Some years ago the Chaos Computer Club (CCC) posted a video (actually two: one in English and one in German) showing how to capture fingerprints from objects and use the copies to spoof a fingerprint scanner. The method of capturing the prints was one often seen in TV crime dramas: use Cyanoacrylate glue to make the print visible, take a picture of the print, use that picture to make an image on plastic and use that plastic on a finger pad to authenticate. There have been variations, too, including one using Gummi Bears.
These attacks all required an actual fingerprint impression – until now.
The CCC recently showed (or, if you don’t speak German, here is the English translation) that it can copy a fingerprint from photos of the finger. They took a picture of the German Defense Minister and cloned it from photographs. That clone was good enough to spoof a fingerprint scanner.
Does this mean biometric authentication is at risk? Well, it may mean fingerprint authentication is less likely to be used for serious applications. I discussed some of the issues with fingerprint scanners in “Sharing Fingers?” back in 2013. I like fingerprint biometric authentication because it is quick and easy. It is clearly spoofable, but so are passwords. Fingerprints can’t be changed once compromised, though so given this latest demonstration by the CCC, I believe they are less useful than before as an authentication method.
But that doesn’t mean all biometric authentication is at risk. There are still other methods including iris scanning that aren’t as easily defeated as fingerprint authentication. Some examples include palm vein scanning and body odor analysis. Neither is affordable (yet) nor practical for desktop deployment as I write this, but iris scanning may come to a phone or tablet near you in the not too distant future.
In any case, as we discuss in Learning Tree’s System and Network Security Introduction, biometrics are generally deployed as part of a multi-factor authentication system. That is, an additional PIN or password is often required in addition to the fingerprint. Unlike the fingerprint, this can and probably should be changed regularly. Using two-factor authentication means an attacker has to compromise both paths in order to get to the resource the authentication is protecting. If one of these can be changed, it makes the compromise just that less likely.
I’d love to hear your comments about this latest attack. Watch the video and let us know in the comments below what you think.
To your safe computing,