For a few years now, information security specialists have been touting biometrics as the next big thing. Biometrics identify users through physical characteristics that remain constant, such as DNA, earlobe and hand structure, fingerprints, voices and retinal or iris patterns. In clichéd terms, biometrics were the new, better mousetrap that would replace password and PIN protection.
The trouble with building a better mousetrap, as the old saying implies, is that it’s more difficult than it sounds. Biometrics certainly sound secure; after all, your retinal patterns are pretty unique. But along comes German tech publication c’t, which tested some of the most common types of biometrics available for PCs and laptops, discovering they weren’t as secure as you might think.
Fingerprint Shenanigans
In spy stories agents bypass fingerprint scanners by creating silicon forgeries of fingerprints they wear on their own fingers. The villains just chop off the fingers. Deciding the first tactic was too complicated and noticing that office interns got nervous when the second option came up, c’t used the highly complicated, extremely technical trick of breathing on the sensor array. Blowing on the array caused the sensor to detect traces of fat tissue left on the sensor glass, triggering a false positive and access into the system
C’t also proved an old spy film tactic works. They lifted a fingerprint from a drinking glass with a piece of adhesive tape, applied the tape to the sensor (no silicon copy required) and got into the system. Presumably no one was able to catch an intern, because severed fingers weren’t tested.
Fooling Facial Recognition Systems
Facial recognition biometrics use webcams to recognize a user’s facial patterns. C’t took the simple, but effective, approach of taking a variety of digital pictures of the user’s face, displaying the image on a laptop and holding the laptop up to the webcam. The tactic wouldn’t fool most elementary students, but in most cases only a couple of different images were needed to trick the system.
Eyeing the Wrong Eye
Even iris recognition technology proved susceptible to a little low-tech trickery. The person attempting to access the computer made an inkjet printout of the legitimate user’s iris. A small hole was cut in the center of the picture so the computer could detect the intruder’s pupil. Guess what? Access granted yet again.
Granted, snagging a detailed image of someone else’s iris is more difficult than acquiring some images of his face, but with a sophisticated camera (or high definition webcam) it remains possible. C’t proved two things with these experiments. First, they proved biometrics have a long way to go before they replace the password as a computer’s primary security barrier. And second, perhaps more alarmingly, they reveled their staff is comprised of highly-trained secret agents with a talent for electronic espionage. While that last is probably mere fantasy, I’m renewing my subscription … just in case.
Post by guest blogger Carly Fierro, a writer who enjoys blogging about how computer security could affect your business, whether you’re selling rat traps or designer handbags.
