Biometry is broken

January 28, 2015

From what we’ve seen during 31C3, biometry is broken. It’s not just broken in the sense that we can use forensic methods to lift the fingerprints of a potential victim from whatever they touched before. With what we’ve seen during the talk given by starbug (http://media.ccc.de/browse/congress/2014/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug.html#video – note: the talk was given in German), the physical barrier is broken. There is no more need to save a glass that was touched by our victim. The fingerprint can be reconstructed from a photograph of the victim’s fingertips, provided the photograph is of sufficient quality.

During his talk, starbug already gave some insight into what might be next: 4K video. I’m curious about what he might come up with for the next congress. Maybe he’s already working on extracting fingerprints from 4K videos.

So you might say fingerprints are broken, but what about the other biometric factors? Let’s run through them:

  • fingerprints – broken
  • retina scans – broken (at least if the quality of the picture is good enough)
  • face scans – broken (as shown in the video)
  • heart beat – not broken yet

So let’s look at what’s left on the list: heart beat. There was a startup showing up with the idea of a wristband using your unique heart beat signature as an identification token. Sounds pretty cool so far. But here it comes: I’ve been talking to different people about two different approaches that might break this as well.

The first approach (although it is much more theoretical and does have a moral and ethical impact) I’ve been discussing with a doctor. In the end she told me that it would be possible to use a pacemaker to re-program an individual’s heart beat. It has not been done before, but it’s possible.

For the second approach, I talked to a guy who has been working in device security for quite a while. From his expertise, it shouldn’t be the biggest deal to generate the specific electric signal that will look like a valid heart beat to the device.

So from where we are right now, there are only two conclusions:

  1. Don’t trust biometrics as a single source of identification. They might be used in combination with other forms of authentication, but never ever alone.
  2. Biometric devices need to get better. They need to be able to determine whether they are scanning a printed copy of the fingerprint, face or retina, or whether they are scanning a real human being. This will raise prices for devices.
Categories: IAM, Identity, Privacy, Security