Defcon 16: Biometric Cloning

One of the more novel talks we saw at Defcon was [Zac Franken] presenting on access control systems. He covered several different types, but the real fun was his live demo of bypassing a hand geometry scanner like the one pictured above. With the help of two assistants, 4 pounds of chromatic dental alginate, and 5 liters of water, he made a mold of his hand. The box he placed his hand in had markings to show where the pegs on the scanner are located. After 2 minutes he could remove his hand from the cavity. They then filled the mold with vinylpolysiloxane, making sure to remove all bubbles. 20 minutes later the hand was solid and passed the scanner’s test. This may not be a completely practical attack, but it does defeat the overall idea of biometrics; biometrics are built on the assumption that every person is unique and can’t have their features reproduced.

[Zac] also showed an interesting magnetic card spoofer that emulated all three tracks using coils of magnet wire. We hope to see more about that in the future.

[photo: morgan.davis]

7 thoughts on “Defcon 16: Biometric Cloning”

  1. In the Mythbusters episode rivetgeek is referring to, they broke an extremely cheap type of fingerprint reader which is no longer in use (and was never actually in professional use) because it was well known that it was vulnerable to that type of attack. And the feasibility of the hack being used in the field is not part of the question for this presentation:

    “it does defeat the overall idea of biometrics; biometrics are built on the assumption that every person is unique and can’t have their features reproduced”

  2. Biometrics: the ultimate single signon.

    Why would you want a password that you can’t change, isn’t private, and is a login for everywhere that uses biometric authentication?

    You think we have “identity theft” problems now? Spread biometric authentication wide and far. At least when someone steals my keycode it can be changed and I can have a different keycode for every place I go. And at least I don’t share my keycode with every person who might bother to follow me in the park to pick up a piece of my trash.

  3. I always remember something someone said (it might have been Steve Gibson) about *proper security*…

    To be really secure you need multiple vectors: who you are, what you are, what you know and where you are.

    Basically, the point I'm making is all these biometric devices offer more than is realistically possible – a single fingerprint scanner only takes one vector of the equation, which is easily spoofed (as we know) same for the hand, which although I am assuming is a more complicated issue.

    For my 2c I don't think biometrics should exist at all unless they take in as many possible variables to make it impossible – I guess what I'm saying is a body scanner, with a pin code you have to manually enter. Anything else seems to be vulnerable….

    At the very least ANY biometric system that assumes you're the person you're claiming to be without the knowledge vector (ie: a password or pin you know) is a failure in my books…

  4. Biometrics are a terrible authentication mechanism, but they work great as an identification mechanism. Basically, a properly designed system asks the following:

    “Who are you?”
    “Can you prove it?”
    Then to itself, “Okay, what is this guy allowed to do”.

    The talk was great, by the way, as Franken’s talks are every time.

  5. We are talking here, about spoofing a biometric sensor, the better the sensor and algorithms, and the richer the biometric input (Iris, Finger, Facial) the better the identification. Multi-modal is the main defense against spoofing, besides quality of system.

    The above poster was right about Biometrics as an identification method… the ideal way to use biometrics is not in a centralized system, where biometric matching templates are stored in a backend database.

    These centralized “FBI model” systems have complete failure risk on the back end, and have everyone’s immutable data (biometric) centralized.. and thus enable identity use… This is the model for unfriendlies identification (like Iraq). This is what the DOD Biometrics Task force is focused on.

    Much better is to have biometrics used on local devices (phone, USB, etc), with matching and storage existing only on a single secured chip. This is the Friendlies model. Decentralized credentials.

    For backend: use a Biometric Token to represent the match on device, and send this to the backend (and it should change each time)… no Biometrics ever leave the secure chip. This system stores no personal information on the back-end… only the token management system.

    So the Friendlies model is the direction we need to go. I think that Pay by Touch, learned the hard way that users do not want to give up their fingerprints…..

    So let's protect personal privacy by promoting the decentralized model, that uses the strength of Biometric, without the risk exposure of the current implementations. Let's leave biometrics only in the possession of the owner….
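
Added example, not part of the original post or any commenter's code: a sketch of the decentralized model described in comment 5, where matching happens on the device and the backend only ever sees a token that changes on every login. The HMAC challenge-response design, all class and function names, and the exact-match comparison are assumptions for illustration; the template bytes are constructed.

```python
import hashlib
import hmac
import secrets


class SecureChip:
    """Hypothetical on-device element; template and key never leave it."""

    def __init__(self, template: bytes, device_key: bytes):
        self._template = template
        self._key = device_key

    def token_for(self, sample: bytes, challenge: bytes):
        # Toy matcher (exact compare); real matchers score similarity.
        if not hmac.compare_digest(sample, self._template):
            return None
        # The token covers only the backend's nonce, never biometric data.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Backend:
    """Holds per-device keys and outstanding nonces, no biometrics."""

    def __init__(self):
        self._keys = {}
        self._pending = {}

    def register(self, device_id: str, device_key: bytes) -> None:
        self._keys[device_id] = device_key

    def new_challenge(self, device_id: str) -> bytes:
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def verify(self, device_id: str, token: bytes) -> bool:
        # pop() makes each nonce single-use, so a captured token is useless.
        nonce = self._pending.pop(device_id, None)
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, token)


def make_pair(device_id: str = "phone-1"):
    # Constructed template; key provisioned at enrolment (assumption).
    key = secrets.token_bytes(32)
    backend = Backend()
    backend.register(device_id, key)
    return SecureChip(b"constructed-template", key), backend
```

With a shared HMAC key the backend still holds a secret per device; an asymmetric key pair generated on the chip would leave only a public key on the server.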

