Delivered-To: [EMAIL PROTECTED]
Date: Sun, 16 Nov 2003 04:59:18 -0800
From: Thomas Leavitt <[EMAIL PROTECTED]>
Subject: From CryptoGram: faking fingerprints trivial
To: [EMAIL PROTECTED]
Dave,
Check out this letter to Bruce Schneier on the (non)security of biometric fingerprint identifications... I guess all those movie dramatics where they slam the bloody hand of a dead person down on the biometric ID panel are just that, dramatics - it appears that, in the real world, it's far easier (half an hour and $20, if you don't happen to have the person handy).
Regards, Thomas Leavitt
From: Ton van der Putte <[EMAIL PROTECTED]>
Subject: Hacking Fingerprint Readers
Last year in the June issue of CRYPTO-GRAM you made a reference to our article "Don't get your fingers burned". In the article we describe two methods to duplicate fingerprints. One method assumes co-operation (somebody "lends" his finger to make a duplicate), while in the other method a lifted latent fingerprint is duplicated by means of a photo/chemical process. With these dummy fingerprints we have been able to fool all fingerprint sensors we have tested in our lab and on exhibitions (about 20 different brands). I started with these experiments in the early nineties, so more than 10 years ago.
Last week we were invited by the BBC to come to London for an interview about duplicating fingerprints. The reason was that the British Administration intends to add biometrics to the new British identity card; one of the options is fingerprint biometrics. The programme, "Kenyon Confronts", aired on Wednesday October 29th and is (for a short period of time) available for on-line viewing at the BBC site.
Since my first experiments dated back ten years, I decided to redo them. I knew it would be easier to duplicate fingerprints with all the materials and equipment available today, but the results even amazed me. To give you an idea, ten years ago making a duplicate of a fingerprint with co-operation took me 2 to 3 hours, and for an optimum result I used materials used by dental technicians. Nowadays I use materials you can buy in a do-it-yourself shop, and the total material costs are about $10 (enough for about 20 dummy fingers).
The time it takes to make a perfect duplicate is about 15 minutes (with special material it can be reduced to less than 10 minutes). To make a duplicate of a lifted fingerprint took me several days in 1992, and I had to do a lot of experiments to find the right process/technique. Now it takes me half an hour and the material costs are $20 (also sufficient for about 20 duplicates); the only equipment you need is a digital camera and a UV lamp. Not only do I now make the duplicates in a fraction of the time, but the quality is also better.
The reason for writing you all this is the following. Although most of the fingerprint manufacturers still ignore that there is a problem or claim to have solved it, some are willing to admit it, but use the argument that it is very difficult and expensive to duplicate fingerprints and that it can only be done by highly skilled professionals. In the first place, I think this is not a very strong argument; second, I admit I am a professional, but now the average do-it-yourselfer is able to achieve perfect results and requires only limited means and skills.
So it is our opinion that, as long as the manufacturers of fingerprint equipment do not solve the live detection problem (i.e. detect the difference between a live finger and a dummy), biometric fingerprint sensors should not be used in combination with identity cards, or in medium to high security applications. In fact, we even believe that identity cards with fingerprint biometrics are weaker than cards without them. The following two examples may illustrate this statement.
1. Suppose, because of the fingerprint check, there is no longer visual identification by an official or a controller. When the fingerprint matches the template on the card, access is granted if it is a valid card (not on the blacklist). In that case someone whose own card is on the blacklist can buy a valid identity card with a matching dummy fingerprint (only 15 minutes of work) and still get access without anyone noticing this.
2. Another example: suppose there still is visual identification, and the fingerprint is checked only in case of doubt (the look-alike problem with identity cards). When the photo on the identity card and the person do not really match and the official asks for fingerprint verification, most likely the positive result of the fingerprint scan will prevail. That is, the "OK" from the technical fingerprint system will remove any (legitimate) doubt.
It is our opinion that especially the combination of identity cards and biometric fingerprint sensors results in risks of which not many people are aware.
--
Thomas Leavitt, Sr. Systems Admin For Hire
Resume at http://www.thomasleavitt.org/personal/resume/
Phone: 408-591-3342 / Email: [EMAIL PROTECTED] / Fax: 815-371-2804
Wired since 1981. Internet-enabled since 1990. Web-enabled since 1993. Older, wiser, and poorer, post-crash. :)
Join the System/Database/Network Administrators Job Search Community: http://groups.yahoo.com/group/sdnadminjobs/
-------------------------------------
You are subscribed as [EMAIL PROTECTED]
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/