Think You Know Biometrics?

Anatomy of a Presentation Attack

Malicious actors use presentation attacks, also known as “spoofing,” to defeat biometric systems. As soon as a new biometric authentication method emerges, someone will inevitably look for ways to foil it, and some of those methods involve materials that are readily available. The notorious German hacker collective, Chaos Computer Club (CCC), has famously developed spoofing attacks for fingerprint, iris and face recognition scanners within days of their emergence in popular devices like the iPhone and Samsung Galaxy. While most systems now have ways to detect certain kinds of presentation attacks, the constant efforts of hackers to beat emerging tech mean that organizations should have a strategy for dealing with these nefarious tricksters. To do that, organizations should understand their methods and consider how they use attacks both to assume others’ identities and to evade their own identification.

Attacks can be divided into two major groups: attacks on the physical layer, and attacks on the digital layer.

Physical layer attacks exploit a necessary limitation of biometric scanners—their narrow window of observation. Most scanners only focus on a specific set of features on a limited area of the human body. A well-done physical layer attack can sometimes defeat the sensors on a device and achieve a positive match. Your two-finger scanner can only see the fingers on the platen. It’s up to the officer or other layers of security to see that the two fingers aren’t attached to a human being, and might actually be painted gummy bears (yes — gummy bears).

Below are some common biometric authentication methods and what attackers use to fool their sensors:


Fingerprint Scanning

Spoofing some fingerprint scanners is feasible, and can be achieved with varying degrees of difficulty. It is possible to pick up a latent print from certain surfaces where prints of the desired user might be found, and transfer that image to a mold. Unless your employees wear gloves all the time (except when they’re using your biometric scanners), chances are that a determined and knowledgeable attacker could pick up a latent print and replicate a play-doh thumb, or craft a thin piece of silicone rubber daubed with conductive gold leaf to put on their own finger, or perhaps simply use bare conductive latex paint. Done well and in an unmonitored environment, the attack might fool a scanner.


Facial Recognition

Like your fingerprint, your face isn’t exactly private. Attackers with cameras or access to social networking can grab your face and use it to their own ends. Face recognition devices have been foiled by high-resolution pictures, videos and 3D-printed masks. Identical twins can also pose a challenge to these systems. Once again, in today’s social posting culture and monitored environments, it’s impossible to keep faces from getting around.


Iris Scanning

To fool an iris scanner, you have to get a little more creative. While the CCC was able to fool an iris scanner using a high-resolution picture some years ago, technology has improved since then. Attackers have had to graduate to more complicated methods, including 3D-printed contact lenses and even artificial eyes with artificial inner eye structures. However, the latest iris scanning technologies aren’t circumvented by these methods.


Behavioral Biometrics

Behavioral biometrics, including keystroke rhythm, mouse movement or gait analysis, are also vulnerable to physical layer attacks and are not currently as accurate as physiological biometrics. These attacks typically require the attacker to mimic the target, which can be rather challenging, but they could provide a truly determined attacker an opportunity.


All of that said, in typical Hollywood glamorization and misrepresentation, a recent spy flick showed Tom Cruise doing a variety of implausible things using equally implausible technology, but the one thing he didn’t try to do was fool a gait authentication system (complete with tasers). Instead, our hero swam to an underground data vault to add his friend – the attacker – to the closed database of approved individuals to match against — which is what you would call a digital layer attack.

Digital layer attacks exploit the other limitation of any authentication system — its programming and connectivity. Biometric scanners have to be connected to computing capabilities to process and submit. Since they’re connected to other systems which run their own sets of digital processes, they can be hacked. Attacks on the digital layer don’t fool the device’s sensors; they fool or infiltrate the programming downstream from the sensor. In such cases the system is manipulated into providing the desired positive match or no match.
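As an added illustration (not from the original article) of why the programming downstream of the sensor matters: a toy Python verification pipeline in which the match decision is made after the sensor, and the enrollment store carries an HMAC seal so that an identity added outside the enrollment process, as in the vault scenario above, is detected rather than matched. The sealing key, the feature vectors standing in for templates, the matcher and the threshold are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sealing key for this example only; a real deployment keeps it in a
# key store or HSM, out of reach of the host that holds the enrollment database.
SEAL_KEY = b"example-seal-key"

# Constructed enrollment records: user -> feature vector standing in for a template.
ENROLLED = {"alice": [3, 7, 1, 9, 4, 6, 2, 8], "bob": [5, 5, 2, 0, 1, 3, 9, 7]}


def seal(db):
    """HMAC over a canonical serialisation of the whole enrollment store."""
    payload = json.dumps(db, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, payload, hashlib.sha256).hexdigest()


def seal_ok(db, tag):
    return hmac.compare_digest(seal(db), tag)


def similarity(probe, template):
    """Toy matcher: fraction of feature positions that agree."""
    agree = sum(1 for p, t in zip(probe, template) if p == t)
    return agree / len(template)


def authenticate(db, tag, claimed_user, probe, threshold=0.75, check_seal=True):
    """Decision made downstream of the sensor: 'match', 'no-match', 'unknown-user' or 'tampered'."""
    if check_seal and not seal_ok(db, tag):
        return "tampered"  # store was modified outside the enrollment process
    template = db.get(claimed_user)
    if template is None:
        return "unknown-user"
    return "match" if similarity(probe, template) >= threshold else "no-match"


def demo():
    tag = seal(ENROLLED)  # produced once, at enrollment time, and stored separately
    legit = authenticate(ENROLLED, tag, "alice", [3, 7, 1, 9, 4, 6, 2, 0])
    # Digital-layer tampering: an extra identity is written straight into the store.
    tampered = dict(ENROLLED, mallory=[1] * 8)
    unchecked = authenticate(tampered, tag, "mallory", [1] * 8, check_seal=False)
    checked = authenticate(tampered, tag, "mallory", [1] * 8)
    return legit, unchecked, checked


if __name__ == "__main__":
    print(demo())  # ('match', 'match', 'tampered')
```

The seal only helps if the key is unavailable to whoever can write to the store, which is why the key and the store need separate custody.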

Any of the above biometric authentication methods can be targeted by a sophisticated digital layer attack. Strong cybersecurity measures are the best way to head off those kinds of intrusions. While criminals are smart, biometric technology keeps getting smarter. A risk-adaptive, multi-layered approach to security can help head off presentation attacks and thwart the attackers, no matter what they’ve got up their sleeves.
