Biometric Recognition Gets the Middle Finger
You may have seen biometric recognition products such as Microsoft's fingerprint reader, which remembers your passwords for you and inserts the appropriate passwords in the appropriate password fields when you visit a web page.
I returned Microsoft's fingerprint reader to the store the next day after learning the hard way that it worked only with Microsoft's Internet Explorer, which I had long since replaced with Firefox, and after learning that it remembered the Windows login password for domain logons only.
Many other products feature biometric recognition. For example, Lenovo's T-series ThinkPad notebooks include a built-in fingerprint reader that helps remember passwords.
Certainly it's easier to tap the fingerprint reader than to maneuver the cursor to the password box, remember the password, and then enter it. Well, that's unless you trust your browser's password storage with remembering the passwords for your various web pages, in which case your browser automatically inserts your user name and password for you, eliminating the need to either type the password or tap the biometric reader. At least Firefox can do that; I'm not sure whether Internet Explorer can do it.
Still, you may not want your browser to do that, say, if occasionally you leave your computer while logged in and don't want to risk having others sneak up and visit one of your password-protected pages.
Perhaps fingerprint recognition is a secure and convenient solution in some situations.
I'd agree on the convenience, but as security guru Bruce Schneier once said, if you think technology will solve your security problems, then you don't know about technology and you don't understand security. If you think biometric recognition is safe, perhaps it's time to think again.
I'm not talking about flaws in the accompanying software, which (true to Microsoft tradition, one might add) does appear to contain serious security holes according to Wikipedia, but about trusting that your fingerprint will remain your own personal property.
This YouTube video demonstrates how you can easily copy someone else's fingerprint and use it on the fingerprint recognition device that he or she is using to load passwords. The audio track is in German, and I haven't been able to locate a similar video with English audio or captions. However, with a little explanation I think it's reasonably straightforward to follow what's going on:
The video shows a member of the German computer club "Kaos," which has experimented with security issues for years. To successfully copy someone's fingerprint for use in a biometric sensor, you need:
- The lid from a plastic bottle
- Superglue (the kind that glues within seconds)
- A digital camera
- Hobby glue (for gluing wood and such)
- Skin-friendly cosmetic glue
- A computer with an image processing program
- A regular office printer that can print on transparencies
- A sheet of plastic transparency
The user's fingerprint is found on a bottle that the user has touched. This could be any smooth surface that the user has touched, of course.
The narrator applies a few drops of superglue in the lid from the plastic bottle and presses it against the fingerprint left on the bottle. The superglue leaves a visible white pattern on the fingerprint when the plastic lid is removed, and the narrator takes a picture of it with his digital camera.
Next, the narrator transfers the image from the camera to the computer and cleans it of irregularities. The size is also adjusted to match that of the original fingerprint. The narrator then prints the image onto a transparency sheet.
The printer ink leaves a three-dimensional structure, which is covered by the hobby glue. When the glue has dried, it can be removed from the plastic transparency, since the glue won't stick well to the smooth plastic. The glue is now a copy of the user's fingerprint.
The glue fingerprint is cut to an appropriate size and glued to the imposter's finger with cosmetic glue.
The fingerprint copy can now be used on the computer mouse, and voilà: the fingerprint copy is recognized as the user's own fingerprint.
"Kaos" demonstrates that copying a fingerprint is so easy that in practice you'll be leaving the biometric equivalent of yellow notes with your password written down on them everywhere. With biometric recognition finding its way into our daily lives and being hyped as far more secure than simple experiments show it to be, perhaps it will soon be glove season all year as people realize that they leave their passwords on anything they touch.