Spoofing fingerprints

Fingerprints are not fit for secure device unlocking

Fingerprint sensors have sought to replace password- and PIN-based authentication for years. The sensors are widely found in laptops, sometimes in payment terminals, and recently in several smartphones. The latest entrance to the field is Apple’s iPhone 5s. The sensors continue to fail their marketing claim of secure device unlocking.

Security level.

Using fingerprints as credentials for local user authentication has two shortcomings when compared to passwords:

A. Limited revocation. Once a fingerprint gets stolen, there is no way to change it. To offset this high compromise penalty, fingerprints would need to be very hard to steal. However:

B. Credential spread. Users leave copies of their fingerprints everywhere; including on the devices they protect. Fingerprints are not fit for secure local user authentication as long as spoofs (“fake fingers”) can be produced from these pervasive copies.

Fingerprint spoofs.

Spoofs have been produced time and time again from images of latent prints – even while camping – and most recently by Starbug from the CCC to overcome the protection of an iPhone 5s.

Other current devices with touch and swipe sensors are equally duped by spoofs. This video shows how an iPhone 4s-taken photo results in a fingerprint-spoof that unlocks a Thinkpad laptop, a Fujitsu smartphone, and an iPhone 5s:

ID theft risk.

The iPhone 5s’s fingerprint sensor does not only appear to provide no additional protection, its use even undermines other security mechanisms. This video demonstrates how other flaws in iOS and iCloud are exposed that – when combined with Touch ID’s vulnerability to fingerprint spoofing – allow for online identity theft:

Remote authentication.

Fingerprint sensors still have a strong protection proposition: To provide a second (and third) authentication factor in remotely-executed transactions, such as authorizing money transfers. Modern fingerprint sensors can compare templates and scans on-chip – that is: protected from malware on the device – and conduct a strong cryptographic authentication to a web service. Industry seems to be determined to standardize such transactions.

An attacker would need to get access to three credentials: the banking password, the fingerprint sensor that stores an authentication certificate, and a spoof of the fingerprint that activates this certificate. For the most common miscreant, remote attackers, the latter two should be out of reach.

Evolution path.

Defeating local attackers is still of value even when the fingerprint only provides an additional authentication factor.

The iPhone 5s already moved slightly beyond the capabilities of earlier touch sensors: It provides a higher resolution image and – as far as initial experiments can tell – uses this higher resolution to match based on finer structures:

Low resolution fingerprint image

Low resolution fingerprint image, sufficient to create spoofs for older sensors

High resolution fingerprint image

High resolution fingerprint image with clear features along the ridges, which newer sensors detect

Even these finer structures can be spoofed, for example based on an equally high resolution smartphone camera image, showing that some defense strategies only improve at the pace of the corresponding attack technique.

Fingerprint spoof prevention would better be based on intrinsic errors in the spoof-creation process or on fingerprint features not present in latent prints (and become much harder to steal). Examples of such spoof-detection features are air bubbles contained in the glue often used for spoofs (white dots in left image) and minute details that are visible through a fingerprint sensor but not in a latent print (black dots in right image).

Sensor read of spoof finger with white air bubbles, but no sweat pores

Sensor read of spoof finger with white air bubbles, but fewer minute details

Sensor read of real finger with black sweat pores but no air bubbles

Sensor read of real finger with minute details but no air bubbles

Even by just comparing the density of white vs. black dots, sensors would challenge hackers to improve their spoofing techniques. The iPhone 5s, on the other hand, was defeated by techniques widely published years ago.

FlightGear v2.12.1 Released

November 25, 2013

Update: FlightGear v2.12.1 (a bug fix release) is now available for download!

September 21, 2013 – FlightGear v2.12 is Released!

The FlightGear development team is happy to announce the v2.12 release of FlightGear, the free, open-source flight simulator. This new version contains many exciting new features, enhancements and bug fixes. Highlights in this release include improved usability, continued development of the Canvas rendering toolkit, and improved scenery rendering.

A list of major changes can be found at: http://wiki.flightgear.org/Changelog_2.12.

Founded in 1997, FlightGear is developed by a worldwide group of volunteers, brought together by a shared ambition …
Read the rest… >>

November 25, 2013

Update: FlightGear v2.12.1 (a bug fix release) is now available for download!

September 21, 2013 – FlightGear v2.12 is Released!

The FlightGear development team is happy to announce the v2.12 release of FlightGear, the free, open-source flight simulator. This new version contains many exciting new features, enhancements and bug fixes. Highlights in this release include improved usability, continued development of the Canvas rendering toolkit, and improved scenery rendering.

A list of major changes can be found at: http://wiki.flightgear.org/Changelog_2.12.

Founded in 1997, FlightGear is developed by a worldwide group of volunteers, brought together by a shared ambition to create the most realistic flight simulator possible that is free to use, modify and distribute. FlightGear is used all over the world by desktop flight simulator enthusiasts, for research in universities and for interactive exhibits in museums.

FlightGear features more than 400 aircraft, a worldwide scenery database, a multi-player environment, detailed sky modelling, a flexible and open aircraft modelling system, varied networking options, multiple display support, a powerful scripting language and an open architecture. Best of all, being open-source, the simulator is owned by the community and everyone is encouraged to contribute.

Download FlightGear v2.12 for free from FlightGear.org.

FlightGear – Fly Free!

Solar Cricket – finally, I get to build something…

It’s been a busy year so far – lots of stuff going on, and precious little time to build anything. A couple of months ago however I was asked by my buddies at MAKE magazine to put together an interesting little project. A solar powered chirping cricket – that uses solar energy to maintain the […]

(Visited 773 times, 1 visits today)

Solar Cricket, from MAKE magazine

It’s been a busy year so far – lots of stuff going on, and precious little time to build anything.

A couple of months ago however I was asked by my buddies at MAKE magazine to put together an interesting little project. A solar powered chirping cricket – that uses solar energy to maintain the charge on a 9v battery, and then starts “chirping” once night falls.

As well as using the solar panels to keep the 9v Lithium Ion battery charged, they are also used for the light detection routine. The project also features the excellent JeeLib library to manage the low power sleep routines.

More details here:

http://makezine.com/projects/solar-cricket/

Share

(Visited 773 times, 1 visits today)