Appeared to be safe
29 March 2004
The former admiration for biometric techniques seems to be fading. It is hard to find systems proclaimed "the safest" guarding access to... anything, and certainly not to critical IT systems. A technical flop, an overly expensive toy, or maybe a lack of understanding?
Author: Tomasz Grabowski
Translation: Aleksandra Malak
The configuration of the face and hands, the texture of fingerprint ridges, the shape and color of the iris, the sound of the voice, the characteristic features of handwriting or even the way of typing on a keyboard: these are features unique to every person. This natural uniqueness is used by biometrics, the field of science concerned with applying unique human features in personal identification systems and, more broadly, in access control systems.
The possibility of identification based on features that cannot be forged, and that are at the same time "always with us", seems to be the ultimate solution to all the problems that arise with conventional identification and authentication techniques: passwords, PIN numbers, microprocessor cards, tokens and their countless combinations. So if it's so good, why is it so bad? Why, in spite of their many advantages, are biometric techniques still not commonly used? What prevents their adoption as the standard for user authentication?
Orwell still terrifies
Conventional identification techniques only allow us to prove that a given person knows the password or PIN number, or possesses the proper card. Whether this person is a legitimate user of the protected resources remains a mystery. The next problem concerns the durability of the "authentication factors". With passwords and PIN numbers, especially when there are several or a dozen of them, memory often fails. On the other hand, with physical factors such as cards, we must reckon with theft or loss. In both situations access to the protected resources becomes impossible.
Biometrics is free from these defects: it identifies the person as such, and moreover a fingerprint is rather hard to lose or forget.
The new technology could find takers in almost every area of life. We can easily imagine the benefits of, for example, a situation in which we do not have to carry any documents or remember passwords, and yet can travel all over the world, have access to our cash, and use a public phone because it will recognize our voice and automatically debit our account with the proper amount. If we have an accident, the relevant service can easily, for example by scanning the iris, obtain full information about our health, blood type and everything else needed for proper treatment. Identification will no longer be a problem. Even if we injure a finger, a public camera can let the relevant service identify us.
That is how we arrive at a serious obstacle to the adoption of biometric systems. Paradoxically, the main advantages of biometrics are at the same time its disadvantages. The main problem is the Orwellian image of a society totally controlled by the government. Establishing every citizen's identity from a fingerprint alone, and unambiguous identification by hidden systems that scan faces or irises, provoke widespread protest from all movements defending civil liberties, and they also conflict with our privacy.
What would happen if, to open a bank account, we had to give our fingerprints? That evokes unambiguously bad associations, which in turn cause reluctance toward this kind of security. Moreover, why should only the bank know our fingerprints? After all, in a world dominated by biometric devices authenticating us in every situation, a fingerprint can be used not only for access to a bank account but also to a cell phone, a car, an apartment and so on. As more institutions come to hold our fingerprints, this form of authentication will gradually lose its value. If, for example, somebody steals this information from a bank and then somehow creates an artificial finger exactly matching the original, he can get access not only to our money but also to all our goods and services secured in the same way.
The consequences of discovering an effective way to deceive biometric systems, if the world decided to rely on them, would seem to be catastrophic. Fear is a powerful force. Unless it is overcome, widespread use of biometric techniques will not be possible. For now we can only try to persuade, without any guarantee, that biometric methods provide a higher level of security than existing authorization methods.
Best in their class
In all vendor materials about the effectiveness of specific biometric solutions, two terms appear: False Rejection Rate (FRR) and False Acceptance Rate (FAR). The first, FRR, is the rate of false rejections: it defines what percentage of tested samples is rejected even though they are correct. For example, an FRR of 10% means that out of a hundred people tested, ten will not be authorized even though they are legitimate users of the system. FAR is the rate of false acceptances: it determines what percentage of tested samples is accepted even though they are incorrect.
The biometrics industry likes to use the FRR and FAR indicators. The lower the FRR, the less burdensome the system is for users (it does not require several authentication attempts). The lower the FAR, the harder the system is for a burglar to break. Ideally both indicators should be equal to zero. And usually they "are", because they carry no information about the real level of security the system provides. The result we get depends only on the way the test is run. For example, with a face recognition system, we can try to "fool" it with a simple photo or with someone else's face, and that face can be more or less similar to the original. To put it delicately, vendors can shape the FRR and FAR values freely.
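How much the published FRR and FAR depend on the way the test is run can be shown with a few numbers. The following is an added example, not taken from any vendor or from the study discussed later; the score lists, the two impostor test sets and all function names are constructed for illustration.

```python
# Added example: every score below is constructed, not measured on any product.

def frr(genuine, threshold):
    """False Rejection Rate: share of legitimate attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)

def far(impostor, threshold):
    """False Acceptance Rate: share of illegitimate attempts scoring at or above it."""
    return sum(s >= threshold for s in impostor) / len(impostor)

# Similarity scores in [0, 1] from a hypothetical face matcher.
GENUINE = [0.91, 0.88, 0.95, 0.62, 0.83, 0.97, 0.79, 0.90, 0.86, 0.93]
# Test set A: unrelated people showing their own faces.
STRANGERS = [0.12, 0.30, 0.25, 0.41, 0.18, 0.35, 0.22, 0.09, 0.28, 0.33]
# Test set B: photos of the enrolled user held up to the camera.
PHOTOS = [0.84, 0.77, 0.90, 0.58, 0.81, 0.88, 0.73, 0.69, 0.86, 0.92]

def report(threshold):
    """FRR plus the FAR obtained from each of the two impostor test sets."""
    return {
        "FRR": frr(GENUINE, threshold),
        "FAR_strangers": far(STRANGERS, threshold),
        "FAR_photos": far(PHOTOS, threshold),
    }

def best_threshold(impostor, candidates):
    """Threshold where FAR and FRR are closest (an approximate equal error rate)."""
    return min(candidates, key=lambda t: abs(far(impostor, t) - frr(GENUINE, t)))

if __name__ == "__main__":
    grid = [i / 20 for i in range(1, 20)]
    tuned = best_threshold(STRANGERS, grid)
    print("threshold tuned against strangers:", tuned, report(tuned))
    print("threshold tuned against photos:   ", best_threshold(PHOTOS, grid))
    for t in (0.70, 0.90):
        print(t, report(t))
```

Tuned against test set A, the same matcher reports FRR and FAR of zero while accepting every photo in test set B.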
In this situation, the best way to check the real security level of biometric systems would undoubtedly be a general test that examines specific devices under the same conditions. Unfortunately, all existing studies cover at most a few arbitrarily selected systems. In practice, building a reliable picture of security on that basis for all biometric solutions, or even just the majority of them, verges on the impossible.
Tracking the burglar
Intuition suggests that if the tests can be "stretched", there must be a way to deceive a biometric system. Let us try to look at biometric solutions the way a burglar does.
The first method is based on taking control of the database in which the biometric reference data is stored: the fingerprints or iris images of authorized people. Having taken control of that database, the burglar can insert his own data. Even the most effective biometric device is not enough if the database it uses is kept improperly, for example on a PC connected to the biometric device with an inadequately protected operating system.
The second category of attacks involves injecting false data on the path between the biometric device and its database. For a device that protects access to a PC and is connected to it over USB, this would be an attempt to feed the USB port the burglar's own signal, imitating the behavior of the biometric device. From a technical point of view, such an attack is not really that hard to carry out. It can be even simpler if the biometric device communicates with its database by radio. The lack of strong encryption of the communication (ideally applied separately at each OSI layer) is almost an invitation to a break-in.
The third category of attacks consists of attempts to cheat the biometric device itself. The burglar can cheat the system using artificially made objects, such as an artificial finger made from fingerprints left behind, or a photo of the iris of a person authorized to use the system. While most attacks from the first two categories can be prevented relatively easily, methods of protecting against the third kind are not well known.
Visiting the ophthalmologist
One of the more interesting studies on this subject is "Body Check" by Lisa Thalheim, Jan Krissler and Peter-Michael Ziegler. The authors tested the devices that are most popular today. The fingerprint recognition systems included products from Biocentric Solution, Cherry, Eutron, Siemens, Veridicom, Identix and IdentAlink. Also tested were the Authenticam system from Panasonic, designed for iris scanning, and FaceVACS-Logon, a face-based authentication solution created by Dresden-based Cognitec AG. The latter software uses an ordinary webcam connected to a PC. The vendor recommends the ToUcam PCV 740K camera from Philips, which is why all tests were run with that equipment.
The authentication process is fully automatic. FaceVACS-Logon continuously analyzes the view from the camera, and when a person's face appears in its field of view, it is recognized automatically. The software first tries to locate the eyes of the person being tested and then, based on this information, tries to determine where the rest of the face is. After that, selected parts of the camera image are compared with those kept in the database. If they match, authentication succeeds.
It turns out, however, that the images in the FaceVACS-Logon database are kept as plain .PPM and .FVI files. They are not even encrypted. The first attempt to cheat the system consisted of copying those files to a laptop and then using them in place of a real person's face. With the right distance set between the laptop screen and the camera, the system granted authorization every single time. Of course, if the database is properly secured, obtaining the images used by the system is much harder. So the next attempt was based on taking three different pictures of a person who has access to the system with an ordinary digital camera. Those pictures were then shown to the system on the laptop. It turned out that the system granted access to the secured files after the second picture...
To prevent the system from being cheated with the images in its database, Cognitec added to FaceVACS an extra function called Live-Check. Once it is activated, all the attacks described above proved ineffective. Unfortunately, the software's ability to recognize real users became considerably worse. The attempt to cheat this system consisted of making a short .AVI movie in which a person authorized to use the system moved their head slightly left and right. After the movie was shown on the laptop, the system again granted access to the protected resources. How can such a movie be made? With a camera behind a see-through mirror in the "victim's" own bathroom, or by recording a close-up with an industrial camera. There are many possibilities.
For most people, iris scanning is associated with science-fiction movies. But such systems exist and work right here and now. One of them is Authenticam by Panasonic. Simple methods of cheating the system with iris images shown on a laptop screen failed. The same happened with photos printed on ordinary paper. However, further tests showed that the algorithm used during the authorization process can be fooled if a real human iris is shown together with its printed picture.
To cheat the system, then, one must print the iris on a sheet of paper, cut a hole in the middle, and present this hybrid for scanning. Bingo! Of course, the basic challenge is getting a suitable photo of the iris. So can we consider the system safe, knowing that such a photo is hard to find? Not quite. What if someone manages to get a faithful photo of the iris, for example by stealing it from an ophthalmology clinic?
A finger instead of a picklock
Another tested device was the ID Mouse made by Siemens. This is a very popular system for user authentication based on fingerprint patterns. It turns out to be susceptible to simple tricks, like breathing on a fingerprint left on the device. During this process the device's monitoring screen showed the ridge pattern left on the reader appearing more and more clearly. The system could also be fooled with the help of a thin foil filled with water. This method proved even more effective than the first.
Siemens now protects its devices in a different way. The system remembers the exact position of the last scanned finger. If, in the next authentication attempt, the finger is in the same position on the reader as before, the system treats it as an attempt to cheat. The method is simple and effective, and at the same time causes no trouble for users.
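One way such a position check could work, as an added example that is not Siemens' implementation: the capture is represented as a list of ridge-feature coordinates, and `TOL_PX`, `MIN_OVERLAP`, the class and function names and the sample data are all assumptions made for the illustration.

```python
import math

# Added example; TOL_PX and MIN_OVERLAP are assumed values, not vendor parameters.
TOL_PX = 2.0        # how close two ridge features must be to count as "the same spot"
MIN_OVERLAP = 0.9   # share of features that must coincide to call it the same placement

def same_placement(prev, curr):
    """True if nearly all features of curr lie where prev had them, with no alignment.

    A matcher normally aligns two prints (shift, rotation) before comparing.
    Skipping that step on purpose exposes captures that sit in the identical
    spot on the sensor, which a freshly placed finger practically never does.
    """
    if not prev or not curr:
        return False
    hits = sum(
        1 for (x, y) in curr
        if any(math.hypot(x - px, y - py) <= TOL_PX for (px, py) in prev)
    )
    return hits / len(curr) >= MIN_OVERLAP

class PlacementGuard:
    """Remembers the last capture and flags a repeat of its exact position."""
    def __init__(self):
        self.last = None

    def check(self, features):
        repeated = self.last is not None and same_placement(self.last, features)
        self.last = features  # every capture, accepted or not, becomes the reference
        return "reject" if repeated else "match"  # "match" = hand over to the matcher

def moved(points, dx, dy, deg):
    """Helper for the sample data: rotate by deg around the origin, then shift."""
    a = math.radians(deg)
    return [(x * math.cos(a) - y * math.sin(a) + dx,
             x * math.sin(a) + y * math.cos(a) + dy) for (x, y) in points]

# Constructed feature positions (pixels) standing in for one enrolled finger.
FINGER = [(40, 52), (61, 80), (75, 33), (90, 120),
          (110, 64), (128, 97), (143, 41), (150, 130)]

if __name__ == "__main__":
    guard = PlacementGuard()
    second = moved(FINGER, 15, 10, 3)                  # finger lifted and put down again
    third = [(x + 0.5, y - 0.5) for (x, y) in second]  # same spot, sub-pixel noise only
    print([guard.check(c) for c in (FINGER, second, third)])
```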
Sophisticated methods are still more effective. It is enough to lift fingerprints from various objects and reproduce them with the help of sticky tape and loose graphite. Effectiveness: almost 100%! The next tested device was the G83-14000 keyboard from Cherry. Since its built-in fingerprint reader turned out to be built from the same components as the ID Mouse from Siemens, breaking in posed no problems.
The Magic Secure 3100 from Eutron was not as easy to fool with a thin foil filled with water or by breathing on it. But when sticky tape and loose graphite were used, getting into the protected resources posed no problems. The Bio-Touch USB 200 fingerprint scanner from Identix, which works on different principles, was not susceptible to any of the earlier attacks. But it turned out that it can be fooled with a copy of a finger made, for example, from wax and silicone.
This "artificial finger" allowed access to the protected resources without any further problems.
Good old keys
The conclusions suggest themselves. The biometric devices produced today do not guarantee a satisfactory level of security. An ingenious burglar can cheat them with such high probability that they should be treated as toys rather than security systems. And not the cheapest toys, it must be said. Vendors' enthusiasm aside, a fact is a fact: biometric systems have a long way to go before they push passwords, PIN numbers, microprocessor cards and a set of heavy keys out of our lives.