Biometric Security isn't All it's Cracked Up to Be

3/11/2014 Unknown 0 Comments

For the past few years, talk of fingerprint scanners on smartphones has been all the rage, especially after the launch of the Apple iPhone 5s, and now the Samsung Galaxy S5, both of which sport fingerprint scanners for security.  Facial scanning has been in use for some time on Android phones as well, and iris scanning is beginning to become a new buzz word in mobility, but all of these concepts are very short sighted and biometric security is not as secure as a solid password.

Maybe it stems from James Bond or other spy movies, where some form of biometric security is always portrayed as the most uncrackable system, but there are actually quite a few flaws with current biometric security systems.  Not only due to technical capabilities, but also on fundamental and conceptual level.

I realize there are more advanced versions of the technology, but I'm going to be referencing the most consumer oriented versions, such as the one used by Apple.

At the end of the day, a fingerprint scanner is just an image sensor that captures a high enough resolution image of a users' fingerprint to effectively compare to the reference image.  This made it extremely easy to crack.  Immediately after the iPhone 5s was launched, the German Chaos Computer Club was able to cheat the system.

This is referred to as a "hack," but unfortunately that's not the case.  No hack was necessary, because they logged in to the iPhone using "legitimate" means after reproducing a captured finger print using a printer, transparent paper, and wood glue.  It would be one thing if they actually "hacked" their way around the implemented security, but that was unnecessary as it is possible to fool the sensor.

Aside from the ability to cheat the scanner, there are other things that can prevent legitimate users from properly logging in.  If the sensor gets damaged in any way, your fingerprint gets injured (remember, each finger has a unique print), or if it is not possible to get a print reading from due to gloves, water, or any other circumstances rendering the ability to capture a matching print impossible.

So not only is it possible to cheat easily, but in some circumstances it may be easier to cheat than it is to log in legitimately.  If you burn your finger or develop a callous from playing guitar, your finger print will be nearly impossible to capture, whereas a forgery will still be a positive match.

Besides the technical issues, there are other major flaws with the concept of biometric security (specifically of the fingerprint variety).

There are 5 rules most of us have heard hundreds of times regarding password security.  Fingerprint passwords violate all 5 of these rules.

1. Change your password every 60-90 days

This is obviously impossible to accomplish with you fingerprint.  I suppose you could cycle which finger you use, which makes for 20-30 months worth of non-repeating passwords, but that's still no where near the level of security this rule intends on achieving.

2. Don't ever write down your password

This is pretty obvious.  If you have a post-it note on your desk that says "Password123", then you're basically asking to be compromised.  When it comes to your fingerprint, you literally "write down" your password nearly every time you touch something. Especially smartphones.  Look at your phone right now.  I wipe my phone down about every 30 minutes, but I have several clear fingerprints on my screen anyway.  This makes it especially easy, considering the device with the finger print scanner has your fingerprints all over it.  Some more than others.

3. Don’t share your password

Again, you leave your fingerprints everywhere you touch.

4. Don't use the same password for more than one login

As I said under rule 1, I suppose technically you have 10 different fingerprints, but still, if your password is your fingerprint, then there's a 10% chance of getting in with the capture of one print.  Add another 10% for every print they have.

5. Change passwords ASAP once compromised

This is the biggest one.  You use your print as a password.  Someone captures your print.  What are you going to do?  You could try disfiguring your finger tip, but that will be painful and unreliable in the future.  With fingerprint security, you are born with 10 passwords and you can never change them once someone has a copy.

Every rule you ever hear about creating a password, compare that to fingerprints and you'll quickly realize just how bad of an idea it is to use your print for any type of security.  The same thing goes for your eyeballs.

That's not even accounting for any privacy concerns about where your prints being shared once they're captured.

I'm still holding out.  I haven't recorded my fingerprint on a single device and I will avoid doing so for as long as possible.  If you want to ensure you stay secure, I recommend you do the same.

0 disqus:

Sound off