Potential weaknesses of biometrics

Thread: Potential weaknesses of biometrics

  1. #1
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416

    Potential weaknesses of biometrics


    Concise description of how the systems work and their potential weakness.

  2. #2
    King Arana: Super Moderator
    Join Date
    Oct 2002
    Posts
    4,055
    Interesting article.. found quite a few things interesting, actually.

    Many use the Lantronix Micro100 serial server to control the data flow over the network.
    Did not know that about which servers they use (those specific companies).

    While this may be a fine controller, if you send any packet to port 30718, it crashes the server to the point where it has to be sent back to Lantronix for reflashing.
    I wonder if this means any external packet (well, obviously..) because if the packet is allowed through, then it will crash the server.

    You can also tap the data coming off the sensor to the extractor, in many cases this is sent in the clear over a TCP/IP link to a remote machine. You capture this data, and replay it when you want to get in.
    All a part of the fingerprinting described earlier in the article. Anyways, nice read on biometrics.
    Space For Rent.. =]

  3. #3
    This was an interesting article, thank you hesperus, it really got me thinking.

    Obviously, biometrics aren't entirely safe, but you really have to compare them to passwords. For example, a user doesn't have to think up a "strong" fingerprint, so the security of the metric doesn't depend on human intelligence. The only way to create a "gummy bear finger" would be to take a print with the permission of the user, unlikely, or to lift a latent print. But lifting a print would take time, expertise and resources. As for intercepting the link, all it would take would be a challenge/response, encrypted link between the sensor device and a trusted authentication server to protect the integrity of the data. I'm pretty sure that there are a few sensors out on the market that work this way. I suppose you could always hack the server, but that kind of puts you back at square one. I'd rather have a biometric sensor system at my workplace than a password system, simply because I don't trust people not to make stupid, easy passwords.

    Mind you, couldn't you have biometrics and a PIN or a password...

    just my thoughts on the subject.
    It seems to be peaceful,but it is incorrect.CATS is still alive.
    Zig-01 must fight CATS again.And down with them completely!
    GOOD LUCK!
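
The challenge/response idea raised in post #3, as an added example that is not part of the original thread: the server issues a single-use nonce and the sensor returns an HMAC over nonce plus reading, so a captured message cannot be replayed or spliced onto a later challenge. The class and function names, the pre-shared sensor key and the sample template bytes are assumptions constructed for illustration; link encryption and the biometric matching step are left out.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed length, so nonce || sample parses unambiguously


def tag_for(key: bytes, nonce: bytes, sample: bytes) -> bytes:
    """MAC that binds one sensor reading to one server challenge."""
    return hmac.new(key, nonce + sample, hashlib.sha256).digest()


class AuthServer:
    """Hypothetical authentication server holding the sensor's shared key."""

    def __init__(self, sensor_key: bytes):
        self._key = sensor_key
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, sample: bytes, tag: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-used challenge: replay
        self._outstanding.discard(nonce)  # single use, even if the MAC fails
        return hmac.compare_digest(tag_for(self._key, nonce, sample), tag)


def demo():
    key = secrets.token_bytes(32)  # assumed provisioned into the sensor
    server = AuthServer(key)
    sample = b"constructed-fingerprint-template"  # constructed sample data

    nonce = server.challenge()
    captured = (nonce, sample, tag_for(key, nonce, sample))  # what a tap sees
    genuine = server.verify(*captured)
    replayed = server.verify(*captured)  # same message sent again

    # Old reading and old tag presented against a new challenge.
    spliced = server.verify(server.challenge(), sample, captured[2])

    # Reading altered in transit after the sensor computed its tag.
    n2 = server.challenge()
    tampered = server.verify(n2, b"altered-template", tag_for(key, n2, sample))
    return genuine, replayed, spliced, tampered
```
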

  4. #4
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    Erm, is it just me or does he use the word Biometrics but mean Finger-scanners?

    There are a lot more than just finger-print scanners out there, one interesting one that I have come across actually had no lens or optical component at all, it has a metal plate with poles in between that you put your hand on and your fingers went in the gaps between the poles. An odd system but apparently very secure because it did not rely on things that could be faked (ie, taking someone else's hand....kinda forcefully....with a knife).

    In any event, I kinda question the credibility of this article, it seems that the main attack used here is social engineering, which works for the standard lock-and-key system as well so it's not really specifically attacking Biometrics.

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can remember the gentle features of the queen's face that fair day when the land here rested in holy peace and everyone had love to love with.

  5. #5
    Noia, that's the new scanner at my job! (I work at Safeway). It is so cool compared to the punch card thing. We even get our own ID cards, with pictures. I feel like an important part of the Safeway team, especially since my boss says I'm a fast cashier who is friendly with the customers.

    ten dollars an hour, here I come...

  6. #6
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Passwords are easy to change regularly or in the event of a compromise. Try changing your fingerprints or iris every 40 days.

    If someone compromises your fingerprint pattern it will stay compromised.

    I can imagine a company database of fingerprint patterns being infiltrated and then fake fingerprints being 'printed' on a device like a rapid prototyper.

  7. #7
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Originally posted here by Noia
    Erm, is it just me or does he use the word Biometrics but mean Finger-scanners?
    Although he is specifically talking about finger scanners, this applies to most biometric devices. The main difference is the physical scan, while everything behind the scenes is the same. Once it's data, the comparisons are done either locally or transmitted somewhere for comparison.

    There are a lot more than just finger-print scanners out there, one interesting one that I have come across actually had no lens or optical component at all, it has a metal plate with poles in between that you put your hand on and your fingers went in the gaps between the poles. An odd system but apparently very secure because it did not rely on things that could be faked (ie, taking someone else's hand....kinda forcefully....with a knife).
    Are you talking about a hand-geometry unit?
