazine also looked at recording biometric data sent by USB devices, which it found easy to record (via eavesdropping) and play back at a later time to gain illicit access. This might be foiled by including challenge-response procedures and encryption technology in devices, it suggests.
c't hopes its work, which has provoked questions in the German parliament, will cause governments on both sides of the Atlantic to review its adoption of biometric technologies in identity cards and the like. ®
Gummi bears defeat fingerprint sensors
Marker pens, sticky tape crack music CD protection
Biometric passports for Brits - by 2006
Face recognition useless for crowd surveillance
Iris recognition is best biometric system
PC card gives notebook thieves the finger
Sponsored: RAID: End of an era?