
Biometrics

Vulnerabilities & Exploits

Jtd1959@gmail.com
INTRODUCTION
• Old World methods of trust and
authentication
– Personal introductions, documents
– Key role player is the authenticator
• New World requirements
– Anonymous, large scale, short term
relationships
– Key requirement is building up of trust
• No defence mechanisms of older methods
present in newer systems
Authentication by Technology
• Requires the exchange of certain
FACTORS
• Requires an authority who can verify these
factors
• Requires an authority who can provide
permission to build a relationship and
transact
...Authentication by Technology
Factors are classified into 3 types
• Ownership factor like cards, badges or keys
• Knowledge factor like user id, password
and pins
• Inheritance factor like weight, height, face
shape, color of eyes/hair, birth marks etc.
all nicely encoded in a photo
Properties of different Factors
Table 1. Properties of different Factors
Factors                     Examples                  Desired Properties               Available properties
Ownership factor            Cards, Badges, Keys       Unique and Shareable             Yes
What you have                                         No Duplication                   Usually can be duplicated
                                                      Revocable                        Yes
Knowledge factor            User ID, Password, PIN    Unique and Shareable             Yes (within a particular context)
What you know                                         Hard to guess, easy to remember  Usually the reverse
                                                      Must be a secret
Inheritance factor          Fingerprint, Face, Iris,  Easily Digitized                 Discussed below
What you are (Something     Voice, Retina             Easily Verifiable
Unique about you)                                     Non Spoofable
                                                      Time Invariant
                                                      Environment Invariant
The Inheritance Factor - Biometrics
The Subject of discussion for today is the
Inheritance Factor – Biometrics
• Implementation difficulties
• Vulnerabilities
• The authentication process and its
vulnerabilities, in brief
• Since the UIDAI has chosen the use of
fingerprints and iris as a means of
authentication, we will be discussing only
these factors
Finger Print Scanners
Most commonly used Finger Print scanners
Sensor Technology   Scanner types         Live finger detection   Number of fingers
Optical             Swipe                 Conductivity            Single
Capacitive          Static contact        Thermal                 Paired
Thermal             Static non contact    Both                    All
RF Resistive Capacitive

• Many variations on these basic techniques
• Variations are primarily to reduce cost, size and
probably to overcome existing patents
• Some claims exist about the ability to sense below
the “dead skin” surface. However, for our
vulnerability assessments, these claims are trivially
overcome
• Sensor technologies are not relevant to the scope
of vulnerabilities and exploits
Fingerprint Readers

Fig 1: Optical Sensing
Fig 2: Capacitive Sensing
Fig 3: Optical Reader
Fig 4: Optical module
Fig 5: Multi-Slap
Iris Scanners

Fig 6: Hand-Held Iris Scanner
Fig 7: Iris scanner in field use


• Iris scanners use a Near Infra Red light
• Camera coupled with some autofocusing
techniques (commonly used in autofocus
cameras)
Iris scan - Base Technique

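John Daugman (1994)

Pupil detection: circular edge detector

$$\max_{(r,\, x_0,\, y_0)} \left| G_\sigma(r) * \frac{\partial}{\partial r} \oint_{r,\, x_0,\, y_0} \frac{I(x, y)}{2\pi r}\, ds \right|$$

Segmenting sclera

$$\max_{r \in [1.5 r_0,\, 10 r_0]} \frac{\partial}{\partial r} \int_{\rho = r - \delta}^{r + \delta} \frac{2}{\pi \delta r} \int_{\theta = \phi - \pi/8}^{\phi + \pi/8} I(\rho, \theta)\, \rho\, d\rho\, d\theta$$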

Fig 8: An Iris with circular segmentation and the maths involved in deriving the 2048 bit value
The Process

Fig 9: Biometric Enrollment and Verification process

• All id systems involve an enrollment process and
an authentication process, followed by an
authorization process, to enter / exit / receive /
deposit etc.
The Enrollment Process
• Capture image
• Process image
• Extract Features
• Create Template
• Save raw data in the case of criminal records
• Encryption
• Transmission
• De duplication and storage
Fig 10: Finger Print Capture
Fig 11: Index values extracted from fingerprint images
The Authentication process
• Capture image
• Process image
• Extract Features
• Create Template
• Encryption
• Transmission
• Receive result
• UIDAI has not specified iris for authentication*
Fig 13: Comparison of minutiae with stored template
Threats faced by biometric systems
• Threat agents
– Only simple impostor, without much
sophistication or resources. We shall
leave out cross-border attack vectors, as
pilfering state subsidies may not be their
highest priority
• Threat Vectors
– Fake credentials and replay attacks
• System Weaknesses
– Extraction of digital keys, use of internal
facilities of sensors
Desired Characteristics And Limitations
• Easy and accurate Digitization of the
presented bio characteristic
• Time Invariant
• Environment Invariant
• Spoof proof
... Limitations in enrollment / auth
• Easy and accurate Digitization – neither easy nor accurate
• Too many wrong methods, results in unreproducible template
• Guided enrollment useless for auth
• Very difficult for occasional users
• Manual overrides = more holes
Fig 14: How not to place your finger on the sensor
... Limitations in enrollment / auth
• Time invariance – a myth
– Ageing changes fingerprints (1)
– Skin ailments make auth difficult if not impossible
– No large scale studies on heterogeneous
populations
– Will require frequent re-enrollment – aka more
holes
– No (available?) studies on iris variations due to
ageing
– Errors due to unknown causes (2)
1) https://www.cerias.purdue.edu/apps/reports_and_papers/view/3155/
2) http://biometrics.nist.gov/cs_links/quality/workshopII/proc/Kim_Analysis_of_Effect_of_Fingerprint_Sample_Quality_in_Template_Ageing.pdf
... Limitations in enrollment / auth
• Environment invariance – a myth
– Waterlogged hands change fingerprints'
machine readability
– Dry skin changes fingerprints' machine
readability
– Will require frequent re-enrollment – aka more
holes
– No (available?) studies on iris variations due
to harsh environments
– Inter device variations
http://www.slideshare.net/bspalabs/2008-investigating-the-relationship-between-fingerprint-image-quality-and-skin-characteristics
... Limitations in enrollment / auth
• Non- Spoofability
– Biometrics are the worst
– Fingerprints are spoofed by the gummy finger
technique
– Irises are spoofed by photographs
– Irises are spoofed by patterned contacts
Spoofing made easy - Fingerprints
• Uses common ingredients
• Fools all systems with greater than 60% repeatability
• Newer materials and techniques even more effective
http://cryptome.org/gummy.htm
Spoofing made easy - Iris
• Buy from the net to create fake ids for sale
• PCB etching techniques for masquerading
• Older technique using high res photograph with pupil holes
Fig A.3-1: Spiderman returns
http://www.visiondirect.com/lens/default.asp?catid=10774&trx=LeftNav&trxp1=27087&trxp2=10774&trxp3=2
Attack Vectors requiring skill
• Template reconstruction
– Biometric id systems store data as
templates, usually a few kilobytes in
size. It has been shown that a biometric
fingerprint system can be compromised
by recreating the biometric using the
stored template
– Template extraction and storage is a
feature of systems
... Attack Vectors requiring skill
• Key duplication
– Trivial to break into the device and
extract keys
– Addition and deletion of keys is a feature
– Even in locked down devices, the key
can be recovered by simply copying the
onboard flash to a PC and reusing the
backup in a device purchased from the
market
... Attack Vectors requiring skill
• Replay attack at sensor pins
– The sensor interfaces are relatively
simple
– Produce raw data (Fig 4). It is possible
to record all data, and then replay that
data
– This attack requires some technical skill
– However once developed it can be
mass produced and will be
undetectable
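A sensor that only emits raw data gives the host no way to tell a recording from a live capture. The code below is an added example, not from the original slides: the host sends a fresh nonce and the sensor returns an HMAC over nonce plus frame, so a recorded response fails when presented again. The Sensor and Host classes, the shared key and the sample frame are hypothetical, and the check holds only if the key cannot be extracted from the device.

```python
import hashlib
import hmac
import secrets

class Sensor:
    """Hypothetical sensor that authenticates each frame with the host's nonce."""
    def __init__(self, key):
        self._key = key

    def capture(self, nonce, frame):
        # The MAC covers nonce + frame, so the tag is valid for this challenge only.
        return frame, hmac.new(self._key, nonce + frame, hashlib.sha256).digest()

class Host:
    """Hypothetical host side: one fresh 16-byte nonce per capture request."""
    def __init__(self, key):
        self._key = key
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accept(self, frame, tag):
        nonce, self._pending = self._pending, None  # a nonce is usable once
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce + frame, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def replay_demo():
    key = secrets.token_bytes(32)            # assumed to sit in tamper-resistant storage
    sensor, host = Sensor(key), Host(key)
    frame = b"constructed raw sensor frame"  # stand-in for real image data
    recorded = sensor.capture(host.challenge(), frame)  # what a tap on the pins records
    live_ok = host.accept(*recorded)
    host.challenge()                         # next transaction, new nonce
    replay_ok = host.accept(*recorded)       # the recording presented again
    unsolicited_ok = host.accept(*recorded)  # presented with no outstanding nonce
    return live_ok, replay_ok, unsolicited_ok

if __name__ == "__main__":
    print(replay_demo())
```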
Biometrics WORST CHARACTERISTIC

• Cannot be withdrawn
• Cannot be changed
• This violates the basic requirement of any id system
Inherent problems with Biometric Systems
• FAR - False Acceptance Rate indicates the
number of wrong matches of a presented
biometric – mistakenly identifying one person
as another
• FRR - False Rejection Rate (also called False
Non Match Rate) indicates the number of
wrong rejects of a presented biometric.
• Best FAR of .00060 for fingerprints
• Best FAR of .000120 for Iris
• Best FRR of .0060 for fingerprints
• Best FRR of .0012 for Iris
... Inherent problems with Biometric Systems

              FAR (%)     FRR (%)    Adult Population    False acceptance    False Reject
                                     (Million)           (Million)           (Million)
Fingerprint   0.000600    0.0060     850                 0.51                5.1
Iris          0.000120    0.0012     850                 0.1                 1.02

• FAR and FRR closely linked to template size
• Reducing FAR increases FRR
• Reducing FRR increases FAR
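The trade-off stated above, shown as an added example that is not part of the original slides: constructed 2048-bit templates are matched by fractional Hamming distance against an acceptance threshold, and the threshold is swept. The random templates, the 10% to 50% capture-noise range and all function names are assumptions for illustration, not measured data.

```python
import random

CODE_BITS = 2048  # template length quoted for the iris code (Fig 8)

def hamming_fraction(a, b):
    """Fraction of differing bits between two templates (0.0 = identical)."""
    return bin(a ^ b).count("1") / CODE_BITS

def noisy_capture(code, flip_prob, rng):
    """Re-capture of the same eye: each bit flips with probability flip_prob."""
    mask = sum(1 << i for i in range(CODE_BITS) if rng.random() < flip_prob)
    return code ^ mask

def simulate_scores(n_people=150, seed=7):
    """Constructed data: random templates, capture noise between 10% and 50%."""
    rng = random.Random(seed)
    enrolled = [rng.getrandbits(CODE_BITS) for _ in range(n_people)]
    genuine = [hamming_fraction(c, noisy_capture(c, rng.uniform(0.10, 0.50), rng))
               for c in enrolled]
    # Each person compared against a different person's template.
    impostor = [hamming_fraction(enrolled[i], enrolled[i - 1])
                for i in range(n_people)]
    return genuine, impostor

def far_frr(genuine, impostor, threshold):
    """Accept when distance <= threshold; return (FAR, FRR) as fractions."""
    far = sum(d <= threshold for d in impostor) / len(impostor)
    frr = sum(d > threshold for d in genuine) / len(genuine)
    return far, frr

def sweep(thresholds=(0.0, 0.30, 0.40, 0.47, 0.50, 1.0)):
    """Rows of (threshold, FAR, FRR); loosening the threshold trades FRR for FAR."""
    genuine, impostor = simulate_scores()
    return [(t,) + far_frr(genuine, impostor, t) for t in thresholds]

if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
```

A strict threshold rejects poor-quality genuine captures, while a loose one starts accepting other people's templates; no setting drives both rates to zero once the two score distributions overlap.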
... Inherent problems with Biometric Systems
• Requires very good power
• Requires very good telecommunications
infrastructure
• Both of very poor quality in many areas
• Even in Maharashtra in the Konkan region,
such infrastructure is poor due to natural
causes
– Hilly terrain
– RF shadow regions
– Heavy rains and lightning
Summary
• Biometrics as a unique id in an automated system
has never been tested on a large scale
• The inherent characteristic of biometrics is its
irrevocability. This is in direct contradiction of any
id / security system, where keys must be
revocable and reissuable
• Fingerprints are easily spoofable
• Iris patterns are easily spoofable
• Biometrics are very susceptible to the natural
biological processes of growth, ageing and
environment
• Numerous technical vulnerabilities are available for
exploitation at the sensor-system interface
