Methods of bypassing biometric protection

A month ago, a Forbes journalist demonstrated the (un)reliability of biometric protection in consumer-class devices. For the test, he ordered a plaster 3D copy of his head, after which he tried to unlock five smartphone models using this model: LG G7 ThinQ, Samsung S9, Samsung Note 8, OnePlus 6 and iPhone X.

The plaster copy was enough to unlock four of the five models tested. Although the iPhone did not fall for the trick (it scans in the IR range), the experiment showed that facial recognition is not the most reliable method of protecting confidential information. The same is true of many other biometric methods.

In a comment, representatives of the "victims" said that facial recognition makes unlocking phones "convenient", but for the "highest level of biometric authentication" it is recommended to use a fingerprint or iris scanner.

The experiment also showed that for a real hack, a couple of photos of the victim are not enough, because they will not allow you to create a full 3D copy of the skull. To make an acceptable prototype, you need to shoot from several angles in good lighting. On the other hand, thanks to social networks, it is now possible to get a large amount of such photo and video material, and the resolution of cameras increases every year.

Other methods of biometric protection are also not without vulnerabilities.

Fingerprints



Fingerprint scanning systems became widespread in the 90s — and were immediately attacked.

In the early 2000s, hackers perfected the mechanism for making artificial silicone copies based on an existing pattern. If you stick a thin film on your own finger, you can fool almost any system, even one with additional sensors that check the temperature of the human body to make sure that the finger of a living person, and not a printout, is applied to the scanner.

The classic guide to making artificial prints is considered to be the guide by Tsutomu Matsumoto from 2002. It explains in detail how to process the victim's fingerprint using graphite powder or cyanoacrylate vapors (superglue), how to then process the photograph before making a mold, and, finally, how to make a convex mask using gelatin, latex milk or wood glue.

Making a gelatin film with a fingerprint pattern using a contour mold with a fingerprint. Source: instructions by Tsutomu Matsumoto

The biggest challenge in this procedure is copying a real fingerprint. They say that the highest quality fingerprints are left on glass surfaces and door handles. But in our time, another way has appeared: the resolution of some photographs allows you to restore the pattern directly from the photograph.

In 2017, a project by researchers from the National Institute of Informatics of Japan was reported. They proved the possibility of recreating a fingerprint pattern from photographs taken with a digital camera from a distance of three meters. Back in 2014, at the hacker conference Chaos Communication Congress, fingerprints of the German Minister of Defense were demonstrated, recreated from official high-resolution photographs from open sources.

Other biometrics


Apart from fingerprint scanning and facial recognition, modern smartphones do not yet use other biometric security methods on a large scale, although they are theoretically possible. Some of these methods have been tested experimentally, while others have been commercially implemented in various applications, including retina scanning, voice verification, and palm vein verification.

But all biometric security methods have one fundamental vulnerability: unlike a password, your biometric characteristics are almost impossible to replace. If your fingerprints are leaked to the public, you will not be able to change them. This is, so to speak, a lifelong vulnerability.

"As camera resolution gets higher, it becomes possible to look at smaller objects, like a fingerprint or iris. [...] Once you share them on social media, you can say goodbye. Unlike a password, you can't change your fingers. So this is information you need to protect." — Isao Echizen, professor at Japan's National Institute of Informatics

No biometric security method provides a 100% guarantee. When testing each system, the following parameters are specified, among others:
  • accuracy (several types);
  • percentage of false positives (false alarms);
  • percentage of false negatives (missed events).

No system demonstrates 100% accuracy with zero false positives and zero false negatives, even under optimal laboratory conditions.

These parameters depend on each other. By adjusting the system settings, you can, for example, increase the recognition accuracy to 100%, but then the number of false positives will also increase. Conversely, you can reduce the number of false positives to zero, but then the accuracy will suffer.

Obviously, many protection methods are now easily hacked because manufacturers primarily think about ease of use, not reliability. In other words, they prioritize the minimum number of false positives.

The Economy of Hacking


As in economics, there is also a concept of economic feasibility in information security. Let's say that 100% protection does not exist. But protective measures are related to the value of the information itself. In general, the principle is approximately that the cost of hacking efforts for a hacker should exceed the value of the information he wants to obtain. The higher the ratio, the stronger the protection.

If we take the example of a plaster copy of a head to fool a system like Face ID, it cost a Forbes journalist about $380. Accordingly, it makes sense to use such a technology to protect information worth less than $380. For protecting information worth pennies this is an excellent technology, but for corporate trade secrets it is a lousy one, so everything is relative. It turns out that in each specific case it is necessary to evaluate the minimum acceptable level of protection. For example, facial recognition in combination with a password, like two-factor authentication, already increases the level of protection by an order of magnitude compared to facial recognition alone or just one password.

In general, any protection can be hacked. The question is in the cost of effort.
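
The dependence between the two error types described earlier in this post, as an added example that is not part of the original text: it sweeps the unlock threshold over constructed match scores and shows that a setting tuned so the owner is never rejected lets some impostor attempts through, and the reverse. The score lists, the function names and the terms false accept rate (FAR) and false reject rate (FRR) are assumptions of this example, not data from any real device.

```python
# Constructed similarity scores (0-100) from a hypothetical matcher.
GENUINE = [62, 71, 75, 78, 80, 83, 85, 88, 91, 95]   # the owner's own attempts
IMPOSTOR = [12, 20, 25, 31, 38, 44, 52, 58, 66, 73]  # other people or artificial copies


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (far, frr) when a score >= threshold unlocks the device."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)     # owner rejected
    return far, frr


def sweep(thresholds=range(0, 101, 5)):
    """Evaluate both error rates at every candidate threshold."""
    return [(t, *error_rates(t)) for t in thresholds]


def convenience_threshold(max_frr=0.0):
    """Strictest threshold that still rejects the owner at most max_frr of the time."""
    return max(t for t, _, frr in sweep() if frr <= max_frr)


def security_threshold(max_far=0.0):
    """Most lenient threshold that accepts impostors at most max_far of the time."""
    return min(t for t, far, _ in sweep() if far <= max_far)


def equal_error_threshold():
    """Threshold at which FAR and FRR are closest to each other."""
    return min(sweep(), key=lambda row: abs(row[1] - row[2]))[0]


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep(range(50, 100, 5)):
        print(f"{t:9d}  {far:.1f}   {frr:.1f}")
    for label, t in (("convenience", convenience_threshold()),
                     ("security", security_threshold()),
                     ("equal error", equal_error_threshold())):
        far, frr = error_rates(t)
        print(f"{label:12s} threshold={t} FAR={far:.1f} FRR={frr:.1f}")
```

On real systems the same sweep is run over far larger score sets, and the chosen operating point is a product decision rather than a property of the sensor.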
