Pain Points in Biometric System Security

Biometric authentication is moving fast from science fiction into everyday reality. From unlocking devices at the sound of a voice to facial recognition, biometric systems are growing in use and application, and for good reason. They are convenient, easy to use, and viewed as more secure than conventional authentication systems.
Before you jump right in, however, better grab your chief of security. Biometric systems are harder to tamper with, but they can be manipulated. If your team is moving forward with a system that uses biometric authentication, there are vulnerable areas you’ll need to defend.

A short guide on the biometric authentication process

To best explain where the vulnerabilities are in biometric authentication systems, it helps to understand how the systems operate. The diagram below is oversimplified for some current systems, but it is a clear map of the basic process.
In a biometric authentication system, all subjects are first 'enrolled'. Enrollment means data must be first saved by the system for future use. The system scans the subject and extracts their 'features', the measurable data the system can use. Although we think of biometric systems, particularly facial recognition, as using photographs, the authentication itself does not use or save data through pictures. Instead, a biometrics system uses numbers and calculations based on our features. The system then processes the extracted feature data for quality, and saves it as a 'template' for later retrieval.
When the subject wants to access the system, it scans and re-extracts their features. This time, however, instead of storing the data as a template, the system takes their extracted features to the matcher. The matcher compares the new data against the previously stored template. The decision engine makes a selection based on the match. If the match is correct (positive), the subject now has access; if incorrect (negative), the system denies their credentials.
[Diagram: Biometric Enrollment and Authentication]

From this basic understanding of the process, we can immediately see where the system is vulnerable. An attacker can:

  1. Present fake biometrics to the scanner.
  2. Resubmit fake or previously stored biometric data.
  3. Tamper with or override the feature extraction engine.
  4. Tamper with the stored templates.
  5. Attack the channel between a matcher and stored template.
  6. Override the matcher.
  7. Override the final decision.

Present fake biometrics to the scanner

The idea of getting into a system using fake biometrics might bring up images of Charlie’s Angels, but truth can be stranger than fiction. In 2002 Japanese cryptographer Tsutomu Matsumoto made designers of fingerprint authentication ask how clever their systems really were. Through clever engineering Matsumoto was able to fool fingerprint scanners eight times out of ten. Even more impressive, Matsumoto didn't need an expensive toolkit to pull it off. The hack was successful using the same materials found in gummi bears. Meanwhile in 2006, a group of Malaysian car thieves found a less creative way to get around similar scanning. Unfortunately for accountant K. Kumaran, they discovered they could steal his high-tech vehicle by cutting off the index finger used to authenticate. OUCH!
Additionally, biometric authenticators aren’t private. We leave our fingerprints everywhere, and unless you've taken to wearing a mask, your face is publicly available. If identity thieves find a way to copy or steal this information accurately enough, they can present it to the system as you.

Resubmit fake or previously stored biometric data

This is similar to using fake biometrics, but with a twist: instead of stealing or faking the fingerprint, the identity thief steals or fakes the print data. These attacks are particularly troubling because they highlight a major problem with biometrics. We can reset stolen passwords, but the same is not true for biometric authenticators. Data subjects will not be able to alter their face, hand or eyes because your system had a data breach!
One of the privacy concerns about biometric systems is the exposure of sensitive data if hacked. Once biometric systems are compromised, they can never be considered secure again.
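One defence against resubmitted data is to make every capture single-use. The sketch below is an added example, not code from the original article: the verifier issues a one-time challenge, the sensor binds its extracted features to that challenge with a MAC, and anything resubmitted later is refused. The `Verifier` class, `sensor_capture`, the device key and the feature values are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a per-device key provisioned into the sensor's secure hardware.
DEVICE_KEY = b"constructed-sensor-key"

def sensor_tag(nonce, features):
    """MAC over the challenge and the extracted features together."""
    body = json.dumps({"nonce": nonce, "features": features}, sort_keys=True)
    return hmac.new(DEVICE_KEY, body.encode(), hashlib.sha256).hexdigest()

def sensor_capture(nonce, features):
    """What a trusted sensor sends to the matcher for one authentication attempt."""
    return {"nonce": nonce, "features": features, "tag": sensor_tag(nonce, features)}

class Verifier:
    def __init__(self, max_age=30.0):
        self.pending = {}        # nonce -> time it was issued
        self.max_age = max_age   # seconds a challenge stays valid

    def challenge(self, now=None):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = time.time() if now is None else now
        return nonce

    def check(self, msg, now=None):
        now = time.time() if now is None else now
        issued = self.pending.pop(msg["nonce"], None)  # each nonce works once
        if issued is None:
            return "replayed-or-unknown-nonce"
        if now - issued > self.max_age:
            return "expired"
        expected = sensor_tag(msg["nonce"], msg["features"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"
        return "fresh"  # only now may the features go on to the matcher
```

A result of "fresh" says the data came from the sensor for this attempt; it says nothing about whether the finger or face in front of the sensor was real, which is the separate problem of fake biometrics at the scanner.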

Tamper with or override the feature extraction engine

When a biometric system is in play, there are a number of things happening behind the scenes, out of the user's view. First, the system scans and records the intended area, such as hand, eye or full face. Next, the feature extraction engine pulls measurable and ideally unique data from the scan. What if someone, or something, interfered with the extraction process? If no data is extracted, or the extracted data is inaccurate, there is no chance of matching the data correctly.
There are two attack areas at the feature extraction level. First, the attacker can tamper with the system as it extracts the vital data from the original scan. Second is when the data is processed: the attacker stops the extracted data from reaching the matcher. Both methods are effective. An attack on the feature extraction process makes a biometric authentication attempt impossible, even with correct credentials.

Tamper with the stored templates

How can you trust a system when the original data it relies on is bad? That’s the problem when fake credentials are used in the biometric system to begin with. Biometric systems operate by first having data to compare against. Before any system can be operational, a user is first enrolled, having their fingerprint, iris, retina, voice or face scanned and stored as the original template data. All biometric authentication systems then scan and compare against the template data. If a user provides false template data in the beginning, the biometric system will fail when asked to authenticate the real party. Consider this: in an act of identity theft, O. J. Thomas creates an account for John Smith using his own fingerprint and face. Now, if John Smith tries to authenticate, the system will say he does not match, while O. J. can access the account at any point.
Another option for an attack is to tamper with the templates themselves. Once the hacker has access to the saved data, they mismatch the templates. This locks out all future attempts at authentication: a biometric authentication system cannot work without accurate, original data for comparison.

Attack the channel between a matcher and stored template

This attack can be difficult, but it is very possible over an unencrypted network. The attacker waits until after the feature extraction process, then interrupts when the matcher accesses the template data. Similar to tampering with stored templates, if they modify the saved data they can block the authentication process. In this attack, a malicious scammer also has an opportunity to deny access for their target, and enable their own access in the future. They would simply copy the original template data before sending false data to the matcher. The matcher fails the original subject, and the attacker can resubmit the template data at a later point.
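Both template tampering and modification on the way to the matcher can be detected if each template carries an integrity tag bound to its owner, checked by the matcher before any comparison. The following is an added example, not code from the original article; the key, function names, feature vectors and distance threshold are constructed assumptions. It covers integrity only: keeping a template from being copied in transit still requires an encrypted channel.

```python
import hashlib
import hmac
import json

# Assumption: the key is held by the matcher (ideally in an HSM or KMS),
# never stored beside the template database.
TEMPLATE_KEY = b"constructed-demo-key"

def seal_template(user_id, features):
    """Enrollment: serialise the template and MAC it together with its owner."""
    payload = json.dumps({"user": user_id, "features": features}, sort_keys=True)
    tag = hmac.new(TEMPLATE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

def open_template(user_id, record):
    """Matcher side: refuse any template that was altered or belongs to someone else."""
    expected = hmac.new(TEMPLATE_KEY, record["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("template integrity check failed")
    data = json.loads(record["payload"])
    if data["user"] != user_id:
        raise ValueError("template was swapped from another user")
    return data["features"]

def authenticate(user_id, probe, store, threshold=0.25):
    """Return 'accept', 'reject' or 'tampered'; a tampered record never reaches the matcher."""
    if user_id not in store:
        return "reject"
    try:
        template = open_template(user_id, store[user_id])
    except ValueError:
        return "tampered"  # raise an alert here rather than silently locking the user out
    if len(probe) != len(template):
        return "reject"
    distance = sum((a - b) ** 2 for a, b in zip(probe, template)) ** 0.5
    return "accept" if distance <= threshold else "reject"
```

This does not help with a false enrollment such as the O. J. Thomas case, because the fraudulent template is sealed as faithfully as a genuine one; that has to be caught by identity proofing at enrollment time.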

Override the matcher

The verification scan is secure, and the extracted features remain intact. The originals stored in a database remain untouched. Yet despite all this, the authentication system can't match the data. What gives? A bit of malware in the right place makes all the difference. Biometric authentication systems need the ability to compare new data against saved templates. If an attacker compromises the matcher, the system can't authenticate. Although attacks against biometric matchers are obscure, researchers agree they are viable.

Override the final decision

If the attacker can compromise the 'accept/reject' function of the system, it’s all over. At its worst, tampering with the final decision renders the system at the attacker's complete mercy: the ability to decide who to accept or deny as they please. More crudely, attacking the final decision engine can result in forcing the system to 'accept all', 'reject all', or be unable to decide. Consider, for example, an attacker who hits the decision engine with a DoS attack. If the attack is successful, the system becomes unusable, forcing the target to use another method of authentication.

Biometric authentication technology has come a long way, but it remains far from perfect. If your business or organization is considering implementation as a security solution, be ready for commitment. Security attacks are harder to pull off on biometric systems, but researchers have proven they are viable. As with all cyber security systems, the ingenuity of a determined malicious user should not be underestimated. If there are weak points, they will be tested, and if a way in is found it won’t take long before it is exploited. For a biometric authentication system, which uses personal data to protect even more sensitive data, the results can be devastating. Before moving forward, work with your security team, and talk with vendors before buying any new biometric authentication system. Examine the possibilities and establish how your system will protect against and prevent these vulnerable areas from falling to attacks.

Further Recommended Reading

Vacca, J. (2007). Biometric technologies and verification systems. Burlington, MA: Elsevier/Butterworth-Heinemann.

Roberts, C. (2007). Biometric attack vectors and defences. Computers & Security, 26(1), pp.14-25.
