Probably not. It seems they never will!

So what this research basically says is that you have a poorly designed and implemented solution, and you're able to get physical access to the cables, then you can log data and maybe do something with it. What a shocker!

If the reader & access control are designed properly they'll be hardened to prevent investigation of the hardware - the hardening techniques are well known and proven.

Encrypting the data (with optional time coding) is trivial too, which makes capture pointless and replay/injection non-functional.

Plus you can install everything in a way that restricts physical access which stops anyone attaching a logger/peplay system. You can't eliminate physical access as someone needs to get in to maintain things, but you have to trust someone otherwise the system is already worthless.

Of course the value of the actual biometric as a robust access control method is dubious - there's not much point attacking/protecting the system when it's perfectly practical to just provide a fake input to the system that will get you straight in.

So the whole 'keylogging' thing is not only easily defeated but in any case not exactly the best method to use anyway.

...schools in New South Wales seem keen to fingerprint as many kids as possible, with or without parental permision:

http://www.abc.net.au/news/stories/2008/04/03/2206666.htm

Let's pretend it's a little way into the future and we all have our pass cards, sorry ID, and we have just entered our fiftieth door or police check or credit card payment: just how many people have had a chance to copy that fingerprint? With keyloggers maybe, or even sticky tape for that matter?

This is all well and good but the fact of the matter is that the systems AREN'T implemented as you suggest, there is no encryption, the "hardening" of the system essentially breaks down to making it "vandal resistant".

You are essentially using the same line as a couple of RFID manufacturers are using of late, "Yes it's there but it's not a problem there's better systems now" (ignoring the already wide deployment of these systems and the incredibly low likelihood that anybody is going to completely replace their existing system)

Hardening the hardware doesn't make a lot of difference when you have 500m or more of cable running from the access panel to the backend system which runs through your building and no doubt provides say an electrical contractor ample opportunities to place a logger /somewhere/ along the line, one can fairly easily convert wiegand to something else and send it over the air so the actual logging system need not even be IN the building, not to mention that if you DO discover somebody's tapped your access control system you then need to FIND the device in question along the 500m cable run.

This is a real attack, it has real consequences, and being able to reconstruct images of fingerprints passing through the system is a good way along the path to creating an analogue of that fingerprint.

People need to realise that Biometrics are not suitable for AUTHENTICATION or AUTHORISATION, they are suitable to some point for IDENTIFICATION but the access control should not be based solely on them.

The biggest issue with biometrics is that of revoking them if they get stolen...

It's the only way to be sure!

Just tried this and it works.

Put some cling-film over a finger-print reader. It looks pretty much invisible.

Press finger to reader. It recognises me and allows access.

Carefully peel cling film off reader.

Voila! A perfect finger-print that I know will allow me access. Only need to make a gummy-bear model and I'm in.

OK. This was done on my own system using a crappy USB reader but I'll bet it works with other systems as well.

Cheers

. . . running around with fists in their ears shouting "lalalalalalala" after reading this. Their wet dream on the final solution has been challenged with a haxing condom.

Actually, they might just ship old USSR documents to Brussels and start reading on how to really oppress people.

Haxer is the human gift to the IT world

All the extra measures to make the solution tamper-proof make the solution more expensive and/or complex too. This doesn't encourage adoption of the "de luxe" version by budget-conscious managers. So lowest-cost systems will be the rule and remain vulnerable, and yet retain the miasma of infallibility.

It appears to me that biometric ID techniques haven't been attack tested yet. The fingerprints is an obvious example, the technology to capture and plastic-print fingerprints has been around a long time, yet only now has Computer Chaos Club done an attack to show how easily copied they are.

What about DNA, it's only markers they're measuring not the full DNA, how difficult is it to chemically synthasize those markers so that you take someones DNA profile and make that marker?

Then there's retina, if we can get a retina scan I don't see what stops us reproducing it. It's just imaged isn't it? It just needs an image to work from.

All these half assed biometrics things haven't passed attacks like the encryption and security protocols have. Perhaps it's time they did.

"Fauxnger" perhaps? "Fauxball" for fake eyeballs? "Fauxtalia" for systems that need both balls and finger?

"People need to realise that Biometrics are not suitable for AUTHENTICATION or AUTHORISATION, they are suitable to some point for IDENTIFICATION but the access control should not be based solely on them."

Wrong.

Biometrics are near hopeless for IDENTIFICATION, which relies on the system searching a database of everything for a match, especially if the biometrics on record were not taken with consistent quality and attributes.

Biometrics are suitable for AUTHENTICATION only when compared against a known good reference data obtained previously, and associated with a given ID.

AUTHORISATION is a system decision following correct IDENTIFICATION & AUTHENTICATION, nothing what so ever with the biometric or the reader.

"The biggest issue with biometrics is that of revoking them if they get stolen..."

Correct.

"If the reader & access control are designed properly they'll be hardened to prevent investigation of the hardware - the hardening techniques are well known and proven."

ahahahaHaHaHaHAHAHAHAHAHAA.

No they won't. Security is always an afterthought, and an additional expense. Lots of people will want magical biometric sauce in their security setup, but I rather suspect that a significant percentage will choose based on price rather than resilience to attack.

Give it a few years, and no doubt this sort of research will become illegal anyway, or publishing these sorts of results wil result in a hefty suing.

Why wait for a security firm to release a flimsy report on breaking fingerprint scanning when you can simply get the info you need on TV much quicker.

http://www.youtube.com/watch?v=LA4Xx5Noxyo

Mythbusters break fingerprint scanning with a variety of methods.....including a photocopy of a fingerprint!

Seems to me what we REALLY need is a biometrics scanner that can tell the difference between a real finger and a photocopy of a fingerprint (see mythbusters, they defeated several fingerprint scanners with a photocopy) then it doesn't matter how much data people intercept.

Seriously, how hard can it be to tell the difference between a real finger and a photocopy? all you need is a colour sensor ffs!

Ok, so the 3d gummi bear molds of fingers are harder to detect, but still. come on people!

</rant>

I've said it time and again, PIN numbers and passwords can easily be changed if compromised, but what the frick do you do if your biometric is likewise lifted??!!

I wonder if there will develop a market for rubber finger ends (think of something like a thimble), each one with a unique 'fingerprint' pattern imprinted onto it, which you can use instead of your own, to be binned and replaced by another if it ever gets copied?

There was a suggestion some years back that the pattern of blood vessels on the back of the hand is unique enough to use for some identification. There were a number of pluses to this (linked to ATM's at the time) including:

scan while entering pin - non intrusive

only works on a live hand ie if cut off the pattern changes enough to fail.

can put enough "fuzzy" in to allow for temperature/condition

So we now have a slightly variable ID so if it's the same as previous could reject, if remains constant can reject, if too different can reject.

or Minority report for that matter. Whats to stop a mugger taking my eyeball instead of just my wallet? Fingerprints? DNA? just cut someones finger/hand off.

Having your wallet stolen is upsettting, I'm thinking this new biometric world is going to make muggings really unpleasant.

they've been cracked wide open... must have... saw it being done in Charlies Angels the movie, so it must be true...

I find the whole digital biometrics thing very scary...the government already has enough problems storing data securely, and the idea of handing over retina, fingerprint and possibly DNA samples to be held in this way for "security"....

Theoretically, is it possible that once all of this information was stored in a giant gov DB that:

1) This system can be hacked or the data lost in the post...

2) Your fingerprints/DNA etc can be copied and synthesied in some way.

3) This "flawless" evidence could be used to incriminate you...? Or pass security checks for identity theft? And eventually lead to major problems in securing convictions using DNA evidence etc?

Seems to me this entire plan is fatally flawed and only likely to increase security concerns...

Evil looking Bill cos it's all his fault really...

I'd say MrMan has got it right.

Surely it's:

Biometrics are suitable for IDENTIFICATION when compared against known good reference data obtained previously and associated with a given ID.

Biometrics are not suitable for AUTHENTICATION because they cannot be revoked and are carried in the open (as Wolfgang Schauble just found out).

So you could securely replace a username with a fingerprint say, but not the username / password combination.

Or am I missing something?

It wasn't that long ago that some Russian (I think) perps stole a fingerprint-access Merc by the simple expedient of removing separating the Merc owner from his digit.

Nice.

Revoking an authentication token shouldn't involve a trip to A&E.

Mine's the one with the sewn-up sleeve.

With "old-fashioned" locks (where all the keys are identical), if a key goes astray you have to change all the lock cylinders and issue new keys. It's a pain, for sure, but at least lock cylinders are designed to be changeable for this reason.

With more sophisticated electronic access control systems (where each "key" is unique and some black box containing proprietary electronics about which you know precious little determines which ones are valid), if a key goes astray you can program the system not to allow that key to open the locks.

But with biometric security systems, where the user *is* the key, once somebody manages to bypass the system then the whole thing is undermined. Short of denying the impersonatee access to the facility, you can only introduce additional security layers.

Even using encryption between the fingerprint reader and the controller doesn't necessarily make the system any more secure. If the encryption key never changes, then a previously-intercepted, encrypted message will always decrypt correctly. (Which is why the encryption schemes used on read-only optical discs such as DVDs are no barrier. A bit-by-bit copy can still be correctly decrypted by a player.)

If the encryption key is changed, then there is still a possibility that keys could be intercepted by means of a classical man-in-the-middle attack. Out-of-band key exchange systems (e.g. flash PROMs programmed alike at time of manufacture, one each end of the link, keys chosen at fixed times) are still vulnerable to denial-of-service attacks; and the recovery from such an attack requires placing the system into a known state, which must be assumed vulnerable.

Then there's the Law of Diminishing Returns to consider. At some point, the cost of "access control systems" will begin to outweigh the value of whatever they are supposed to be protecting.

Of course, what with Sophistication being the name of the horse on which Failure rides into town and people always being the weak link, it wouldn't surprise me if someone managed to get into a "secure" facility by means of a simple denial-of-service attack -- crudely lock everyone out of the building so that a fire exit has to get pressed into service as a temporary main entrance, and follow someone in there. Believe it or not, fire exit doors are only rated for a limited number of opening and closing cycles (how many times do you expect a building to go on fire?) after which they are designed to fail safe -- i.e., not shut properly.

And if the fingerprint readers ever become hard to bypass with an actual copy of a genuine print (any good clear print lifted from anywhere inside the controlled area ought to do the necessary), would-be miscreants will simply have to turn their attention elsewhere -- such as the solenoid in the door frame which releases the lock when fed with a suitable voltage from the electronic controller or a portable battery pack; or that old standby, the hinge pins. Or if the doors really are too robust then they might even resort to removing a few bricks, or tunnelling in from below! Nobody has used such methods for years, so hardly any modern security expert is expecting anyone to try them.

The government already has that sorted - you are already guilty and they will bring in hanging to neatly revoke the biometric.

"The biggest issue with biometrics is that of revoking them if they get stolen..."

There are several ways to steal fingerprints. The most obvious must be a fingerprint scanner. "Scan here please"

There is a good way of revoking a fingerprint, cut the finger off. Theves may also cut off your thumb if it's needed to steal your car.

In the film Minority Report the rogue police officer had his eyeballs surgically replaced with different eyeballs. It helpled when he traveled on the Tube. He kept his original eyeballs to re-enter the pre-crime facility. Lack of proper security meant that they had not revoked his right to enter the building. (The same movie where he steals a car by climbing onto the car production line and it is built around him, then drives off)

I think RFID implants are the way to go. You can have these surgically removed and replaced with different ones. Heck I expect you could re-flash the ID number with a handheld device.

The glaring point everyone seems to be missing is that the weak link in every security configuration is… us! (i.e. us human beans!)

It doesn't matter what level of secure sophistication you implement there will always be the vulnerable human flaw in the system whether it's an unscrupulous contractor stealing confidential information or an absent minded manager letting the wrong person know his password.

Until we nail down our own biological security ethics every secure system in the world is flawed to varying degrees of ease of access - so in other words nothing will ever been totally secure ... !

The biometric keylogger comes as no surprise. As the X9F4 working group chair that develped the American National Standard X9.84 Biometric Information Management and Security, published in 2001 and revised in 2003, and coordinated its ISO 19092 counterpart published in 2008, we have been advocating digital signatures for authentication and encryption for privacy of biometric data for years. These standards have been promoted at numerous security and technology events, but the vendors and most of the buyers just don't seem to understand the importance of securing the biometric data. In the news recently, there's a certain large company who was awarded a $1B contract (yep, that's a "B") by a 3-letter agency to develop a national biometric database. If security isn't built into this system, I shudder to think about the consequences and the impact to national security.

They say new systems will only work with a 'live' finger/eye/penis/etc inserted, but will your average thug think it through, or find out *after* he has removed your appendage and failed to gain whatever he was after?

Or maybe just kidnap and/or torture a family member and/or friend until you cooperate?

TIA may be science fiction now, but so were mobile phones and the 500MHz cpu....

Sorry got to go there are people in black breaking my door down as I type this messfdgsdgfge

Vein prints? Did you think before you wrote that???

Think about how such a system would work.... it will be a special colour lamp to highlight the veins and a camera (possibly with a special filter)...

Pretty much anything that relies on using a camera can be fooled with a visual replication (eg photo - which can be made vagualy 3d by wrapping it around an object of roughly the same shape and size if necessary) of the original item.

Fingerprint scanners, Iris Scanners, Vein Prints Scanners, Facial Recognition.. they all rely on cameras. Even systems that check for correct temperature can be fooled as anything can be warmed to roughly the right temp and the scanners must have leeway of a few degrees variation anyway.

The whole concept is flawed.

1. http://biolab.csr.unibo.it/ResearchPages/SFinGe_Download.asp

2. http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en

(steps 6. and on)