[IP] Hacking Fingerprint Readers

David Farber dave at farber.net
Mon Feb 7 13:11:15 PST 2005 

------ Forwarded Message
From: Muheed Jeeran <muhidanj at YAHOO.COM>
Reply-To: The Biometric Consortium's Discussion List
<BIOMETRICS at PEACH.EASE.LSOFT.COM>
Date: Mon, 7 Feb 2005 12:52:13 -0800
To: <BIOMETRICS at PEACH.EASE.LSOFT.COM>
Subject: Subject: Hacking Fingerprint Readers

Hello all
I have report of fake the fingerprint reader. Is this technique is fooling
the most of the fingerprint readers currently? Or are they any improvement
to block this impostor attempt?

I think it is better to talk about this matter, cause the biometrics
becoming a major security barrier to most of the governments currently,
especially on national security. If we cannot cope to block this kind of
attempt, I think our biometric industry will have to face a major blow;
Cause public is still not much interest to keep their feet on our security
measure. Our responsibility is to keep this Industry stable by developing
this technology by looking at the criminals move on break this security
barrier.

Muheed Jeeran
Bsc Hons Computing



Subject: Hacking Fingerprint Readers

Last year in the June issue of CRYPTO-GRAM you made a reference to our
article "Don't get your fingers burned".  In the article we describe two
methods to duplicate fingerprints.  One method assumes co-operation
(somebody "lends" his finger to make a duplicate), while in the other method
a lifted latent fingerprint is duplicated by means of a photo/chemical
process.  With these dummy fingerprints we have been able to fool all
fingerprint sensors we have tested in our lab and on exhibitions (about 20
different brands).  I started with these
experiments in the early nineties, so more than 10 years ago.

Last week we were invited by the BBC to come to London for in interview
about duplicating fingerprints.  The reason was that the British
Administration intends to add biometrics to the new British identity card,
one of the options is fingerprint biometrics.  The programme,
"Kenyon Confronts" has aired on Wednesday October 29th and is (for a short
period of time) available for on-line viewing at the BBC site.

Since my first experiments were dated ten years back, I decided to redo my
experiments.  I knew it would be easier to duplicate fingerprints with all
the materials and equipment available today, but the results even amazed me.
To give you an idea, ten years ago to make a duplicate of a fingerprint with
co-operation took me 2 to 3 hours and for an optimum result I used materials
used by dental technicians.  Nowadays I use materials you can buy in a
do-it-yourself shop and the total material costs are about $10 (enough for
about 20 dummy fingers).

The time it takes to make a perfect duplicate is about 15 minutes (with
special material it can be reduced to less than 10 minutes).  To make a
duplicate of a lifted fingerprint took me several days in 1992 and I had to
do a lot of experiments to find the right process/technique.  Now it takes
me half an hour and the material costs are $20 (also sufficient for about 20
duplicates), the only equipment you need is a digital camera and an UV lamp.
Not only do I now make the duplicates in a fraction of the time, but also
the quality is better.

The reason for writing you all this is the following.  Although, most of the
fingerprint manufacturers still ignore that there is a problem or claim to
have solved it, some are willing to admit, but use the argument that it is
very difficult and expensive to duplicate fingerprints and that it can only
be done by highly skilled professionals.  In the first place I think this is
not a very strong argument, second I admit I am a professional, but now the
average do-it-yourself is able to achieve perfect results and requires only
limited means and skills.

So it is our opinion, that as long as the manufacturers of fingerprint
equipment do not solve the live detection problem (i.e. detect the
difference between a live finger and a dummy), biometric fingerprint sensors
should not be used in combination with identity cards, or in
medium to high security applications.  In fact, we even believe that
identity cards with fingerprint biometrics are in fact weaker than cards
without it.  The following two examples may illustrate this statement.

1.  Suppose, because of the fingerprint check, there is no longer visual
identification by an official or a controller.  When the fingerprint matches
with the template in the card then access is granted if it is a valid card
(not on the blacklist).  In that case someone who's own card is on the
blacklist, can buy a valid identity card with matching dummy fingerprint
(only 15 minutes work) and still get access without anyone noticing this.

2.  Another example: Suppose there still is visual identification and only
in case of doubt--the look-alike problem with identity cardsthe fingerprint
will be checked.  When the photo on the identity card and the person do not
really match and the official asks for fingerprint verification, most likely
the positive result of the fingerprint scan will prevail.  That is, the "OK"
from the technical fingerprint system will remove any (legitimate) doubt.

It is our opinion that especially the combination of identity cards and
biometric fingerprint sensors results in risks of which not many people are
aware.



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com


-------------------------------------------------------------------
The preceding was forwarded by the Biometric Consortium's Electronic
Discussion Group.  Any opinions expressed here do not necessarily
reflect those of the Biometric Consortium.  Further distribution
is prohibited.

LISTSERV members may access the BIOMETRICS mailing list archives or change
their subscription settings (including removing your name from the list)
at: http://peach.ease.lsoft.com/archives/biometrics.html.

Also, you may revove your name from the list by sending the command
"SIGNOFF BIOMETRICS" to <LISTSERV at PEACH.EASE.LSOFT.COM>.  Please do not
send the "SIGNOFF BIOMETRICS" command to the BIOMETRICS list.

You may update your membership information (new e-mail address etc.) by
sending a message to <bailey at biometrics.org> providing the updated
information.  Please do not send membership information change requests
to the BIOMETRICS list.

Problems and questions regarding this list should be sent to
BIOMETRICS-request at PEACH.EASE.LSOFT.COM.
-------------------------------------------------------------------


------ End of Forwarded Message

-------------------------------------
You are subscribed as eugen at leitl.org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net

[demime 1.01d removed an attachment of type application/pgp-signature]

More information about the Testlist mailing list