It wasn't the first time the Chaos Computer Club exposed vulnerabilities in fingerprints as passwords. But it was the first time since Apple Inc. released its increasingly popular pay-by-fingerprint Apple Pay system.
At the club's annual conference late last month, CCC member Jan "Starbug" Krissler showed how to reconstruct convincing enough prints from surreptitiously taken photographs to dupe fingerprint scanners. The club, known for cutting-edge research, promoted Mr. Krissler's talk on their German-language site in a way that would strike fear into the heart of anyone working on – or promoting – fingerprint security: "Fingerprint biometrics [are] finally only a safety placebo."
Biometric security is the use of human attributes such as fingerprints, iris scans, and facial features to verify identity. The field of biometrics is wider – the Fitbit relies on biometrics – but in common parlance, “biometrics” is mostly used for authentication. It's often touted as the eventual replacement for passwords by a group who see Apple Pay as the first nail in the password's coffin.
The cybersecurity coordinator for the White House, Michael Daniel, even declared he was on a mission to "kill the password dead." He's not alone: Passwords are clumsy, forgettable, typo-prone, unloved, and unlovable. Biometrics is the opposite. Using physical attributes is impossibly convenient – just try forgetting a password when your finger is the password.
Krissler effectively muted the excitement. After his talk, a Los Angeles CBS affiliate proclaimed: "Experts Warn Fingerprints Easier To Hack Than Old-Fashioned Passwords."
But fingerprints, faces, retinas, and all kinds of biometric indicators have been easy to forge as long as there have been methods to use them as identification. Go back 20 years to the movie "Sneakers," and the big heist hinged on a tape recorder beating voice identification. People leave fingerprints all over the place. We show our faces in public. There are plenty of opportunities for physical identity to be replicated.
“My password is in my head, and if I'm careful when I’m typing, I’ll stay the only one who knows it,” said Krissler, during a 2013 German-language interview discussing how the CCC had cracked the iPhone's fingerprint security.
But a critical component of Krissler's ruse (known as a spoof) had been thwarted by researchers years before – the materials used to make the fingerprint. Many popular fingerprint scanners have been slow to adopt a fix. And while manufacturers lag in picking up the last generation of attacks, attackers have beaten – and been defeated by – generations of cutting-edge anti-spoofing technology.
It's a cat and mouse game. And you are the mouse.
“People need to realize: biometrics is not secret,” says Clarkson University Prof. Stephanie Schuckers, director of the multiuniversity, federally funded biometrics project Center for Identity Technology Research. “Your fingerprints are not a secret. Your face is obviously not a secret.”
The success of biometrics, say Dr. Schuckers and a slew of other researchers in the field, depends on meeting an unending supply of new threats with better and better forms of “liveness detection,” determining whether or not the thing that looks like a fingerprint is connected to you.
“Liveness detection means taking advantage of fakes being fake,” she says.
Companies slow to learn from vulnerabilities
In 2002, cryptographer Tsutomu Matsumoto first demonstrated how anyone who could make a dessert could beat a fingerprint scanner. His team at Yokohama National University replicated fingerprints using gelatin.
Fingerprint scanners detect fingerprints the same way a cellphone knows a finger is touching the screen – the ability of human skin to hold a tiny electric charge. But gelatin, the basic substance of Jell-O and Gummy Bears, has similar properties. Mr. Matsumoto etched molds of fingerprints he lifted off of glass using the type of circuit board kit anyone could buy at Radio Shack and the “gummy fingerprint” was born.
Gummy fingerprints brought to the forefront the problem Krissler continues to exploit, creating a new focus on liveness detection research. Fingerprint scanners can now be designed to analyze pores, sweat, heartbeat, vein placement, and many other mechanisms of determining whether or not they're looking at gelatin or any other not-living print.
But much of that advanced research and science isn't found in the most widely used fingerprint scanners on the market. After Apple released its fingerprint scanning iPhone 5s in late 2013, the Chaos Computer Club beat the technology using the decade-old gummy fingerprint attack. The same attack still works on the iPhone 6.
“What’s frustrating on the part of insiders is the reluctance to publicly discuss the problems,” says Mark Cornet, chief operating officer of NexID Biometrics, a fingerprint-based identification company cofounded and helmed by Schuckers. “We don’t have 100 percent security, but we have huge advances that don’t get used unless we admit the need.”
Until that happens, biometrics' promoters, such as Apple, and its many detractors will appear to be having two different conversations.
Some security consultants refuse to recommend biometrics to clients. Dave Aitel, chief executive officer of Immunity Inc., wrote a piece for USA Today entitled “Why biometrics don't work” (the answer, he said, was that biometric passwords could never be reset if stolen). Nima Dezhkam, a consultant at Compass Security, is equally against a biometric-only world, worrying that “as a primary authentication method, weaknesses are more exposed.”
Meanwhile, Apple's website raves: "Your fingerprint is one of the best passcodes in the world."
This is not to harp on Apple, which declined to comment on this story. Gummy prints have fooled Samsung phones, too. In 2013, a Brazilian doctor was caught using silicone fingerprints to sign his friends in to work. In 2009, a $45 million fingerprint scanning system at the Tokyo airport used to prevent blacklisted passengers from reentry was defeated by a South Korean woman who put clear tape over her fingers. In 2005, a Malaysian car thief successfully circumvented a car's fingerprint-based security system by chopping off its owner's finger.
Nor is this to harp on fingerprint scanning. A team of scientists from Universidad Autonoma de Madrid and West Virginia University successfully reconstructed irises in 2012. Nguyen Minh Duc of the Hanoi University of Technology bypassed facial recognition programs on Lenovo, Asus, and Toshiba laptops using photographs in 2009. Researchers adapted to that new threat with techniques like requiring blinking, and this year Nesli Erdogmus and Sebastien Marcel of the Idiap Research Institute bypassed those methods with 3D-printed masks.
This is to harp on the promise of invulnerability when there is money at stake.
“We know large banks are currently being attacked [by hackers] 20,000 times a day,” says Mr. Dezhkam. “If there is money in attacking biometrics, people will attack biometrics."
To catch a spoof
“Gelatin is great – its only drawback is shelf life,” says NexID COO Cornet. “But when I really want to scare potential clients, I’ll take out an iPhone and spoof a fingerprint using latex paint.”
Wood glue will also work – Krissler of the Chaos Computer Club is a fan. Or Silly Putty. Or certain waxes.
None of these attacks will work on the liveness detection software NexID develops to work with other companies' scanners. NexID uses machine learning to detect the difference between fake prints and real ones. But being able to thwart a wide array of threats only happens through continuously training their program each time a new vulnerability arises.
It takes six to eight weeks for the company to adapt to new threats, most of which is impossible to speed up. The brunt of the work comes from wrangling test subjects to donate fingerprints and manufacturing the false ones the computer will be trained to differentiate the authentic prints from. It takes 1,000 sets of fingerprints – half that will work, half to simulate attackers trying to break the system – for their program to learn the difference.
The most recent advances in fingerprint spoofing, says Cornet, the NexID chief operating officer, have come in improvements to the molds that set fake fingerprints. Today, inexpensive 3D scanning technology can create detailed molds quickly and accurately.
“In fact, we can imagine 3D printed digits infused with liquid to mimic the composition of human skin,” he says.
But even though NexID can adapt more quickly to spoofs, getting those solutions to consumer devices can take longer. Manufacturers have taken more than a decade to adapt to gummy prints.
“A hardware solution for gummy fingerprints, when you’re talking about a smartphone, might require different components, a thicker case and more cost,” says Dr. Ross of Michigan State.
Occasionally, says Cornet, the delay is an advanced case of manufacturers ignoring problems until something big, such as the Chaos Computer Club, forces them to deal with the consequences.
They are starting to take notice, he says. "The sensor manufacturers that wouldn’t take our phone calls two years ago are calling us now."
Are you even worth spoofing?
Passwords are strong when they are difficult to guess. By that standard, biometrics are amazing – no one can guess your password. That doesn't mean they don't know where to find it.
“When people use passwords, attackers try to steal passwords to get access,” says Dezhkam. “When they use biometrics, the focus turns to you.”
Hacking a person takes a lot more effort than cutting and pasting a password from a compromised database. Successful attacks require some amount of direct contact (even if it's just through Krissler's photo lens tailing you). Are you even worth spoofing?
For high value targets, biometrics alone may never be enough. They'll need many layers of security. And the same may be true for people who worry about the ever-changing landscape of threats. For others, especially the third of cellphone users who don't employ any kind of security, Apple's fingerprint technology may strike the right balance of security and convenience.
“The notion of security isn't scientifically precise,” says Arun Ross, a current Michigan State professor and member of the West Virginia team that first demonstrated how to reverse engineer a fake iris. "We could have a method that was entirely secure, and people would still prefer what was most convenient."