Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: In Defense of Biometrics InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

In Defense of Biometrics

Published: 2013-09-11
Last Updated: 2013-09-11 19:44:30 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

There is a new iPhone and it comes with a finger print sensor! What better reason to talk a bit about biometric. In the good old days before Defcon and Wardriving, Biometrics had an ambiance of "high security". Remember the James Bond movie where they cut out a guy's eye to bypass a retina scanner? Those days are long gone. Now we have seen fingerprint and facial recognition systems being bypassed by simple printouts of the fingerprint or face, or rubber molds of fingerprints being used instead of the real thing.

So how meaningful is a fingerprint sensor these days? The right answer is of course: It depends. First on the quality of the sensor, secondly of the software used to analyze the acquired data, and finally the alternative authentication methods it replaces or suplements.

During enrollment, the sensor acquires a reference image of the fingerprint. This image is then analyzed, and certain parameters are extracted from the image. It is these parameters, not the original image, that will be used to compare later authentication attempts. Of course, no two images are quite alike. It may not be possible to identify all the parameters, or some additional characteristics may be discovered that were not visible in the reference scan. The result is that the software has to allow for some variability. For low quality sensors, this variability can be quite large, leaving you with only few distinct features. The result is the same as having a bad password: Many different users will end up with the same "fingerprint" as far as the sensor is concerned.

So what does this mean for the iPhone, or mobile device authentication in general? The problem with mobile device authentication has always been the fact that it is difficult for the user to enter complex passwords on a small keyboard. The result is that most users choose short numeric PINs. There have been a couple of other attempts, for example the Android "pattern" login and the use of cameras for facial recognition. The facial recognition usually suffers from bad sensor quality and from very variable lighting. The pattern login is a pretty neat idea, but I think it hasn't been tested sufficiently to figure out how much patterns users choose actually differ.

There is one thing Apple appears to have done right: The fingerprint data stays on the phone, and is not backed up to any cloud service. If this information got lost, an attacker could use it to reconstruct a duplicate of the finger, which in turn could be used for biometric identification even beyond the iPhone itself. 

As far as the quality of the image sensor and software: We will have to wait for it to be tested once the phone is released. It probably does not include more advanced feat rues like measuring the users body temperature or observing blood flow. But I hope it will be better then a 4 digit pin.

One easy improvement: Make it "real two factor" by allowing users to require a PIN/Password in addition to the fingerprint. Could they have done better then a fingerprint? There are a few different common biometric sensors: Facial recognition, Fingerprint, Weight/Height, retina scans and iris scans. Fingerprints are probably best considering the price of the sensor and the difficulty to acquire the data.

Finally: There is probably one real big vulnerability here. A stolen iPhone is likely covered in the user's fingerprints. It shouldn't be too hard for an attacker to lift a finger print off the phone itself to bypass the sensor.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

6 comment(s)
Diary Archives