Biometrics–the technique of using something unique about your body as a security device–promises to improve safety while being more convenient than a password. Fingerprints, retinal scans, and voice identification have all found some use, although not without limitations.
Now researchers in Germany want you to use your head, literally. SkullConduct measures vibrations of your skull in response to a sonic signal. A small prototype was successful and is particularly well suited for something you are holding up to your head anyway, like a smartphone or a headset like a Google Glass.
There are some limitations, though. For one thing, background noise can be a factor. It stands to reason, also, that more testing is necessary.
This looks straightforward enough that you could try your own version of it. After all, scanning veins in your hand has been hacked. We’ve even seen a biometric safe.
[Christian Holz, Senaka Buthpitiya, and Marius Knaust] are researchers at Yahoo that have created a biometric solution for those unlucky folks that always forget their smartphone PIN codes. Bodyprint is an authentication system that allows a variety of body parts to act as the password. These range from ears to fists.
Bodyprint uses the phone’s touchscreen as an image scanner. In order to do so, the researchers rooted an LG Nexus 5 and modified the touchscreen module. When a user sets up Bodyprint, they hold the desired body part to the touchscreen. A series of images are taken, sorted into various intensity categories. These files are stored in a database that identifies them by body type and associates the user authentication with them. When the user wants to access their phone, they simply hold that body part on the touchscreen, and Bodyprint will do the rest. There is an interesting security option: the two person authentication process. In the example shown in the video below, two users can restrict file access on a phone. Both users must be present to unlock the files on the phone.
How does Bodyprint compare to capacitive fingerprint scanners? These scanners are available on the more expensive phone models, as they require a higher touchscreen resolution and quality sensor. Bodyprint makes do with a much lower resolution of approximately 6dpi while increasing the false rejection rate to help compensate. In a 12 participant study using the ears to authenticate, accuracy was over 99% with a false rejection rate of 1 out of 13.
Continue reading “Your Body is Your PIN with Bodyprint”
[Greg] sent in his biometric pistol safe lock. He keeps his guide light on details so not every Joe can crack the system (there is a thread to sift through if you really wanted to), but the idea runs fairly simple anyway. [Greg] took an old garage door opening fingerprint scanner and wired it into a half broken keypad based pistol safe. While he did have some issues finding a signal that only fired when the correct fingerprint is scanned, a little magic with a CMOS HEX inverter fixed that problem quick.
This does bring one question to our minds, are fingerprint scanners as easy to crack as fingerprint readers?
[Mike] is building his own Pulse Oximeter which uses light to measure the oxygen saturation in blood. One collateral benefit of this measurement is that pulse rate can be calculated from the same data. The parts used for the detector include a red LED, infrared LED, and a TSL230R light intensity measuring chip. As explained in the video above, each LED is shined through the tip of your finger and onto the light sensor. The IR LED is used as a baseline and compared to the red LED, which has some of its intensity absorbed by the red blood in your finger. This is a pretty approachable biometric concept so you may want to start here before moving on to more involved biometric interfaces.
The Narcisystem is part of an art display where [Eric] strapped himself to as many biometric sensors as he could. The core of the system was a Funnel IO which includes an Arduino, Xbee plug, and LiPo charging circuit. It was collecting data from a heart rate monitor, an EEG, a breathalyzer, compass, and an accelerometer. This data was sent to a laptop and then sent to different displays. You can see the setup functioning in a video after the break. The red flashes are his heart beat, the blue light is the direction he’s facing. What you can’t see is the high power bass thud every time he takes a step. The EEG data was supposed to effect the tempo of the music, but it failed and was dropped, as was the fog machine based on his blood alcohol level. He notes that he wanted to do more, but was lacking the hardware.
Continue reading “The Narcisystem”
In the same vein as our recent Defcon article on biometric cloning, White Wolf Security has released this article about turning a biometric door lock into a trojan. They note that there are many common ways to break into one, from harvesting fingerprints to using gummy bears to fake a finger. This hack involves having full access to the unit so you can disassemble it.
The unit has a system built-in where you can touch a 9-volt battery to some connectors on the bottom to power it in case of a building power failure. The researchers simply routed some wires from the motorized lock to the plates used for the 9-volt and then reassembled the lock. The door can then be opened at any time without verification, even if the software on the unit is reset.
One of the more novel talks we saw at Defcon was [Zac Franken] presenting on access control systems. He covered several different types, but the real fun was his live demo of bypassing a hand geometry scanners like the one pictured above. With the help of two assistants, 4 pounds of chromatic dental alginate, and 5 liters of water, he made a mold of his hand. The box he placed his hand in had markings to show where the pegs on the scanner are located. After 2 minutes he could remove his hand from the cavity. They then filled the mold with vinylpolysiloxane, making sure to remove all bubbles. 20 minutes later the hand was solid and passed the scanner’s test. This may not be a completely practical attack, but it does defeat the overall idea of biometrics; biometrics are built on the assumption that every person is unique and can’t have their features reproduced.
[Zac] also showed an interesting magnetic card spoofer that emulated all three tracks using coils of magnet wire. We hope to see more about that in the future.