In Defense of Biometrics

Published: 2013-09-11
Last Updated: 2013-09-11 19:44:30 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

There is a new iPhone and it comes with a finger print sensor! What better reason to talk a bit about biometric. In the good old days before Defcon and Wardriving, Biometrics had an ambiance of "high security". Remember the James Bond movie where they cut out a guy's eye to bypass a retina scanner? Those days are long gone. Now we have seen fingerprint and facial recognition systems being bypassed by simple printouts of the fingerprint or face, or rubber molds of fingerprints being used instead of the real thing.

So how meaningful is a fingerprint sensor these days? The right answer is of course: It depends. First on the quality of the sensor, secondly of the software used to analyze the acquired data, and finally the alternative authentication methods it replaces or suplements.

During enrollment, the sensor acquires a reference image of the fingerprint. This image is then analyzed, and certain parameters are extracted from the image. It is these parameters, not the original image, that will be used to compare later authentication attempts. Of course, no two images are quite alike. It may not be possible to identify all the parameters, or some additional characteristics may be discovered that were not visible in the reference scan. The result is that the software has to allow for some variability. For low quality sensors, this variability can be quite large, leaving you with only few distinct features. The result is the same as having a bad password: Many different users will end up with the same "fingerprint" as far as the sensor is concerned.

So what does this mean for the iPhone, or mobile device authentication in general? The problem with mobile device authentication has always been the fact that it is difficult for the user to enter complex passwords on a small keyboard. The result is that most users choose short numeric PINs. There have been a couple of other attempts, for example the Android "pattern" login and the use of cameras for facial recognition. The facial recognition usually suffers from bad sensor quality and from very variable lighting. The pattern login is a pretty neat idea, but I think it hasn't been tested sufficiently to figure out how much patterns users choose actually differ.

There is one thing Apple appears to have done right: The fingerprint data stays on the phone, and is not backed up to any cloud service. If this information got lost, an attacker could use it to reconstruct a duplicate of the finger, which in turn could be used for biometric identification even beyond the iPhone itself. 

As far as the quality of the image sensor and software: We will have to wait for it to be tested once the phone is released. It probably does not include more advanced feat rues like measuring the users body temperature or observing blood flow. But I hope it will be better then a 4 digit pin.

One easy improvement: Make it "real two factor" by allowing users to require a PIN/Password in addition to the fingerprint. Could they have done better then a fingerprint? There are a few different common biometric sensors: Facial recognition, Fingerprint, Weight/Height, retina scans and iris scans. Fingerprints are probably best considering the price of the sensor and the difficulty to acquire the data.

Finally: There is probably one real big vulnerability here. A stolen iPhone is likely covered in the user's fingerprints. It shouldn't be too hard for an attacker to lift a finger print off the phone itself to bypass the sensor.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

6 comment(s)


Agreed. If they could support requiring both a PIN and a fingerprint this would provide real value to me. Currently I use a traditional password on my devices but if this option existed it would allow me to use a PIN rather than typing an entire password without sacrificing as much vulnerability to brute force. But, I'll stick with my password over just a fingerprint.
Forging someone's fingerprint might have first involved tracking that person and lifting prints from a drinking glass, door handle or similar. So it seemed like a good extra layer of security for some purposes. It might be considerably easier for malware to obtain this from the memory of a smartphone though, and then it's compromised forever as a security mechanism for anything. You can change a password, but you can't permanently change your fingerprint. How much longer can this be viable, except as a toy?
The James Bond film would be Never Say Never Again. And it was the US President's iris or retina that was forged, so I don't imagine his eyeball was cut out of him, but rather the forgery created surgically only with knowledge of its appearance. I think a similar technique was used in the film Entrapment, which coincidentally starred Sean Connery. Actually removing someone's eyeball happened in Demolition Man to open an exit door, whereas in Minority Report both eyeballs were replaced consensually to avoid identification.

Also 007 disguised his fingerprints in Diamonds are Forever, leaving fake prints on a drinking glass. He also had a rifle in License to Kill programmed with a biometric signature only his palm could activate.

The Bourne Supremacy features an HP iPaQ supposedly scanning and transmitting fingerprint collected in the field. The H5400, released about 10 years ago, did in fact have a (thermal) fingerprint scanning strip as an optional sign-in method.
2-factor is not easy for the user, but Apple has added some extra protection. So the hacker can't turn it off, he needs to hide it under the tin-foil hat until he has the fingerprint. RF scan should be a 3D scan of the fingerprint, but it should be possible to create fakes anyway if you are good enough.

Here what is mentioned about the system

Only that passcode (not a finger) can unlock the phone if the phone is rebooted or hasn’t been unlocked for 48 hours. This feature is meant to block hackers from stalling for time as they try to find a way to circumvent the fingerprint scanner.

Apple says testing has shown that although the sensor is substantially better than fingerprint protection systems found in laptops, it will fail occasionally. In particular, Apple points out that moist fingers (such as sweat or residue from creams and lotions) do not work well with the device. The system may also have difficulty reading fingers that have scarred skin. However, as Touch ID can manage up to five fingerprint profiles at a time, Apple notes that customers can still take advantage of the feature by simply using a different finger for recognition.
Ah, you missed the NCIS episode where CIA agent Cort's eye was cut out and used to access a retina scanner...
It's not that kind of fingerprint reader. It's capacitive.

Diary Archives