Category Archive: Biometrics

Mar 30 2016

Easier fingerprint spoofing

In September 2013, the German Computer Chaos Club (CCC) demonstrated the first hack of Apple’s TouchID. Since then, they repeatedly defeated every new version both from Apple and Samsung. Their solution implies to create a dummy finger. This creation is a complex, lengthy process. It uses a typical photographic process with the copy of the actual fingerprint acting as the negative image. Thus, the master fingerprint is printed onto a transparent sheet at 1,200 dpi. This printed mask is exposed on the photosensitive PCB material. The PCB material is developed, etched and cleaned to create a mold. A thin coat of graphite spray is applied to improve the capacitive response. Finally, a thin film of white wood glue is smeared into the mold to make it opaque and create the fake finger.

Two researchers (K. CAO and A. JAIN) at the Michigan State University disclosed a new method to simplify the creation of the fake finger. They use conductive ink from AgIC. AgIC sells ink cartridges for Brother printers. Rather than making a rubber finger, they print a conductive 2D image of the fingerprint. And, they claim it works. Surprisingly, they scan the user’s fingerprint at 300 dpi whereas the CCC used 2,400 dpi to defeat the latest sensors.

As fingerprint on mobile devices will be used for more than simple authentication but also payment, it will be paramount to come with a new generation of biometrics sensors that also detect the liveliness of the scanned subject.

Sep 23 2013

CCC hacked Apple’s TouchID

One of the “innovative” features of the new Apple iPhone 5S is TouchID. TouchID is an integrated fingerprint recognition system. Once your fingerprint registered, you will be able to unlock the phone by pressing your finger on the home button. Is it secure?


On Saturday, the German Chaos Computer Club (CCC) announced that they cracked TouchID. According to them, the technology had nothing new excepted a higher resolution sensor. Thus the countermeasure was to use the traditional proven methods with higher resolution. Of course, it worked.

More interestingly, the official announcement of CCC highlights two major limits of biometrics:

  • It is not secure; Most of the systems can be lured.
  • Biometrics cannot be revoked! Once cracked, your fingerprint will always valid!


Nevertheless, some comments to mitigate these comments:

  • Some systems are more sophisticated. for instance, some fingerprint systems check whether the applied “finger” is living or a piece of latex. These systems are more expensive of course.
  • Some biometrics systems such as venous system recognition are far more difficult to lure. Their price is currently out the reach of consumer market.
  • As many people do not use pin to lock their phone, using fingerprint may be a more acceptable solution for many people. This would be better than using no access control to the phone, as long as the user does not blindly believe that the phone’s security is absolute.

Jul 24 2013

And if you would authenticate by touching your mobile device?

We are not yet there.   Nevertheless, Christian Holz and Patrick Baudisch, two German researchers seem to have made some progress towards this dream.  They designed a tabletop system with a touch screen that allows fingerprint detection.  

The magic comes from the screen material.  it uses a new fiber optical plate.  The plate is made of million highly reflective fibers.   Infra red lights is reflected back to the emitter.  When infra red lights exits the plate through skin, it reflects less light back.   Thus, an high resolution infra red camera can capture highly contrasted fingerprints.   This allows to authenticate the user who is using the touch screen.


Unfortunately, the current system requires a projector and a camera.  Thus, it is suitable for table top solution with enough room beneath the screen.   Not yet ready for small portable devices.

In any cases, it opens many interesting use cases.  They will present a paper at UIST’13.

May 30 2011

Identity and its verification

Nicholas BOHM and Stephen MASON explore the problems of identity and to verify it (or them). as the authors are lawyers, this paper has an interesting point of view. They are fully aware(and even surprisingly accurate) of technology and security limitations.

First, they explain what an identity (or an identifier) is, and what the challenges are in our modern shrinking world. My preferred statement is

And there is an increasing tendency to confuse a person’s knowledge of an identifier with evidence that the person with the knowledge is the person to whom the identifier relates

Then, they explore the difficulty to prove the relationship between an identifier and a person. They show the limits of identification documents (intrinsic such as birth certificate, or extrinsic such as utility bill). Finally, they tackle the identity cards, more precisely electronic identity cards. They show the short-come because not every one will have a trusted reader, and especially not with general purpose devices.

Due to their background, the paper has a strong focus on liability. For instance, no Government will ever take liability for the passports it issues. This analysis of the identity problem is enlightening.

Due to this special point of view, it is recommended to read this paper. Even if you’re not interested in identity matters, the paper will be educational for the liability point of view.

N. Bohm and S. Mason, “Identity and its verification,” Computer Law & Security Review, vol. 26, Jan. 2010, pp. 43-51 available at … 011/01/bohm-mason-identity.pdf.

Sep 06 2010

But(t) Authentication

No, I’m not turning my blog into a porn site. I just refer to a recent paper from FERRO M., PIOGGIA G., TOGNETTI A., CARBONARO N., and DE ROSSI D. These extremely serious Italian researchers have published “A Sensing Seat for Human Authentication“.

We know many biometrics authentications using voice, finger, palm, or iris. We had recognition through the way you walk, or the way you type. This one is recognition through the way you seat.

The seat is equipped with a set of strain sensors. These sensors show piezoresistive properties that can be turned into a digital fingerprint of the seating person. the paper describes the system, explains the measuring methods. They tested their system on 20 people over a period of 20 days in a truck simulator. The True Acceptance Rate is about 90-95%. The False Acceptance Rate was about 5%.

The researchers acknowledge that there are may parameters in the real world that may impact these rates such as movements and vibrations and changes of the human profile. A wallet in the pocket may derail the system. Too many hamburgers during a long period most probably also  :Wink:

The target is automotive industry. They foresee to couple it with face and voice recognition.

Thanks to BC for the pointer.

May 19 2009

Cheap face recognition

I just read about KeyLemon, a company who offers face recognition based login to Windows XP for less than 40$. They have a trial version. For fun I decided to try it.

The installation was straight forward. It used my webcam. When registering for the first time, it became touchy. The software wants you to be in a given relatively precise position.

Instead of your typical login screen, you have a screen who displays what the webcam sees, and a field to possibly enter your password. Once it recognized me (after a few seconds), it logged on without any problem. Now, the funny part, let’s push slightly the limit. I registered with my glasses, because I work without them in front of my screen. When I tried with the glasses, it did not recognize me. OK, let’s do it without the glasses.

Of course, you all already though about it. I took a picture of me with the webcam and printed it on the color printer. YES!!!! It recognized my picture! That’s really bad! An easy way to impersonate.

Then, I decided to comb my hairs (those who know me will understand :Wink: ) It did not recognize me. Ouf, my picture works.

Then, I decided to train better the tool (after 20 cumulative training with glass or not, comber or not), it did perform worse. Gracefully, there was still the field to type the password in.

KeyLemon is a funny tool but not a secure tool. Don’t trust it. Interestingly, the announced advantage

Stop wasting time entering your password

I’m not sure who would win the race

Stop remembering your password

No!!! What if it does not work correctly.

The only funny feature is the lock of the computer once it does not see you anymore in front of the screen.

Apr 14 2008

Wide distribution of fingerprints

In issue 92 of “die Datenschleuder”, the official magazine of Chaos Computer Club (CCC), on a plastic foil, you may find the fingerprint of German interior minister Wolfgang Schlauble. According to CCC, applying the foil on the biometrics reader to be used for German passport may impersonate the minister. CCC could not test it. Nevertheless, the hackers claim that they experimented with them.

One of the challenges of biometrics is to verify that the measured biometrics are from a living principal. For instance, new generation of fingerprint measures temperature of the finger, blood pressure, or resistivity of the skin. This may allow to detect fake fingers. Of course, another potential weakness is impersonation after the physical capture. In this case, all the additional measurements are useless.

This story, regardless of its potential veracity, highlights the inherent limitations of biometrics. It is possible to revoke a compromised key. It is impossible to revoke a compromised biometrics identity. If your fingerprint is available for a given technology, there is noway to stop it.

If this risk of capturing biometrics is real, then biometrics should be used only on two-factor authentication. In this configuration, the compromise of biometrics identity can be partly compensated by the second factor. In fact, in this case, the authentication is reduced (for the compromised identities) to a one-factor authentication. This is better than nothing. An upgrade of the biometrics method that would cope with the attacks would allow to re-validate the value of the biometrics.

In any case, generalization of biometrics will open a new black market: forged biometrics identity.

PS: “Die Datenschleuder” could be translated as “the data sling”.