[IP] Hacking Fingerprint Readers

To: Ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] Hacking Fingerprint Readers
From: David Farber <dave@xxxxxxxxxx>
Date: Mon, 07 Feb 2005 16:11:15 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx
User-agent: Microsoft-Entourage/11.1.0.040913

Title: Subject: Hacking Fingerprint Readers

------ Forwarded Message
From: Muheed Jeeran <muhidanj@xxxxxxxxx>
Reply-To: The Biometric Consortium's Discussion List <BIOMETRICS@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 7 Feb 2005 12:52:13 -0800
To: <BIOMETRICS@xxxxxxxxxxxxxxxxxxxx>
Subject: Subject: Hacking Fingerprint Readers

Hello all
I have report of fake the fingerprint reader. Is this technique is fooling the most of the fingerprint readers currently? Or are they any improvement to block this impostor attempt?

I think it is better to talk about this matter, cause the biometrics becoming a major security barrier to most of the governments currently, especially on national security. If we cannot cope to block this kind of attempt, I think our biometric industry will have to face a major blow; Cause public is still not much interest to keep their feet on our security measure. Our responsibility is to keep this Industry stable by developing this technology by looking at the criminals move on break this security barrier.

Muheed Jeeran
Bsc Hons Computing

Subject: Hacking Fingerprint Readers

Last year in the June issue of CRYPTO-GRAM you made a reference to our article "Don't get your fingers burned". In the article we describe two methods to duplicate fingerprints. One method assumes co-operation (somebody "lends" his finger to make a duplicate), while in the other method a lifted latent fingerprint is duplicated by means of a photo/chemical process. With these dummy fingerprints we have been able to fool all fingerprint sensors we have tested in our lab and on exhibitions (about 20 different brands). I started with these
experiments in the early nineties, so more than 10 years ago.

Last week we were invited by the BBC to come to London for in interview about duplicating fingerprints. The reason was that the British Administration intends to add biometrics to the new British identity card, one of the options is fingerprint biometrics. The programme,
"Kenyon Confronts" has aired on Wednesday October 29th and is (for a short period of time) available for on-line viewing at the BBC site.

Since my first experiments were dated ten years back, I decided to redo my experiments. I knew it would be easier to duplicate fingerprints with all the materials and equipment available today, but the results even amazed me. To give you an idea, ten years ago to make a duplicate of a fingerprint with co-operation took me 2 to 3 hours and for an optimum result I used materials used by dental technicians. Nowadays I use materials you can buy in a do-it-yourself shop and the total material costs are about $10 (enough for about 20 dummy fingers).

The time it takes to make a perfect duplicate is about 15 minutes (with special material it can be reduced to less than 10 minutes). To make a duplicate of a lifted fingerprint took me several days in 1992 and I had to do a lot of experiments to find the right process/technique. Now it takes me half an hour and the material costs are $20 (also sufficient for about 20 duplicates), the only equipment you need is a digital camera and an UV lamp. Not only do I now make the duplicates in a fraction of the time, but also the quality is better.

The reason for writing you all this is the following. Although, most of the fingerprint manufacturers still ignore that there is a problem or claim to have solved it, some are willing to admit, but use the argument that it is very difficult and expensive to duplicate fingerprints and that it can only be done by highly skilled professionals. In the first place I think this is not a very strong argument, second I admit I am a professional, but now the average do-it-yourself is able to achieve perfect results and requires only limited means and skills.

So it is our opinion, that as long as the manufacturers of fingerprint equipment do not solve the live detection problem (i.e. detect the difference between a live finger and a dummy), biometric fingerprint sensors should not be used in combination with identity cards, or in
medium to high security applications. In fact, we even believe that identity cards with fingerprint biometrics are in fact weaker than cards without it. The following two examples may illustrate this statement.

1. Suppose, because of the fingerprint check, there is no longer visual identification by an official or a controller. When the fingerprint matches with the template in the card then access is granted if it is a valid card (not on the blacklist). In that case someone who's own card is on the blacklist, can buy a valid identity card with matching dummy fingerprint (only 15 minutes work) and still get access without anyone noticing this.

2. Another example: Suppose there still is visual identification and only in case of doubt--the look-alike problem with identity cardsthe fingerprint will be checked. When the photo on the identity card and the person do not really match and the official asks for fingerprint verification, most likely the positive result of the fingerprint scan will prevail. That is, the "OK" from the technical fingerprint system will remove any (legitimate) doubt.

It is our opinion that especially the combination of identity cards and biometric fingerprint sensors results in risks of which not many people are aware.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

-------------------------------------------------------------------
The preceding was forwarded by the Biometric Consortium's Electronic
Discussion Group. Any opinions expressed here do not necessarily
reflect those of the Biometric Consortium. Further distribution
is prohibited.

LISTSERV members may access the BIOMETRICS mailing list archives or change
their subscription settings (including removing your name from the list)
at: http://peach.ease.lsoft.com/archives/biometrics.html.

Also, you may revove your name from the list by sending the command
"SIGNOFF BIOMETRICS" to <LISTSERV@xxxxxxxxxxxxxxxxxxxx>. Please do not
send the "SIGNOFF BIOMETRICS" command to the BIOMETRICS list.

You may update your membership information (new e-mail address etc.) by
sending a message to <bailey@xxxxxxxxxxxxxx> providing the updated
information. Please do not send membership information change requests
to the BIOMETRICS list.

Problems and questions regarding this list should be sent to
BIOMETRICS-request@xxxxxxxxxxxxxxxxxxxxx
-------------------------------------------------------------------

------ End of Forwarded Message

You are subscribed as roessler@xxxxxxxxxxxxxxxxxx To manage your subscription, go to http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Bad software, bureaucratic feuds plague BART
Next by Date: [IP] EFF Announces New Privacy Tool
Previous by thread: [IP] Bad software, bureaucratic feuds plague BART
Next by thread: [IP] EFF Announces New Privacy Tool
Index(es):
- Date
- Thread