1. Biometrics Vulnerabilities & Exploits
2. INTRODUCTION
- Old World methods of trust and authentication
- Personal introductions, documents
- Key role player is the authenticator
- Anonymous, large scale, short term relationships
- Key requirement is building up of trust
- No defence mechanisms of older methods present in newer systems
3. Authentication by Technology
- Requires the exchange of certain FACTORS
- Requires an authority who can verify these factors
- Requires an authority who can provide permission to build a
relationship and transact
4. ...Authentication by Technology
- Factors are classified into 3 types
- Ownership factor like cards, badges or keys
- Knowledge factor like user id, password and pins
- Inheritance factor like weight, height, face shape, color of
eyes/hair, birth marks etc. all nicely encoded in a photo
5. Properties of different Factors
6. The Inheritance Factor - Biometrics
- The subject of discussion for today is the Inheritance Factor: Biometrics
- Implementation difficulties
- The authentication process and its vulnerabilities, in brief
- Since the UIDAI has chosen the use of fingerprints and iris as a means of authentication, we will be discussing only these factors
7. Finger Print Scanners
- Many variations on these basic techniques
- Variations are primarily to reduce cost, size and probably to
overcome existing patents
- Some claims exist about the ability to sense below the dead
skin surface. However, for our vulnerability assessments, these claims
are trivially overcome
- Sensor technologies are not relevant to the scope of
vulnerabilities and exploits
8. Fingerprint Readers
9. Iris Scanners
- Iris scanners use near-infrared light
- Camera coupled with some autofocusing techniques (commonly used
in autofocus cameras)
10. Iris scan - Base Technique
11. The Process
- All id systems involve an enrollment process and an
authentication process, followed by an authorization process, to
enter / exit / receive / deposit etc.
12. The Enrollment Process
- Save raw data in the case of criminal records
- De-duplication and storage
13. The Authentication process
- UIDAI has not specified iris for authentication*
14. Threats faced by biometric systems
- Only the simple impostor, without much sophistication or resources.
We shall leave out cross-border attack vectors, as pilfering state
subsidies may not be their highest priority
- Fake credentials and replay attacks
- Extraction of digital keys, use of internal facilities of
sensors
15. Desired Characteristics And Limitations
- Easy and accurate Digitization of the presented bio
characteristic
16. ... Limitations in enrollment / auth
- Easy and accurate digitization is neither easy nor accurate
- Too many wrong methods, resulting in an unreproducible
template
- Guided enrollment useless for auth
- Very difficult for occasional users
- Manual overrides = more holes
17. ... Limitations in enrollment / auth
- Ageing changes fingerprints (1)
- Skin ailments make auth difficult if not impossible
- No large scale studies on heterogeneous populations
- Will require frequent re-enrollment aka more holes
- No (available?) studies on iris variations due to ageing
- Errors due to unknown causes (2)
18. ... Limitations in enrollment / auth
- Environment invariance a myth
- Waterlogged hands change the machine readability of fingerprints
- Dry skin changes the machine readability of fingerprints
- Will require frequent re-enrollment aka more holes
- No (available?) studies on iris variations due to harsh
environments
19. ... Limitations in enrollment / auth
- Fingerprints are spoofed by the gummy finger technique
- Irises are spoofed by photographs
- Irises are spoofed by patterned contacts
20. Spoofing made easy - Fingerprints
- Fools all systems with greater than 60% repeatability
- Newer materials and techniques even more effective
21. Spoofing made easy - Iris
- Buy from the net to create fake ids for sale
- PCB etching techniques for masquerading
- Older technique using high res photograph with pupil holes
22. Attack Vectors requiring skill
- Biometric id systems store data as templates, usually a few
kilobytes in size. It has been shown that a biometric fingerprint
system can be compromised by recreating the biometric using the
stored template
- Template extraction and storage a feature of systems
23. ... Attack Vectors requiring skill
- Trivial to break into the device and extract keys
- Addition and deletion of keys a feature
- Even in locked down devices, the key can be recovered by simply
copying the onboard flash to a PC and reusing the backup in a device
purchased from the market
24. ... Attack Vectors requiring skill
- Replay attack at sensor pins
- The sensor interfaces are relatively simple
- Produce raw data (Fig 4). It is possible to record all data,
and then replay that data
- This attack requires some technical skill
- However once developed it can be mass produced and will be
undetectable
25. Biometrics WORST CHARACTERISTIC
- This violates the basic requirement of any id system
26. Inherent problems with Biometric Systems
- FAR - False Acceptance Rate indicates the number of wrong
matches of a presented biometric mistakenly identifying one person
as another
- FRR - False Rejection Rate (also called False Non Match
Rate) indicates the number of wrong rejects of a presented
biometric.
- Best FAR of .00060 for fingerprints
- Best FAR of .000120 for Iris
- Best FRR of .0060 for fingerprints
- Best FRR of .0012 for Iris
27. ... Inherent problems with Biometric Systems
- FAR and FRR closely linked to template size
- Reducing FAR increases FRR
- Reducing FRR increases FAR
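The FAR/FRR coupling above, as an added worked example that is not part of the original slides. It assumes a matcher that outputs a similarity score and accepts at or above a decision threshold (a common model, not something the slides specify), and it uses constructed synthetic scores; all function names are hypothetical.

```python
import random

def _clamp(x):
    return min(1.0, max(0.0, x))

# Constructed sample data: synthetic match scores in [0, 1], not measurements
# from any real fingerprint or iris matcher.
def make_scores(seed=7, n=5000):
    rng = random.Random(seed)
    genuine = [_clamp(rng.gauss(0.75, 0.10)) for _ in range(n)]   # same person
    impostor = [_clamp(rng.gauss(0.35, 0.10)) for _ in range(n)]  # different person
    return genuine, impostor

def far_frr(genuine, impostor, threshold):
    """Matcher accepts when score >= threshold (assumed decision rule)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

THRESHOLDS = [i / 100 for i in range(0, 102)]  # 0.00 .. 1.01

def sweep(genuine, impostor, thresholds=THRESHOLDS):
    """Return (threshold, FAR, FRR) rows for every candidate threshold."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]

def equal_error_point(rows):
    """Row where FAR and FRR are closest: the usual single-number summary."""
    return min(rows, key=lambda r: abs(r[1] - r[2]))

def lowest_threshold_for_far(rows, max_far):
    """Most lenient threshold meeting a FAR budget, and the FRR paid for it."""
    return next(r for r in rows if r[1] <= max_far)

if __name__ == "__main__":
    rows = sweep(*make_scores())
    for t, far, frr in rows[30:81:10]:
        print(f"threshold={t:.2f}  FAR={far:.4f}  FRR={frr:.4f}")
    print("equal error point:", equal_error_point(rows))
    # 0.0006 is the best fingerprint FAR quoted on the previous slide.
    print("FAR <= 0.0006 costs:", lowest_threshold_for_far(rows, 0.0006))
```

Tightening the threshold until the synthetic matcher meets the quoted FAR pushes its FRR well above the equal error point, which is the trade-off the slide states.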
28. ... Inherent problems with Biometric Systems
- Requires very good telecommunications infrastructure
- Both of very poor quality in many areas
- Even in Maharashtra in the Konkan region, such infrastructure is
poor due to natural causes
- Heavy rains and lightning
29. Summary
- Biometrics as a unique id in an automated system has never been
tested on a large scale
- The inherent characteristic of biometrics is its
irrevocability. This is in direct contradiction of any id /
security system, where keys must be revocable and reissuable
- Fingerprints are easily spoofable
- Iris patterns are easily spoofable
- Biometrics are very susceptible to the natural biological
processes of growth, ageing and environment
- Numerous technical vulnerabilities are available for
exploitation at the sensor-system interface