Potential weaknesses of biometrics

[hesperus]

Defcon 2005 : Not as hard as you might think

By Charlie Demerjian in Las Vegas: Saturday 30 July 2005, 15:58

Concise description of how the systems work and their potential weakness.

[Spyder32]

Interesting article.. found quite a few things interesting, actually.

Many use the Lantronix Micro100 serial server to control the data flow over the network.

Did not know that about which servers they use (those specific companies).

While this may be a fine controller, if you send any packet to port 30718, it crashes the server to the point where it has to be sent back to Lantronix for reflashing.

I wonder if this means any external packet (well, obviously..) because if the packet is allowed through, then it will crash the server.

You can also tap the data coming off the sensor to the extractor, in many cases this is sent in the clear over a TCP/IP link to a remote machine. You capture this data, and replay it when you want to get in.

All apart of the fingerprinting described earlier in the article. Anyways, nice read on biometrics.

[pshannon]

This was an interesting article, thank you hesperus, it really got me thinking.

Obviously, biometrics aren't entirely safe, but you really have to compare them to passwords. For example, A user doesn't have to think up a "strong" fingerprint, so the security of the metric doesn't depend on human intelligence. The only way to create a "gummy bear finger" would be to take a print with the permission of the user, unlikely, or to lift a latent print.But lifting a print would take time, expertise and ressources. As for intercepting the link, All it would take would be a challenge/response, encrypted link between the sensor device and a trusted authentication server to protect the integrity of the data.I'm pretty sure that there are a few sensors out on the market that work this way.I suppose you could always hack the server, but that kind of puts you back at square one.I'd rather have a biometric sensor system at my workplace than a password system, simply because I don't trust people not to make stupid, easy passwords.

Mind you, couldn't you have biometrics and a PIN or a password...

just my thoughts on the subject.

[Noia]

Erm, is it just me or does he use the word Biometrics but mean Finger-scanners?

There are alot more that just finger-print scanners out there, one interesting one that I have come accross acctualy had no lense or optical component at all, it bas a metal plate with poles inbetween that you put your hand on and your fingers went in the gaps between the poles. An odd system but apparently very secure because it did not rely on things that could be faked (ie, taking some one elses hand....kinda forcefully....with a knife).

In any event, I kinda question the credibility of this article, it seems that the main attack used here is social engeneering, which works for the stanard lock-and-key system aswell so its not really specificaly attacking Biometrics.

- Noia

[pshannon]

Noia, that's the new scanner at my job! (I work at safeway). It is so cool compared to the punch card thing.We even get our own ID cards, with pictures. I feel like an important part of the safeway team, especially since my boss says I'm a fast cashier who is friendly with the customers.

ten dollars an hour, here I come...

[Aspman]

Passwords are easy to change regularly or int he event of a compromise. Try changing your fingerprints or iris every 40 days.

If someone compromises your fingerprint pattern it will stay compromised.

I can imagine a company database of fingerprint patterns being infiltrated and then fake fingerprints being 'printed' on a device like a rapid prototyper.

[zENGER]

Originally posted here by Noia
Erm, is it just me or does he use the word Biometrics but mean Finger-scanners?

Although he is specifically talking about finger scanners, this applys to most biometric devices. The main difference is the physical scan, while everything behind the scenes is the same. Once its data, the comparisons are done either locally or transmitted somewhere for comparison.

There are alot more that just finger-print scanners out there, one interesting one that I have come accross acctualy had no lense or optical component at all, it bas a metal plate with poles inbetween that you put your hand on and your fingers went in the gaps between the poles. An odd system but apparently very secure because it did not rely on things that could be faked (ie, taking some one elses hand....kinda forcefully....with a knife).

Are you talking about a hand-geometry unit?