Recent independent research has suggested that many of these high-technology devices may be surprisingly simple to defeat. Biometric fingerprint readers, facial recognition systems and IP-addressable surveillance cameras are especially vulnerable due to the relative ease of manufacturing biological similes or accessing a corporate LAN/WAN or Internet connection. Many biometric systems already have high rates of false acceptance. These high error rates can allow access to unauthorized or unregistered users, even in the absence of deceptive tricks.
Manufacturers of biometric readers have claimed that their devices can provide an increased level of security by preventing unauthorized personnel from gaining access to a facility and by minimizing the total number of false reads. Because biometric data is unique to each individual, it always has been believed that it would be nearly impossible to duplicate the specific characteristics needed to effectively fool a biometric system. However, several studies conducted both in the United States and abroad have raised some serious questions about the true accuracy of biometrics.
While most security systems are quite effective in preventing the average felon from gaining unauthorized access, a knowledgeable and determined intruder may be able to defeat many biometric systems with readily available materials. Much of the information on how to do this has been published openly on the Internet for some time, but many end users are not aware of their systems’ vulnerabilities.
There are different kinds of biometric readers. Some reader types, such as gait recognition, human scent recognition and nailbed identification, which measures the pattern of ridges in the fingernails, are not common in industrial applications. More common biometric readers are iris scanners, fingerprint readers, hand geometry readers, and facial and voice recognition devices.
Fooling the systemMany secure facilities employ iris scanners, which analyze the features that exist in the colored tissue surrounding the pupil including rings, furrows and freckles. To help prevent “fake eyes” from being used, these systems shine a light into the user’s eye to monitor pupil dilation. However, they have been routinely defeated in the laboratory by several astute experimenters. To accomplish this, a high-quality digital image of an authorized person first was obtained by the experimenter, then enlarged to show the eye detail and subsequently printed out on high-quality photographic paper. Then, a small hole was cut in the photograph where the pupil was printed to expose the pupil in the experimenter’s own eye. The experimenter would then place the photo up against his eye so that his pupil could be seen behind the hole. This very basic and inexpensive technique was effective in routinely fooling the iris scan readers of several manufacturers.
At least one manufacturer of these iris scanners has claimed that its units have since been redesigned and that this scenario is no longer possible. Even if it is true, there are still considerable numbers of existing systems installed that are of the older design, and that raises some concern in the security community.
Retinal scan technology is quite old and largely has been superseded by the iris scan reader. Retinal scanners have some shortcomings of their own; they do not work with people who have cataracts or who are blind.
Fingerprint readers, the most common type of biometric reader, are perhaps the easiest to fool using a variety of methodologies. Some time ago, a Japanese cryptographer from Yokohama National University was able to prove that these fingerprint readers could be reliably and consistently fooled using a mere $10 worth of readily available household supplies. Using free-molding plastic available at most hobby shops, the cryptographer first made a mold of the finger of a person who was already in the access control system database. Then he poured a mixture of half liquid gelatin and half water into the mold and allowed it to harden. This simple device was able to fool approximately 80 percent of the detectors tested.
To further demonstrate the vulnerability of these types of biometric readers, he went on to obtain latent fingerprints left on drinking glasses and other objects. Using the cyanoacrylate tester found in Super Glue to highlight the image and clarify key fingerprint details in a process called cyanoacrylate fuming, he subsequently photographed the resultant fingerprint image with a digital camera. After digitally enhancing the image, he then printed out a fingerprint transparency. Using a commercially available printed circuit board kit, he acid etched the image of the fingerprint onto a copper substrate to produce a three-dimensional image of the print. This fabricated fingerprint, when placed against the reader sensor of several readers, resulted in a “positive” read approximately 80 percent of the time.
Simpler methodologies have been devised to fool such systems.To defeat some computer mouse fingerprint readers, one can simply exhale on the capacitive reader sensor. Here, the moisture from the breath enhances fingerprint detail from the fat deposits deposited by latent fingerprints and fools the system into accepting this image as a valid read. An even more reliable method is first to dust the latent fingerprint with graphite powder, and then gently blow across the fingerprint scanner so that the graphite powder only adheres to the raised ridges of the print. These deceptive tricks worked especially well on capacitive and optical design type sensors.
There are many other clever ways of covertly obtaining a fingerprint image from an authorized user. The point here is that latent fingerprints can be found everywhere, and it only takes a little knowledge and some modest materials to effectively trick a costly and complex state-of-the art computerized system. Some manufacturers claim that the newer generation of silicon-based fingerprint readers and laser readers are more difficult to defeat than the older optical type systems, as they read several layers of skin rather than only the surface layer in order to generate a three-dimensional map. Even if true, there are many of the older technology systems currently deployed in secure locations worldwide, many of which will remain there for several years to come.
Facial recognition systems have likewise been fooled by a variety of very simple methodologies. One such method is to place an image of the face of a registered user onto a laptop computer screen and then play the video clip before the facial recognition system camera. Even simpler, a still image taken either with a digital or film camera has proven to be effective in gaining unlawful access in several instances.
IP addressable cameras have been around now for a few years, and their innovative features and attractive user-available options make them a tempting alternative to the analog system. By its very nature, an analog system is regarded as a closed circuit system because all surveillance camera cables are home run to the switching and recording devices at the command and control center. It would be quite difficult for an interloper to “hack into” the system, and even then only one camera could be viewed at a time. This would have to be done by physically cutting the camera cable routed in the ceiling and attaching a monitor for local viewing.
By comparison, a fully digital camera system transmits its video over an Ethernet LAN/WAN connection to any computer on the network that is authorized to view it. These systems also can be made secure by having the system password-protected to restrict access to authorized viewers. In addition, anyone attempting to hack into the system would need to have the viewing client module installed in his or her personal computer with a customized short cut to be able to access the camera system.
Placing the security camera system on a dedicated LAN is another way to decrease the opportunity for attack. However, LAN networks are less reliable than analog switch networks, and periodically crash. Finally, information technology security firewalls and other safeguards need to be in place to assure system reliability and security.
There are ways, however, to enhance security and harden these systems to attack. One such method is to use personal identification number (PIN) codes and access control cards in combination with single-factor biometric readers. This method is known as three-factor security. Redundancy can be tiresome, but when guaranteeing a security system’s effectiveness, it can only help.