{"id":243,"date":"2015-03-14T17:43:05","date_gmt":"2015-03-14T17:43:05","guid":{"rendered":"http:\/\/joeuchill.org\/?p=243"},"modified":"2015-03-14T17:43:05","modified_gmt":"2015-03-14T17:43:05","slug":"biometrics-researchers-race-to-stay-one-step-ahead-of-hackers-passcode-january-13-2015","status":"publish","type":"post","link":"https:\/\/joeuchill.org\/?p=243","title":{"rendered":"Biometrics researchers race to stay one step ahead of hackers \/ Passcode, January 13, 2015"},"content":{"rendered":"<p><em>As hackers find new ways to break into devices that use retina scans or fingerprints as passwords, researchers are quickly improving biometrics technology. They say the trick is teaching machines to become better at recognizing life.<\/em><\/p>\n<hr \/>\n<p>It wasn&#8217;t the first time the <a href=\"http:\/\/www.ccc.de\/en\/\" target=\"_blank\">Chaos Computer Club<\/a> exposed vulnerabilities in fingerprints as passwords. But it was the first time since <a class=\"inform_link\" title=\"Title: Apple Inc.\" href=\"http:\/\/www.csmonitor.com\/csmlists\/topic\/Apple+Inc.\" target=\"_self\" rel=\"nofollow\">Apple Inc.<\/a> released its increasingly popular pay-by-fingerprint Apple Pay system.<\/p>\n<p>At the club&#8217;s annual conference late last month, CCC member Jan &#8220;Starbug&#8221; Krissler <a href=\"https:\/\/www.youtube.com\/watch?v=vVivA0eoNGM\" target=\"_blank\">showed<\/a> how to reconstruct convincing enough prints from surreptitiously taken\u00a0photographs to dupe fingerprint scanners. The club, known for cutting-edge research, promoted Mr. Krissler&#8217;s talk on their German-language site in a way that would strike fear into the heart of anyone working on \u2013 or promoting \u2013 fingerprint security: &#8220;Fingerprint biometrics [are] finally only a safety placebo.&#8221;<\/p>\n<p>Biometric security is the use of human attributes such as fingerprints, iris scans, and facial features to verify identity. The field of biometrics is wider \u2013 the Fitbit relies on biometrics \u2013 but in common parlance, \u201cbiometrics\u201d is mostly used for authentication. It&#8217;s often touted as the eventual replacement for passwords by a group who see Apple Pay as the first nail in the password&#8217;s coffin.<\/p>\n<p>The cybersecurity coordinator for the White House, Michael Daniel, even declared he was on a mission to &#8220;<a href=\"https:\/\/www.youtube.com\/watch?v=5yclXwQC9aY\" target=\"_self\">kill the password dead<\/a>.&#8221; He&#8217;s not alone: Passwords are clumsy, forgettable, typo-prone, unloved, and unlovable. Biometrics is the opposite. Using physical attributes is impossibly convenient \u2013 just try forgetting a password when your finger is the password.<\/p>\n<div id=\"story-embed-column\" class=\"pull_right p402_hide\"><\/div>\n<p>Krissler effectively muted the excitement. After his talk, a Los Angeles CBS affiliate proclaimed: &#8220;<a href=\"http:\/\/losangeles.cbslocal.com\/2015\/01\/06\/experts-warn-fingerprints-easier-to-hack-than-old-fashioned-passwords\/\" target=\"_self\">Experts Warn Fingerprints Easier To Hack Than Old-Fashioned Passwords<\/a>.&#8221;<\/p>\n<p>But fingerprints, faces, retinas, and all kinds of biometric indicators have been easy to forge as long as there have been methods to use them as identification. Go back 20 years to the movie &#8220;Sneakers,&#8221; and the big heist hinged on a tape recorder beating voice identification. People leave fingerprints all over the place. We show our faces in public. There&#8217;s plenty of opportunities for physical identity to be replicated.<\/p>\n<p>\u201cMy password is in my head, and if I&#8217;m careful when I\u2019m typing, I\u2019ll stay the only one who knows it,\u201d said Krissler, during a 2013 <a href=\"http:\/\/www.zeit.de\/digital\/datenschutz\/2013-09\/iphone-fingerabdruck-hack-starbug\" target=\"_self\">German-language interview<\/a> discussing how the CCC had cracked the <a class=\"inform_link\" title=\"Title: Apple iPhone\" href=\"http:\/\/www.csmonitor.com\/csmlists\/topic\/Apple+iPhone\" target=\"_self\" rel=\"nofollow\">iPhone<\/a>&#8216;s fingerprint security.<\/p>\n<div class=\"storyEmbed htmlEmbed \">\n<div class=\"newsletter_signup_box newsletter_signup_600\">\n<p class=\"newsletter-signup-msg\">Get Monitor cybersecurity news and analysis delivered straight to your inbox.<\/p>\n<\/div>\n<\/div>\n<p>But a critical component of Krissler&#8217;s ruse (known as a spoof) had been thwarted by researchers years before \u2013 the materials used to make the fingerprint. Many popular fingerprint scanners have been slow to adopt a fix. And while manufacturers lag in picking up the last generation of attacks, attackers have beaten \u2013 and been defeated by \u2013 generations of cutting edge anti-spoofing technology.<\/p>\n<p>It&#8217;s a cat and mouse game. And you are the mouse.<\/p>\n<p>\u201cPeople need to realize: biometrics is not secret,\u201d says Clarkson University Prof. Stephanie Schuckers, director the multiuniversity, federally funded biometrics project Center for Identity Technology Research. \u201cYour fingerprints are not a secret. Your face is obviously not a secret.\u201d<\/p>\n<p>The success of biometrics, says Dr. Shuckers and slew of other researchers in the field, depends on meeting an unending supply of new threats with better and better forms of \u201cliveness detection,\u201d determining whether or not the thing that looks like a fingerprint is connected to you.<\/p>\n<p>\u201cLiveness detection means taking advantage of fakes being fake,\u201d she says.<\/p>\n<h2>Companies slow to learn from vulnerabilities<\/h2>\n<p>In 2002, cryptographer Tsutomu Matsumoto first demonstrated how anyone who could make a dessert could beat a fingerprint scanner. His team at Yokohama National University replicated fingerprints using gelatin.<\/p>\n<p>Fingerprint scanners detect fingerprints the same way a cellphone knows a finger is touching the screen \u2013 the ability of human skin to hold a tiny electric charge. But gelatin, the basic substance of Jell-O and Gummy Bears, has similar properties. Mr. Matsumoto etched molds of fingerprints he lifted off of glass using the type of circuit board kit anyone could buy at Radio Shack and the \u201cgummy fingerprint\u201d was born.<\/p>\n<p>Gummy fingerprints brought to the forefront the problem Krissler continues to exploit, creating a new focus on liveness detection research. Fingerprint scanners can now be designed to analyze pores, sweat, heartbeat, vein placement, and many other mechanisms of determining whether or not their looking at gelatin or any other not-living print.<\/p>\n<p>But much of that advanced research and science isn&#8217;t found in the most widely used fingerprint scanners on the market. After Apple released its fingerprint scanning iPhone 5s in late 2013, the Chaos Computer Club beat the technology using the decade-old gummy fingerprint attack. The same attack still works on the iPhone 6.<\/p>\n<p>\u201cWhat\u2019s frustrating on the part of insiders is the reluctance to publicly discuss the problems,\u201d says Mark Cornet, chief operating officer of NexID Biometrics, a fingerprint-based identification company cofounded and healmed by Shuckers. \u201cWe don\u2019t have 100 percent security, but we have huge advances that don\u2019t get used unless we admit the need.\u201d<\/p>\n<p>Until that happens, companies such as Apple that promote biometrics and its many detractors will appear to be having two different conversations.<\/p>\n<p>Some security consultants refuse to recommend biometrics to clients. Dave Aitel, chief executive officer of Immunity Inc., wrote <a href=\"http:\/\/www.usatoday.com\/story\/cybertruth\/2013\/09\/12\/why-biometrics-dont-work\/2802095\/\" target=\"_self\">piece for USA Today<\/a>entitled \u201cWhy biometrics don&#8217;t work\u201d (the answer, he said, was that biometric passwords could never be reset if stolen). Nima Dezhkam, a consultant at Compass Security, is equally against a biometric-only world, worrying that \u201cas a primary authentication method, weaknesses are more exposed.\u201d<\/p>\n<p>Meanwhile, Apple&#8217;s website raves: &#8220;Your fingerprint is one of the best passcodes in the world.&#8221;<\/p>\n<p>This is not to harp on Apple, which declined to comment on this story. Gummy prints have fooled Samsung phones, too. In 2013, a Brazilian doctor was caught using silicone fingerprints to sign his friends in to work. In 2009, a $45 million dollar fingerprint scanning system at the Tokyo airport used to prevent blacklisted passengers from reentry was defeated by a South Korean woman who put clear tape over her fingers. In 2005, a Malaysian car thief successfully circumvented a cars\u2019 fingerprint-based security system by chopping off its owners&#8217; finger.<\/p>\n<p>Nor is this to harp on fingerprint scanning. A team of scientists from Universidad Autonoma de Madrid and West Virginia University successfully reconstructed irises in 2012.\u00a0Nguyen Minh Duc of the Hanoi University of Technology bypassed facial recognition programs on Lenovo, Asus, and Toshiba laptops using photographs in 2009. Researchers adapted to that new threat with techniques like requiring blinking, and this year Nesli Erdogmus and Sebastien Marcel of the Idiap Research Institute bypassed those methods with 3D-printed masks.<\/p>\n<p>This is to harp on the promise of invulnerability when there is money at stake.<\/p>\n<p>\u201cWe know large banks are currently being attacked [by hackers] 20,000 times a day,\u201d says Mr. Dezhkam. \u201cIf there is money in attacking biometrics, people will attack biometrics.&#8221;<\/p>\n<h2>To catch a spoof<\/h2>\n<p>\u201cGelatin is great \u2013 its only drawback is shelf life,\u201d says NexID COO Cornet. \u201cBut when I really want to scare potential clients, I\u2019ll take out an iPhone and spoof a fingerprint using latex paint.\u201d<\/p>\n<p>Wood glue will also work \u2013 Krissler of the Chaos Computer Club is a fan. Or Silly Putty. Or certain waxes.<\/p>\n<p>None of these attacks will work on the liveness detection software NexID develops to work with other companies&#8217; scanners. NexID uses machine learning to detect the difference between fake prints and real ones. But being able to thwart a wide array of threats only happens through continuously training their program each time a new vulnerability arises.<\/p>\n<p>It takes six to eight weeks for the company to adapt to new threats, most of which is impossible to speed up. The brunt of the work comes from wrangling test subjects to donate fingerprints and manufacturing the false ones the computer will be trained to differentiate the authentic prints from. It takes 1,000 sets of fingerprints \u2013 half that will work, half to simulate attackers trying to break the system \u2013 for their program to learn the difference.<\/p>\n<p>The most recent advances in fingerprint spoofing, says Cornet, the NexID chief operating officer, have come in improvements to the molds that set fake fingerprints. Today, inexpensive 3D scanning technology can create detailed molds quickly and accurately.<\/p>\n<p>\u201cIn fact, we can imagine 3D printed digits infused with liquid to mimic the composition of human skin,\u201d he says.<\/p>\n<p>But even though NexID can adapt more quickly to spoofs, getting those solutions to consumer devices can take longer. Manufacturers have taken more than a decade to adapt to gummy prints.<\/p>\n<p>\u201cA hardware solution for gummy fingerprints, when you\u2019re talking about a smartphone, might require different components, a thicker case and more cost,\u201d says Dr. Ross of <a class=\"inform_link\" title=\"Title: Michigan State University\" href=\"http:\/\/www.csmonitor.com\/csmlists\/topic\/Michigan+State+University\" target=\"_self\" rel=\"nofollow\">Michigan State<\/a>.<\/p>\n<p>Occasionally, says Cornet, the delay is an advanced case of manufacturers ignoring problems until something big, such as the Chaos Computer Club, forces them to deal with the consequences.<\/p>\n<p>They are starting to take notice, he says. &#8220;The sensor manufacturers that wouldn\u2019t take our phone calls two years ago are calling us now.&#8221;<\/p>\n<h2>Are you even worth spoofing?<\/h2>\n<p>Passwords are strong when they are difficult to guess. By that standard, biometrics are amazing \u2013 no one can guess your password.\u00a0That doesn&#8217;t mean they don&#8217;t know where to find it.<\/p>\n<p>\u201cWhen people use passwords, attackers try to steal passwords to get access,\u201d says Dezhkam. \u201cWhen they use biometrics, the focus turns to you.\u201d<\/p>\n<p>Hacking a person takes a lot more effort than cutting and pasting a password from a compromised database. Successful attacks require some amount of direct contact (even if it&#8217;s just through Krissler&#8217;s photo lens tailing you). Are you even worth spoofing?<\/p>\n<p>For high value targets, biometrics alone may never be enough. They&#8217;ll need many layers of security. And the same may be true for people who worry about the ever-changing landscape of threats. For others, especially the third of cellphone users who don&#8217;t <a href=\"http:\/\/www.consumerreports.org\/cro\/news\/2014\/04\/smart-phone-thefts-rose-to-3-1-million-last-year\/index.htm\" target=\"_blank\">employ any kind of security<\/a>, Apple&#8217;s fingerprint technology may strike the\u00a0right balance of security and\u00a0convenience.<\/p>\n<p>\u201cThe notion of security isn&#8217;t scientifically precise,\u201d says Arun Ross, a current Michigan State professor and member of the West Virginia team that first demonstrated how reverse engineer a fake iris. &#8220;We could have a method that was entirely secure, and people would still prefer what was most convenient.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As hackers find new ways to break into devices that use retina scans or fingerprints as passwords, researchers are quickly improving biometrics technology. They say the trick is teaching machines to become better at recognizing life. It wasn&#8217;t the first time the Chaos Computer Club exposed vulnerabilities in fingerprints as passwords. But it was the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/joeuchill.org\/index.php?rest_route=\/wp\/v2\/posts\/243"}],"collection":[{"href":"https:\/\/joeuchill.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joeuchill.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joeuchill.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/joeuchill.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=243"}],"version-history":[{"count":1,"href":"https:\/\/joeuchill.org\/index.php?rest_route=\/wp\/v2\/posts\/243\/revisions"}],"predecessor-version":[{"id":244,"href":"https:\/\/joeuchill.org\/index.php?rest_route=\/wp\/v2\/posts\/243\/revisions\/244"}],"wp:attachment":[{"href":"https:\/\/joeuchill.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joeuchill.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joeuchill.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}