Biometrics

Vulnerability questions

by Mark Rowe

The Biometrics Institute has released its guiding document “Top 10 Vulnerability Questions” to its members and key stakeholders, to clarify some of the frequently asked questions about the spoofing of biometrics.

Isabelle Moeller, Chief Executive, Biometrics Institute, says: “We have been following the research of fake biometrics very closely and with great interest. Most recently claims have been made that you can steal fingerprints with only a camera as presented at the Chaos Computer Club Conference in Germany in December 2014. This important topic will be discussed at two upcoming events, the BVAEG Workshop and Biometrics 2015: Secure identity solutions now!, both in London in the week from 12-15 October 2015”.

It has been known for many years that under the “just right” circumstances, with a high resolution camera, a fingerprint image can be captured from a distance. But does this have practical utility for hackers or others? Even if it is possible, the question remains whether it is worth the effort required compared to other traditional ways that security can be breached, for instance by stealing passwords. Biometrics can provide a higher level of security than PINs and passwords but, as with all security measures, biometrics have vulnerabilities that need to be addressed.

Most modern matching algorithms use a variety of technologies to increase the difficulty of producing or using a fake biometric. As with all security technology there is a race of attack versus countermeasures, just like in the software virus world. It is therefore important to ensure security policies keep a balance between the security strength and what is being protected.

The Top 10 Vulnerability Questions guiding document will address questions such as whether a biometric can be stolen, what mitigation may be considered and what to do should this ever happen. It was designed to demystify some of the regular headlines around biometric spoofing, but more importantly, it will serve as a discussion paper for the Biometrics Institute members and stakeholders to raise awareness about the importance of vulnerability assessments and that mitigation is available.

There are a number of technologies, both software and hardware, that can be used to detect such spoofing attacks. The international community is addressing this emerging area of technology through an ISO/IEC standards project to develop data interchange formats and testing principles for software and hardware used to combat biometric spoofing (called “spoof detection” or “presentation attack detection”).

Dr Dunstone, Head of the BVAEG of the Biometrics Institute, says: “The Biometric Vulnerability Assessment Expert Group (BVAEG) – a subcommittee of the independent Biometrics Institute – consists of many of the most experienced experts in this area from around the world. The BVAEG mission is to raise awareness of the need for vulnerability detection to be included with biometric devices, to promote standards, enhance privacy protection, performance measures and testing, and to help facilitate the dissemination of new research or findings in this area.”

It issued a press release in October 2013 responding to the iPhone 5s fingerprint attack, which used a number of steps including laser printing the fingerprints in high resolution onto transparent film, etching onto a printed circuit board and using a latex material to make a fake fingerprint. The steps required make this attack difficult under realistic usage scenarios.

The Biometrics Institute encourages manufacturers of equipment that includes biometric sensors to be proactive in adopting spoof detection technology to maximise the chance of successfully rejecting a biometric spoof, and also recommends that government agencies and top-level decision makers become aware of the need for appropriate biometric vulnerability testing and certification as they consider both the risk and the convenience of the security mechanism(s).

The Top 10 is available to members of the Biometrics Institute; email [email protected].

The next BVAEG workshop will be held on October 12, ahead of the Biometrics 2015: Secure identity solutions now! conference, organised by Elsevier with the Biometrics Institute, which runs in London from October 13 to 15, 2015.


© 2024 Professional Security Magazine. All rights reserved.