We wouldn’t mind tearing down a fingerprint scanner, but we hate to bust up our expensive laptop or cell phone. [Julian], however, got a hold of a fingerprint scanning padlock and was willing to tear it apart for our benefit. The video appears below.
The padlock is a simple enough little device with a cable lock instead of a solid metal shackle, although we have seen similar devices with traditional shackles. Initially, the lock’s fingerprint storage is empty and it will open for any fingerprint. The first task is to set an administrator fingerprint. You’ll need that fingerprint to set up other fingerprints or to reset the unit. Of course, what we are really interested in is what’s inside.
In 2008, the then German interior minister, [Wolfgang Schäuble], had his fingerprint reproduced by members of the German Chaos Computer Club, or CCC, and published on a piece of plastic film distributed with their magazine. [Schäuble] was a keen proponent of mass gathering of biometric information by the state, and his widely circulated fingerprint, lifted from a water glass, served as an effective demonstration against the supposed infallibility of biometric information.
It was reported at the time that the plastic [Schäuble] fingerprint could fool the commercial scanners of the day, including those used by the German passport agency, and the episode caused significant embarrassment to the politician. The idea of “spoofing” a fingerprint would completely undermine the plans for biometric data collection that were a significant policy feature for several European governments of the day.
It is interesting then to read a paper from Michigan State University, “RaspiReader: An Open Source Fingerprint Reader Facilitating Spoof Detection” (PDF downloadable from the linked page) by [Joshua J. Engelsma], [Kai Cao], and [Anil K. Jain]. It investigates the mechanism of an optical fingerprint reader and presents a design using the ever-popular Raspberry Pi that attempts to detect and defeat attempts at spoofing. For the uninitiated it serves as a fascinating primer on FTIR (Frustrated Total Internal Reflection) photography of fingerprints, and describes their technique of combining it with a conventional image to detect spoofing. Best of all, the whole thing is open-source, meaning that you too can try building one yourself.
We have a love-hate relationship with biometric ID. After all, it looks so cool when the hero in a sci-fi movie enters the restricted-access area after having his hand and iris scanned. But that’s about the best you can say about biometric security. It’s conceptually flawed in a bunch of ways, and nearly every implementation we’ve seen gets broken sooner or later.
Case in point: prolific anti-biometry hacker [starbug] and a group of friends at the Berlin CCC are able to authenticate to the “Samsung Pay” payment system through the iris scanner. The video, embedded below, shows you how: take a picture of the target’s eye, print it out, and hold it up to the phone. That was hard!
Sarcasm aside, the iris sensor uses IR to recognize patterns in your eye, so [starbug] and Co. had to use a camera with night vision mode. A contact lens placed over the photo completes the illusion — we’re guessing it gets the reflections from room lighting right. No etching fingerprint patterns into copper, no conductive gel — just a printout and a contact lens.
Like most (if not all) Hackaday readers, I like to know how the technology I use works. I’m always amazed, for example, how many otherwise smart people have no idea how the cellphone network works other than “it’s a radio.” So now that I have two phones with fingerprint scanners on them, I decided I needed to know more about what’s going on in there.
Sure, I assumed the sensor was capacitive (but maybe not, I found out). Plus we all know some super glue, scotch tape, and gummy bears are all you need to fake one out. However, that’s been known for about 15 years and we are still seeing phones and other devices rolling out with the same scanners. So for now, put aside the debate about whether we should be using fingerprint scanners. Let’s talk about how those sensors work.
Maybe you suspected this already, but researchers at MSU Computer Science just published a paper explaining just how easy it is to spoof a fingerprint scanner with an ink-jet printed scan of a finger.
We’re not talking about casting a new finger using superglue or anything, but rather using conductive ink you can literally print — on paper. A paper-printed-fingerprint that will unlock your smartphone. We’ve already told you fingerprints suck for security, but hopefully this drives the point home.
[Kai Cao] and [Anil K Jain] released this paper (Direct PDF link) outlining their technique. Using an existing scan of a fingerprint (which can be taken from your phone’s scanner), the image is mirrored, and then printed using a regular ink-jet printer, with all of its color cartridges replaced with AgIC4 silver conductive ink.
For the last few iPhone generations, the TouchID fingerprint sensor has been integrated into the home button of every iPhone. This fingerprint sensor provides an additional layer of security for the iPhone, and like everything on smartphones, there is a thriving market of companies who will fix broken phones. If you walk into an Apple store, replacing the TouchID sensor will cost about $300. This part is available on Amazon for about $10, and anyone with a pentalobe screwdriver, spudger, and fine motor control can easily replace it. Doing so, however, will eventually brick the phone, as software updates render the device inoperable if the TouchID sensor is not authorized by Apple.
According to an Apple spokeswoman, the reason for error 53 is that the fingerprint data is uniquely paired to the TouchID sensor found in the home button. If the TouchID sensor was substituted with a malicious TouchID sensor, complete and total access to the phone would be easy, providing a forehead-slapping security hole. Error 53 is just Apple’s way of detecting devices that were tampered with.
This is a rare case where Apple are damned if they do, damned if they don’t. By not disabling the phone when the TouchID sensor is replaced, all iPhones are open to a gaping security hole that would send the Internet into a tizzy. By bricking each and every iPhone with a replacement TouchID sensor, Apple gets a customer support nightmare. That said, the $300 replacement cost for the TouchID sensor will get you a very nice Android phone that doesn’t have this problem.
One of the big problems in detecting malware is that there are so many different forms of the same malicious code. This problem of polymorphism is what led Rick Wesson to develop icewater, a clustering technique that identifies malware.
Presented at Shmoocon 2016, the icewater project is a new way to process and filter the vast number of samples one finds on the Internet. Processing 300,000 new samples a day to determine if they have polymorphic malware in them is a daunting task. The approach used here is to create a fingerprint from each binary sample by using a space-filling curve. Polymorphism will change a lot of the bits in each sample, but as with human fingerprints, patterns are still present in these binary fingerprints that indicate the sample is a variation on a previously known object.
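The space-filling-curve idea can be sketched as follows. This is an added example, not code from icewater or the talk; the Hilbert curve, the 16x16 grid, the mean-byte cells, the L1 distance and all function names are assumptions chosen for illustration.

```python
# Added example: locality-preserving fingerprint of a binary sample.
# Assumed design (not icewater's): Hilbert curve, 16x16 grid, mean byte per cell.
ORDER = 4                  # grid is 2**ORDER cells per side
SIDE = 1 << ORDER
CELLS = SIDE * SIDE

def d2xy(d, side=SIDE):
    """Map position d along the Hilbert curve to (x, y) on a side x side grid."""
    x = y = 0
    s, t = 1, d
    while s < side:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # rotate/reflect the sub-square built so far
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y

def fingerprint(data):
    """Average consecutive byte runs into CELLS buckets placed along the curve."""
    if not data:
        raise ValueError("empty sample")
    grid = [[0] * SIDE for _ in range(SIDE)]
    for d in range(CELLS):
        lo = d * len(data) // CELLS
        hi = max(lo + 1, (d + 1) * len(data) // CELLS)
        x, y = d2xy(d)
        grid[y][x] = sum(data[lo:hi]) // (hi - lo)
    return grid

def distance(a, b):
    """Normalised L1 distance between fingerprints: 0.0 means identical."""
    total = sum(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))
    return total / (CELLS * 255)

# Constructed samples (synthetic bytes, not real binaries).
BASE = bytes((i * 7) % 101 for i in range(4096))
VARIANT = BASE[:1024] + bytes(b ^ 0xFF for b in BASE[1024:1280]) + BASE[1280:]
UNRELATED = bytes(200 + (i * 13) % 50 for i in range(4096))

if __name__ == "__main__":
    base = fingerprint(BASE)
    print("variant  :", distance(base, fingerprint(VARIANT)))
    print("unrelated:", distance(base, fingerprint(UNRELATED)))
```

Because the curve keeps neighbouring bytes in neighbouring cells, the rewritten region of the variant disturbs one compact 4x4 patch of the grid and the rest of the fingerprint still matches the base sample.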