We’ve seen some ways to bypass biometric security measures but here’s a new offering that we think will be hard to fool. The Safelock system is used in conjunction with a password to identify a specific user. This software records your typing style including the time between keystrokes, the time keys are held, and key pressure data. This information is then normalized and compared to the information stored about the user when the password was originally set. If you don’t fall within specifications that match the stored data, you won’t get in even with the right password.

The icing on the cake is that Safelock will look for malicious users. If you enter the wrong password, it will begin to record and analyze your typing style. If you make enough incorrect attempts you will be labeled as a security threat and locked out of the system altogether. We can only think of one reliable way to circumvent this and that’s using a man-in-the-middle method of recording the keyboard inputs of the legitimate user for playback later.

This is an innovative user identification system and we’re not the only ones that think so. [Jeff Allen] and [John Howard], students at SMU won first prize for the Student Innovation Contest at the 2009 User Interface Software and Technology Symposium.

One of the more novel talks we saw at Defcon was [Zac Franken] presenting on access control systems. He covered several different types, but the real fun was his live demo of bypassing a hand geometry scanners like the one pictured above. With the help of two assistants, 4 pounds of chromatic dental alginate, and 5 liters of water, he made a mold of his hand. The box he placed his hand in had markings to show where the pegs on the scanner are located. After 2 minutes he could remove his hand from the cavity. They then filled the mold with vinylpolysiloxane, making sure to remove all bubbles. 20 minutes later the hand was solid and passed the scanner’s test. This may not be a completely practical attack, but it does defeat the overall idea of biometrics; biometrics are built on the assumption that every person is unique and can’t have their features reproduced.

[Zac] also showed an interesting magnetic card spoofer that emulated all three tracks using coils of magnet wire. We hope to see more about that in the future.

[photo: morgan.davis]