Every month, I am more and more surprised at how dangerously insecure the information world is becoming. This is especially true when it comes to the implementation of systems which use biometrics, including fingerprint authentication. As more and more of our assets become virtual, securing those assets becomes a quantum leap more complicated than before. Why? Because the security of those assets is determined by our ability to prove that we are who we claim to be. In the digital world, this is where passwords, biometric identification, PINs, and other methods come into play. By using these alone or in combination, it is hoped that access will be fully restricted.
Before the internet, passwords, cards, and PINs generally worked quite well to restrict access, partly because physical access was also required, and physical access is reasonably easy to secure. However, now that all of this information sits within an ever-growing international network of banks, government computers, and border systems, the need to ensure that the non-physical methods used to secure these assets actually work has increased. Since it is easy for an adversary to reach the physical system itself, the only real barrier to access is the token-based authentication system.
One token which is incredibly easy to break, but is being pushed at all levels of policy right now, is biometric identification, specifically fingerprint identification. First off, as seen on Mythbusters, with very little know-how it is trivial to copy someone's fingerprint. It is not outside the realm of possibility that a determined adversary could improve on the Mythbusters hack so that their hand carries false fingerprints which, without very close examination, remain undetectable.
Yet many people still think that fingerprint authentication/identification alone is secure. Even government border programs have been using it in the hope that it is more efficient and secure. Ironically, by collecting fingerprints en masse like that, they make any system based on fingerprint ID less secure, since access to a single database would provide hundreds of fingerprints together with real-world identities: security tokens which are not revocable. Any unauthorized access to the database of fingerprints would instantly make all of those fingerprints useless for the purposes of secure identification. In comparison, gaining direct access to a similar plain-text password file would have less long-term detrimental effect, because unlike fingerprints, passwords can be changed trivially.
Amazingly, this fact seems to be completely missed by some world leaders and ignored by others. As an example, the US uses fingerprints at the border as a form of identification and security, yet homeland security czar Chertoff is quoted as saying:
"The U.S. homeland security czar says Canadians shouldn't fear plans to expand international sharing of biometric information such as fingerprints. Michael Chertoff says a person's fingerprints are like footprints.
"They're not particularly private," Chertoff said in an interview Wednesday during a brief visit to Ottawa. "Your fingerprint's hardly personal data, because you leave it on glasses and silverware and articles all over the world."
If he doesn't believe they are private, then why do they use them? This is not simply an American issue; in Europe many governments are considering using them with passports to "improve passport security," most likely by matching an irrevocable fingerprint to the owner of the passport. At first glance, it may seem to be a great new tool to link passport to person. However, due to the simplicity of faking a print, it isn't.
This is most astutely demonstrated by a German hacker group known as the "Chaos Computer Club." They acquired the fingerprint of Germany's interior minister and published not only a clean image of it, but also complete instructions for how to create a quality duplicate of it. At this point, since the interior minister cannot change their fingerprint, any security system where the fingerprint is one of the necessary tokens is permanently compromised to some degree. This is not a real change though, since it can be easily seen that the security token (the fingerprint) was compromised before this group published it, because we all leave fingerprints everywhere (unless we are always wearing gloves), but their "hack" demonstrated the sheer silliness of viewing a fingerprint as a security device for identification.
I must note that in a multiple-token system where the fingerprint is just one of many tokens, using a fingerprint is not as disastrous. However, since it should be assumed that the fingerprint has already been compromised, using it as a security device is about as useful as the person using their full name as a security device: a needless, complicated step with no real contribution to the actual security of the system. So for an authentication system, fingerprints are completely useless.
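To make the revocability point and the "fingerprint as identifier, not secret" point above concrete, here is an added example (my own illustration, not code from any product or program the post mentions) of an account store that uses the fingerprint only to look up the account, and a rotatable password as the sole authenticator. The exact-match lookup on a hashed template is a constructed simplification; real fingerprint matching is fuzzy and would need a proper matcher in front of this lookup.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked copy of this table is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    name: str
    fingerprint_id: bytes   # derived from the biometric; an identifier, never a secret
    salt: bytes
    password_hash: bytes    # the only factor that actually grants access


class AuthStore:
    def __init__(self) -> None:
        self._by_print: dict[bytes, Account] = {}

    def enroll(self, name: str, fingerprint_template: bytes, password: str) -> Account:
        # Assumption: the sensor hands us a stable byte template (constructed here).
        fp_id = hashlib.sha256(fingerprint_template).digest()
        salt = secrets.token_bytes(16)
        acct = Account(name, fp_id, salt, _hash_password(password, salt))
        self._by_print[fp_id] = acct
        return acct

    def authenticate(self, fingerprint_template: bytes, password: str) -> bool:
        # The fingerprint behaves like a username: it selects the account.
        acct = self._by_print.get(hashlib.sha256(fingerprint_template).digest())
        if acct is None:
            return False
        # A copied print alone never passes; only the rotatable secret does.
        candidate = _hash_password(password, acct.salt)
        return hmac.compare_digest(candidate, acct.password_hash)

    def rotate_password(self, acct: Account, new_password: str) -> None:
        # The recoverable factor after a breach: reissue salt and hash.
        # There is no equivalent for fingerprint_id, which is why it must not be a secret.
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
```

Rotating the password invalidates the old one while the fingerprint lookup keeps working, which is the whole benefit of keeping the irrevocable factor out of the secret role.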
In the case where fingerprints are used for ID verification, similar complaints remain. While fingerprints cannot be changed, false fingerprints can be created. As such, whenever fingerprints are used to identify someone, it must be ensured that they have not been faked in any fashion, an exceedingly difficult task at the best of times. However, with solid physical controls on site (e.g. a security guard manually checking the finger for discrepancies before it is placed on the sensor), as far as I am aware, it may be possible to prevent these issues. That is assuming fingerprint-copying technology doesn't improve to the point that a manual check is ineffectual.
Fingerprints, simply put, are not secure. A determined adversary can easily copy them or fake them. We should stop using them for authentication and be wary of using them for id verification. The sooner we all realize this, the more secure we'll be in the long run.
Crossposted at 1337hax0r.com