SecurityFocus 2003-08-13
Two German hackers say they have developed a technique to defeat biometric fingerprint scanners used to authenticate electronic purchasing systems. Unlike an earlier fingerprint attack developed by the pair last year, this system creates latex fingertip patches designed to be used while under observation.
The hackers, known as Starbug and Lisa, presented their attack at the Chaos Computer Camp, an open-air event which took place last weekend in East Berlin. "We have developed methods to fake fingerprints on the run," said Lisa.
The past technique used graphite powder and adhesive tape to lift fingerprints off surfaces and fool scanners into accepting them as genuine. This new method involves taking a digital picture of the fingerprint image produced by the graphite powder and adhesive tape. This image is enhanced with graphical software, printed onto foil, and transferred to a photosensitive printed circuit board. The board is exposed and etched to create the three-dimensional structure of the fingerprint. It is then transferred to liquid latex, which is dried to create a thin material similar in consistency to a latex glove. This small piece of latex is attached to a person's fingertip prior to using the scanner.
If an entire fingerprint cannot be successfully lifted, Starbug says photo enhancement software can use a portion of the image and look for overlapping portions that can be reassembled. He says the most delicate part of the fingerprint creation process is lifting the dried latex material into a sheet thin enough to be relatively invisible to an observer.
Lisa and Starbug say they developed their technique after developers of fingerprint scanning equipment claimed that their first attack did not present a credible threat because it could only be carried out under laboratory conditions. The two plan to test their new "field" technique later this week at a German computer hardware store that uses fingerprint biometrics in its electronic purchasing system. They said they will use a fabricated version of their own fingerprint to test the attack.
Starbug noted that EU member nations are now being pressured by the U.S. to deploy biometric data in passports by next year. The three biometrics under consideration are fingerprint, face recognition and iris scans, says Starbug. He notes that this new fingerprint attack could also be used at border crossings where the subject is under observation by immigration officials.
In addition to hacking fingerprints, Starbug and Lisa have also developed keystroke analysis and techniques for defeating face recognition, iris scan, and voice print biometrics. Starbug says their research has shown that fingerprint systems should not be used for purchasing, passports or other sensitive identity checks. "Most of the fingerprint systems are attackable and too weak to be used," says Starbug. "This is a very simple and low cost attack and if you have more money and more time, you can find other ways to attack it."
A Japanese researcher reported last year that he could
Starbug says he and his partner wrote to companies that develop fingerprint scanners and requested that they send hardware that could be tested, but received no reply. An Infineon sensor inside a Siemens mouse was later used by the two in the preliminary tests of the latex fingerprint attack.
The most secure biometric systems, says Starbug, use a combination of one biometric and a smart card or two biometrics. He and Lisa say they continue to invite biometric companies to submit systems for testing by contacting them through their home page, www.biometric-systems.org. The two hackers say that they have had long discussions with a reseller of an iris scanning system who was willing to give them hardware to test. But Panasonic, which sells the iris scanner, refused to work with members of the Chaos Computer Club, to which both Starbug and Lisa belong.
According to Starbug, the big biometric companies know that their systems are weak, but will only offer this information if tests reveal their vulnerabilities. "It is totally clear that biometrics is a technique that will be used often in the future," said Starbug. "Our intention is to force companies to secure their systems."