
D3.10: Biometrics in identity management


Threats to a biometric system from impostors

Following up on the work done in FIDIS Deliverable 6.1 and the previous identification of fault-sensitive points in a biometric system (see the section above), this section discusses a number of tests regarding security vulnerabilities of biometric devices. As discussed in the Common Criteria (CC) document, a biometric system in general has a variety of locations that are potentially vulnerable to attacks by impostors (see table 9 below). For example, a device could be misled with artificial biometric samples, data transmissions between different biometric system components could be intercepted or modified, and hardware components could be tampered with. Direct effects of such attacks include unauthorised system access, denial of service and unauthorised extraction of biometric data of system users. The main focus of this section is on impostor attacks; the CC model gives a detailed overview of the weaknesses of a biometric system and of the opportunities they offer an impostor.

 

The CC model structures the attacks into the categories summarised in table 9 below.

Impostor collusion, social engineering, template replacing, template stealing:
  - Impostor covertly captures a biometric sample from an authorised user, e.g. records voice, photographs face.
  - Impostor steals a biometric sample from an authorised user, e.g. lifts a fingerprint from an object that the user had in hand, or installs fake biometric readers to capture biometric samples.
  - Authorised user knowingly provides own biometric sample to impostor (collusion).
  - Authorised user modifies own biometric sample to facilitate an impostor attack (collusion).
  - Impostor steals or inserts a reference template.

Fake biometrics (User/Capture threats):
  - Impostor presents own biometric sample in a zero-effort attempt to impersonate (a) a randomly selected authorised user (for verification), (b) any authorised user (for identification), (c) a selected weak biometric template, or (d) an authorised user with a biometric sample similar to that of the impostor (e.g. a twin).
  - Impostor modifies own behaviour (e.g. voice, signature) or physiology (e.g. face, hand) in an attempt to impersonate (a) a selected authorised user, or (b) a selected weak biometric template.

Data insertion, replay, change of decision policy by impostor:
  - Non-hostile administrator (unintentionally or under coercion), or hostile authorised user or impostor who has acquired administrator privileges:
      (a) incorrectly modifies matching threshold
      (b) incorrectly modifies user privileges
      (c) allows unauthorised access to template storage
      (d) allows unauthorised modification of audit trail
      (e) enrols an unauthorised user
  - Administrator fails to properly review and respond to audit trail anomalies.
  - Attacker modifies matching threshold.

User/Policy management threats / Threats to portal:
  - Impostor authenticates as authorised user through non-biometric means, e.g. collusion, coercion, password, backup system, alternative authentication method, or exception handling procedure.
  - Audit data collection inadequate to detect attacks (e.g. hill-climbing or other repeated-attempt attacks).
  - Attacker modifies user identifier.
  - Attacker inserts appropriate "grant privileges" signal directly into portal, thus bypassing the entire biometric system.
  - Attacker cuts power to system. Either (a) system fails in "open" or "insecure" mode, allowing unauthorised access; or (b) system fails in "closed" or "secure" mode, disallowing authorised access.
  - Attacker defeats backup system, alternative authentication method, or exception handling process: (a) during normal operation, or (b) after a "secure" system failure.
  - User gains access to unauthorised privileges after privileges have been improperly modified.
  - Attacker tampers with, modifies, bypasses, or deactivates one or more hardware components.
  - Attacker exploits hardware "back-door", design flaw, environmental conditions, or failure mode.
  - Attacker floods one or more hardware components with noise (e.g. electromagnetic or acoustic energy).
  - Impostor intercepts/inserts authorised biometric template from/to one or more hardware components.
  - Impostor takes over a session.
  - Attacker tampers with, modifies, bypasses, or deactivates one or more software or firmware executables.
  - Attacker exploits software or firmware "back-door", algorithm quirk, design flaw, or failure mode.
  - A virus (or other malicious software) is introduced into the system.
  - Impostor intercepts/inserts authorised biometric template from/to one or more software or firmware components.
  - Attacker tampers with, modifies, bypasses, or deactivates one or more connections between components.
  - Impostor intercepts or inserts authorised biometric sample or template as it is being transmitted between subsystems or components.

Table 9: Impostor threats to a biometric system according to the CC Biometric Evaluation Methodology study (BEM)

 

Impostor threats in practice

Ideally, all threat locations should be analysed. However, the scope of the investigation in this section is limited to the testing of artificial fingerprints (User/Capture threats) and USB port data interception (Capture/Extraction threats). Note that the Type I government controlled ID model and the Type III mixed model tend to have more strictly controlled enrolment and use environments than the Type II access control and Type IV convenience models. As User/Capture and Capture/Extraction threats often require some kind of undetected physical or logical access to the biometric system, these threats are relatively more relevant for the Type I and III models than for Type II and IV.

 

User/Capture threat analysis 

For an explanation of most fingerprint scanner technologies, the reader is referred to FIDIS Deliverable 6.1 (although Lumidigm’s multispectral imaging technology is not explained in that deliverable). The figure below shows two fingerprint scanners that were tested by the Netherlands Forensic Institute for this deliverable. Multispectral imaging entails the capture of nine different fingerprint images in a fraction of a second, each with a unique illumination and polarisation combination. It is claimed to allow the capture of data both from the surface of the skin and from beneath it. The Lumidigm scanner is also claimed to detect spoofs by comparing spectral characteristics against those of a wide range of known spoofs; should new spoofs appear, the developers can update the software to include their characteristics as well. The scanner is much more expensive than most other fingerprint scanners.

 


Figure: Left side: Lumidigm J110-E1 fingerprint scanner using multispectral imaging technology; right side: RiTech BioSlimDisk USB memory stick protected with a capacitive fingerprint scanner

 

The Lumidigm fingerprint scanner J110-E1 has undergone the same testing as the fingerprint scanners in Deliverable 6.1. All spoofs were recognised as such, except, in a limited number of cases, the Super Soft Plastic spoof. The success rate of that spoof was very sensitive to positioning, which diminished the repeatability of the test.

 

The RiTech 128 MB BioSlimDisk proved to be easier to spoof: using a gelatin spoof worked nearly all the time. Another spoofing method for this device uses the latent fingerprint of the previous user. If such a fingerprint is present and of sufficient quality, the device can easily be spoofed by breathing on the sensor, thereby activating the latent fingerprint. The device does get warm after a short period of use, after which the breathing technique no longer works as well. In such a case a can of Airduster (e.g. from Electrolube) held upside down can be used to spray compressed gas on the sensor, which rapidly cools the sensor and activates the latent fingerprint as well (see the figure below).

 


Figure: Activating a latent fingerprint on the BioSlimDisk with a can of airduster

 

Table 10 shows a summary of the spoofing test results. Success rates are categorised as None (meaning the spoof did not work at all), Low (meaning it only worked occasionally, and with difficulty), Medium (meaning it works quite often) or High (meaning it nearly always works).

Spoof | Biometric device
(Only the column headers of this table survived extraction; the result cells are not recoverable.)

Table 10: Success rates of fingerprint spoofs with two biometric devices

 

Capture/Extraction threat analysis 

Another potential threat to the security of biometric systems is the interception of data traffic between the biometric device and a connected PC. Such data could be analysed for the presence of user data, from which personal biometric samples may be reconstructed. A step further would be to relay the data through a customised software driver that modifies it; previously recorded biometric sample data of an authorised user could then be inserted (a so-called ‘replay attack’) to gain access to the system. The success of such attacks depends not only on the programming of the driver and the analysis of the intercepted data, but also on the security of the biometric system infrastructure: the driver would have to be installed on the system, for instance through a virus or through physical or logical access, and it would have to remain hard to detect while active.

The scope of the current research is limited to the analysis of intercepted data. A number of tests were performed at the Netherlands Forensic Institute, in which data traffic between USB-connected biometric devices and a PC was intercepted using USB-sniffing software called ‘USB Monitor’. USB-sniffing software essentially displays all data packets in the USB data traffic. Table 11 lists the fingerprint scanners that were analysed; the sensor technologies mentioned therein are explained in FIDIS Deliverable 6.1.

 

 

Sensor technology used                        | Company             | Device model
Frustrated Total Internal Reflection (FTIR)   | Digital Persona     | UareU4000
Surface Enhanced Irregular Reflection (SEIR)  | BioCert             | Hamster III (SecuGen FDU02 sensor)
Electro-optical                               | Security First Corp | Ethenticator 2500 USB
Electric field                                | Targus              | DEFCON Authenticator PA460U (Authentec Entrépad AES 4000 sensor)
Piezoelectric                                 | IdentAlink          | UFIS210 (BMF BLP-100 sensor)
Thermal (sweep sensor)                        | IdentAlink          | UFIS110 (Atmel FingerChip FCD4B14CC thermal sensor)
Ultrasonic                                    | Ultra-Scan          | Ultra-Touch 203

Table 11: Tested biometric devices

 

The general approach taken is to filter out communication protocol data and other overhead data and to analyse the remaining packet payload. Software was written to display the byte values of the data packets as pixels in an image, with the value determining the colour of the pixel (see panel a of the figure below). By varying the image width and experimenting with the byte formatting, images may be extracted from the data (see panels b and c).

 


Figure: Intercepted data from the SecuGen scanner, visualised as image pixels. a) A pattern is clearly visible. b) The even bytes, with proper image width. c) The odd bytes, with proper image width.

Some of the devices claim to make use of data encryption. For those devices, encryption was confirmed and indeed no intelligible biometric sample data could be found. As breaking the encryption is beyond the scope of the test, further analysis of the devices in question was abandoned. For all of the devices without encryption, fingerprint images could be reconstructed from the data packets with the approach described above. The test results are summarised in table 12.
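As an added illustration of the approach above (code written for this edit, not part of the deliverable or of the Netherlands Forensic Institute's tooling): strip the per-packet overhead, split the payload into even and odd bytes, and search for the image width. The packet framing (a 4-byte header), the 16-bit sample layout and the sample image are all constructed here. Instead of judging candidate widths by eye, the code scores each width by the mean difference between vertically adjacent bytes: at the true width neighbouring rows of an image are alike, so the score collapses, while an encrypted (or otherwise random) payload scores roughly 85 at every width. The same score is one way to confirm, as table 12 records for three devices, that no intelligible sample data is present in a capture.

```python
"""Added example (not from the FIDIS deliverable): checking whether an
intercepted USB payload carries an unencrypted image. The packet framing,
the 16-bit sample format and the sample image are constructed here."""
import random

HEADER_LEN = 4          # constructed framing: 4-byte header per packet
WIDTH, HEIGHT = 64, 48  # constructed image geometry (pixels)


def strip_headers(packets, header_len=HEADER_LEN):
    """Filter out protocol overhead: drop each packet's header, keep the payload."""
    return b"".join(p[header_len:] for p in packets)


def split_even_odd(stream):
    """De-interleave into even- and odd-indexed bytes (low/high byte of a
    16-bit sample), as in panels b and c of the figure."""
    return stream[0::2], stream[1::2]


def row_difference(stream, width):
    """Mean |difference| between vertically adjacent bytes when `stream`
    is laid out `width` bytes per row. At the true width neighbouring
    rows of an image are alike, so the value is small."""
    rows = len(stream) // width
    if rows < 2:
        return 255.0
    span = (rows - 1) * width
    return sum(abs(stream[i] - stream[i + width]) for i in range(span)) / span


def guess_width(stream, candidates):
    """Return (width, score) for the candidate width with the smallest row difference."""
    score, width = min((row_difference(stream, w), w) for w in candidates)
    return width, score


def looks_like_image(score, threshold=20.0):
    """Random (e.g. encrypted) bytes score about 85 at every width;
    an image scores far lower at its true width."""
    return score < threshold


def _frame(body):
    """Cut a payload into 64-byte packets, each prefixed with a constructed header."""
    return [bytes([0xA5, 0x01, seq & 0xFF, 0x00]) + body[i:i + 64]
            for seq, i in enumerate(range(0, len(body), 64))]


def build_plain_capture():
    """Constructed unencrypted capture: one 16-bit little-endian sample per
    pixel; even byte = intensity (diagonal gradient), odd byte = a
    per-column code that changes every four columns."""
    body = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            body.append((4 * x + y) % 256)
            body.append(x // 4)
    return _frame(bytes(body))


def build_encrypted_capture(seed=7):
    """Constructed 'encrypted' capture: same framing, pseudo-random payload."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(WIDTH * HEIGHT * 2))
    return _frame(body)


def analyse(packets, candidates=range(40, 100)):
    """The approach from the text, automated: strip overhead, de-interleave,
    search the candidate widths for image structure."""
    even, odd = split_even_odd(strip_headers(packets))
    even_w, even_s = guess_width(even, candidates)
    odd_w, odd_s = guess_width(odd, candidates)
    return {
        "even": (even_w, even_s),
        "odd": (odd_w, odd_s),
        "image_like": looks_like_image(even_s) or looks_like_image(odd_s),
    }


if __name__ == "__main__":
    print("plain    :", analyse(build_plain_capture()))
    print("encrypted:", analyse(build_encrypted_capture()))
```

The width search deliberately excludes multiples of the true width from its candidate range, because an image laid out at twice its width still has similar neighbouring rows; in practice one sweeps a plausible range for the sensor and inspects the best few widths as the text describes.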

 

Threat analysis conclusions 

Combining the conclusions from Deliverable 6.1 with the results in this section, it is clear that many biometric devices are still not adequately protected against spoof attacks and data interception attacks. Of the fingerprint scanners tested here, only the Lumidigm device seems to have effective spoof protection, which the manufacturer can upgrade to cover future spoofs; that protection is, however, reflected in the device price. The data interception threats to the fingerprint scanners can easily be reduced by implementing some form of data encryption.

 

Fingerprint scanner model    | Data encryption?  | Extraction example
UareU4000                    | Yes (128 bit)     | not successful
Hamster III                  | No                | (reconstructed image; not reproduced in this extract)
Ethenticator 2500 USB        | No                | (reconstructed image; not reproduced in this extract)
DEFCON Authenticator PA460U  | Yes (256 bit AES) | not successful
UFIS110                      | No                | (reconstructed image; not reproduced in this extract)
UFIS210                      | No                | (reconstructed image; not reproduced in this extract)
Ultra-Touch 203              | Yes (unknown)     | not successful

Table 12: Results of USB sniffing attempts

 

Combined technologies

Biometrics are often combined with other technologies, such as RFID technology, chip cards and other storage devices or databases.  

The RFID chip card is commonly used in access control to buildings and public transportation. Often implementations only require the card. If the card gets stolen, someone else can enter the building or the public transportation with the card. To limit unauthorised access, pin codes and biometric features such as fingerprints are used.

The biometrics can be stored either in a database or on the card; it is important that the implementation does this in a secure way. An example of biometrics stored on an RFID chip is the biometric passport. A different example is the iris scan used in the Privium project for border passage at Schiphol Airport, where a template of the iris is stored on a smart card. If the current security schemes are implemented properly, it becomes nearly impossible to extract the biometric data without access to the secret keys.

In low cost solutions it is possible that the encryption is not properly implemented, so that it becomes easy to capture the biometrics, for example from the USB cable. This was demonstrated at the Black Hat conference in 2006 with a consumer fingerprint device.

It is expected that these vulnerabilities will be reduced. The problem was that these devices were developed quickly, so less secure solutions resulted. A known example is the USB stick with fingerprint reader. There are fingerprint USB sticks on the market on which the data is not encrypted on the storage device. This means that someone can circumvent the protection by going into the hardware of the stick itself, after the circuit that performs the biometric comparison, and sending out the right signal. Another possibility is simply to ask several persons to try to access the key. In theory, if the Equal Error Rate is 1 percent, which is the case for some practical devices, this means that with 100 different fingerprints one will gain access to the USB key, and that with 100 correct fingerprints one person will not get access. In this case it is trial and error with different people.
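The trial-and-error reasoning above can be made precise. The following added example (written for this edit, not from the deliverable) computes, for a constructed operating point, the expected number of false accepts among N zero-effort presentations, the probability that at least one of them is accepted, and the number of presentations needed to reach a given chance of success; on the defender's side it models a constructed lockout policy (maximum consecutive failures, then a lockout period) to show how an attempt limit bounds the number of trials available within a time window. Both the error rates and the policy parameters are assumptions.

```python
"""Added example (not from the FIDIS deliverable): what a zero-effort,
trial-and-error attack yields at a given false accept rate, and how a
lockout policy bounds the number of trials. All rates and policy
parameters below are constructed for illustration."""
import math


def p_at_least_one_accept(far, trials):
    """Probability that at least one of `trials` independent impostor
    presentations is falsely accepted, each with probability `far`."""
    return 1.0 - (1.0 - far) ** trials


def expected_false_accepts(far, trials):
    """Expected number of accepted impostors among `trials` presentations
    (the 'one in 100 at 1 % EER' figure in the text is this expectation)."""
    return far * trials


def expected_false_rejects(frr, genuine_attempts):
    """The mirror image: expected number of rejected genuine users."""
    return frr * genuine_attempts


def trials_for_confidence(far, target):
    """Smallest number of independent trials for which
    P(at least one false accept) reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - far))


class LockoutPolicy:
    """Defender-side attempt throttling (constructed policy): after
    `max_fails` consecutive failures the device refuses presentations for
    `lockout_s` seconds; each presentation takes `attempt_s` seconds."""

    def __init__(self, max_fails, lockout_s, attempt_s):
        self.max_fails = max_fails
        self.lockout_s = lockout_s
        self.attempt_s = attempt_s

    def trials_possible(self, horizon_s):
        """Upper bound on failed presentations within `horizon_s` seconds."""
        cycle_s = self.max_fails * self.attempt_s + self.lockout_s
        full_cycles, remainder = divmod(horizon_s, cycle_s)
        return full_cycles * self.max_fails + min(self.max_fails, remainder // self.attempt_s)

    def success_probability(self, far, horizon_s):
        """P(at least one false accept) reachable by impostors within the window."""
        return p_at_least_one_accept(far, self.trials_possible(horizon_s))


if __name__ == "__main__":
    far = 0.01  # constructed: operating point at 1 % EER, as in the text
    print("expected false accepts in 100 trials:", expected_false_accepts(far, 100))
    print("P(>=1 false accept in 100 trials):   ", round(p_at_least_one_accept(far, 100), 3))
    print("trials for a 50 % chance:            ", trials_for_confidence(far, 0.5))
    policy = LockoutPolicy(max_fails=5, lockout_s=3600, attempt_s=5)
    print("trials possible in 8 h under lockout:", policy.trials_possible(8 * 3600))
    print("P(>=1 false accept in that window):  ", round(policy.success_probability(far, 8 * 3600), 3))
```

The lockout policy only helps against presentations made at the device itself; it does nothing against the replay and template-insertion threats listed in table 9, which bypass the sensor entirely.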

For an evaluation of the security of these systems, one should look at the separate parts and at the whole system before drawing conclusions. It is also necessary to check the claims of the manufacturer with one's own test set, to evaluate whether the settings are the same as the manufacturer has specified.

For access to mobile phones, biometric features such as fingerprint and face recognition are implemented in products (such as the OKAO Vision Face Recognition Sensor, software that can be used in mobile phones for face recognition, and the Pantech GI100 phone). Although commercial implementations have been available on the market since 2005, the mainstream mobile phone brands have not yet implemented this widely.

When combining biometrics with other technologies, additional threats need to be analysed and countered by appropriate security measures. One example of this, discussed above, is the storage of biometric reference data on RFID chips. The confidentiality of these biometric reference data depends, among other things, strongly on control over the biometric system and on the effectiveness of the access control mechanisms for the biometric data stored on the RFID chip. Development of additional technical security solutions is required before these technologies can be used securely in combination; this applies to all Types discussed above. Obviously this was not done sufficiently for MRTDs such as the ePassport (Type I c government controlled ID model). As a consequence, Basic Access Control (BAC), the access control mechanism applied in today’s MRTDs, shows a number of severe weaknesses. A weak point of the encryption can be that the secret key has to be shared widely in order to be used. Methods are available to store a derived digital feature that cannot easily be computed back to the real biometric feature.

As RFID is developed for wireless and remote readability, tracking of passport holders is a potential additional threat compared to purely paper-based passports. To prevent tracking, several measures such as Faraday cages, randomly chosen identifiers for the RFID chip and cryptographic access control mechanisms can be used. Unfortunately, the implementation of these measures is insufficient or missing, so that under certain circumstances tracking of passport holders appears to be quite possible. An additional threat is tracking using the biometric raw data (especially the digital photos) stored on the RFID chip. As the range of readers can be extended up to 50 cm, unnoticed readout of the raw data and its abuse for tracking purposes using hidden cameras and biometric matching systems is a possible scenario.

A possible solution to prevent unauthorised readout of RFID chips is to use them only in an active mode (dual port chips). In this case the data subject has to power up the RFID holding device by a wilful act before the chip can be read by an external device. Such a scheme greatly reduces the possible physical points of attack. 

 

Concluding remarks on security and privacy aspects of biometrics 

Biometric systems contain numerous sensitive points which may be attacked by impostors, or by attackers who intend to render the biometric system inoperative. The aim of an attacker is to manipulate the system in such a way that it produces untrustworthy or wrong results. For the points of attack which have been identified, appropriate countermeasures shall be taken on both a conceptual and an organisational level before a biometric system is put into use. Direct attacks on the physical biometric characteristic of a subject are conceptually not avoidable, and the risk that such an attack succeeds is difficult to estimate. In addition to the security threats, biometric systems also pose several significant privacy risks, which have been summed up above. These security and privacy threats are elements which need to be taken into account when evaluating the proportionality and the efficiency of the use of a biometric system for a specific purpose and in the context of a specific type of application (see above, section 3.3.3). Biometric applications should not be introduced if the privacy and security threats for individuals are disproportionate in comparison with the benefits of the system.

 

 

20071228_fidis_deliverable_wp3_10_V1.0.final.sxw