Biometrics for Identification or Authentication Still Has a Way to Go

PC manufacturers have been introducing biometric technologies into their products over the past several years, the implication being that such technologies are inherently more secure than the traditional password, especially given how little attention the majority of users pay to password creation.

Several years ago, MythBusters proved that the fingerprint security system is seriously flawed and can be easily broken, and just last week at the Black Hat Conference, Duc Nguyen, senior researcher at Bkis, proved just how easy it was to circumvent facial recognition technology on laptops using a simple low-quality photograph.

MythBusters Fools Fingerprint Scanner

In 2006, the popular MythBusters program showed how easy it was to fool a fingerprint reader, even though the reader was supposed to pick up on pulse, body heat and sweat.

Using three methods (a copy of a fingerprint etched in latex, a ballistics gel copy of a fingerprint and a photocopy of a fingerprint), MythBusters successfully beat the system. How? By licking the samples to simulate sweat. Although it took three days to prepare, once they’d worked it out, it only took seconds to fool the system. If you missed the episode, we’ve embedded it at the end of this post.

Mold Fools Hand Geometry Scanner

Last year at DEF CON 16, Zac Franken said that physical access control systems are shockingly vulnerable, and went on to demonstrate how to bypass a hand geometry scanner by making a mold of his hand using not much more than chromatic dental alginate and vinyl polysiloxane.

As Hack a Day points out, this solution “may not be a completely practical attack, but it does defeat the overall idea of biometrics; biometrics are built on the assumption that every person is unique and can’t have their features reproduced.”

While the MythBusters and DEF CON examples clearly show that replicating conditions and bypassing biometric technology is possible, Nguyen’s demonstration is by far the easiest to pull off.

Printout Fools Facial Recognition Technology

According to a recent report in Internet News, although the laptops used in the test (Lenovo, Asus and Toshiba) all have unique algorithms, the basic idea for creating a legitimate biometric login is the same for all three: “A user sits in front of their notebook while its built-in Webcam scans their face to create an image used for future identification.”

If you think getting a user’s picture is difficult, think again. Nguyen pointed out that with all the user-generated content and sharing sites like Flickr, Facebook, Twitter and the various chat programs (Skype, MSN, etc.), finding or simply taking a snapshot of a user is almost effortless.

According to the demonstration, the image size and quality make little difference, as Nguyen proved when he bypassed the security on the Lenovo laptop using a grayscale image. In an e-mail to Internet News, a Lenovo spokesperson pointed out that “the technology looks for eye movement to distinguish between a still photograph and a real person.” Nguyen got past that by moving the picture around in front of the camera.

Best Security? A Secret

From a user point of view, the best security is a strong password, something only the user knows. The accepted wisdom at the moment is that a password that uses alphabetical (upper and lower case), numeric and non-alphanumeric characters and has a minimum of eight characters is considered strong. However, this works on the assumption that the system itself has been configured securely, with account lockout after a certain number of failed attempts, and retry delays that get progressively longer with each failed attempt to prevent brute force attacks.

Unfortunately, as we know, this is not always the case. Will biometrics help? Maybe. But clearly not today.
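The lockout and progressively longer retry delays described above can be sketched as follows. This is an added example, not code from the article or from any vendor it mentions; the threshold of five failures, the doubling delay, and all class and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AccountState:
    failures: int = 0           # consecutive failed attempts
    next_allowed: float = 0.0   # earliest time the next attempt is evaluated
    locked: bool = False

@dataclass
class LoginThrottle:
    """Per-account lockout plus retry delays that grow with each failure."""
    max_failures: int = 5       # assumed lockout threshold
    base_delay: float = 1.0     # assumed first delay, in seconds
    max_delay: float = 300.0    # assumed cap on the delay
    accounts: dict = field(default_factory=dict)

    def delay_after(self, failures: int) -> float:
        # Delay doubles with each consecutive failure: 1, 2, 4, 8, ... seconds.
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked:
            return "locked"       # stays locked until reset out of band
        if now < st.next_allowed:
            return "throttled"    # too early: the guess is not evaluated at all
        if password_ok:
            st.failures, st.next_allowed = 0, 0.0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True
            return "locked"
        st.next_allowed = now + self.delay_after(st.failures)
        return "denied"

def guesses_before_lockout(throttle: LoginThrottle, user: str = "alice"):
    """Constructed run: wrong guesses submitted the instant each delay expires."""
    now, log = 0.0, []
    while True:
        result = throttle.attempt(user, False, now)
        log.append((now, result))
        if result == "locked":
            return log
        now = throttle.accounts[user].next_allowed
```

A hard lockout also lets anyone lock a known account by failing on purpose, so the reset path matters as much as the threshold.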

[Video: Myth Busters Finger Print Lock]

Image Credit: Flickr Flick
