Biometric Vein Recognition Hacked

Biometric vein recognition is considered with iris recognition as the most secure biometrics system. Vein recognition is used in highly secure areas. Automatic Telling Machines starts to use this technology with, for instance in Japan. This statement was valid until December 2018. At the famous German Chaos Communication Congress (35c3), Krissler Ian, also known as Starbug, and Albrecht Julian demonstrated a method (German video) to create a lure hand that defeats commercial systems.

Starbug is a well known hacker in the field of biometrics. For instance, in 2016, he faked successfully the fingerprints of a German minister using high resolution captured photos.

For about 20 years, vein recognition is mainly a Japanese technology. Fujitsu and Hitachi are the two leaders. The network of veins is captured either by reflection from the palm or through transparency with Infra Red (IR) light for fingers. The captured network is turned into minutiae like a typical fingerprint.

The capture phase seems rather simple. The researchers removed the IR filter of a traditional high-end DSLR camera (in that case, Nikon D600) with good lenses. They were able to get a proper capture up to 6 meters with a flash. They also built a raspberry-based system that could be hidden into a device, for instance, a hand-dry-blower. The captured image is processed via a python script to generate a skeleton of the network of veins (as illustrated by the figure below).

Once the skeleton available, they build a fake hand (or finger) using bee wax. The fake hand covers the printed picture. They tried many different materials, but the wax presented the best performance concerning transparency and diffraction of IR light, in other words, it better emulated skin.

Once the fake hand available, the attacker has to use it on the detector. They performed a live demonstration. The demonstration highlighted that the lighting conditions were critical. The strong lighting of the scene spoiled the demonstration, and they had to shade the detector to success. On the other hand, the fake finger detection went on smoothly. The detector was a kind of tunnel. At the time of the presentation, Hitachi and Fujitsu did not have yet reacted.

The attacked detectors had no liveliness detection. As I highlighted in section 7.4.2 of “Ten Laws for Security,” detecting the presence of a real living being behind the captured biometrics is necessarily for robust systems. Unfortunately, such detection increases the complexity and cost of detectors.

Conclusion: Once more, Law 1: Attackers will always find their way
was demonstrated.

Easier fingerprint spoofing

In September 2013, the German Computer Chaos Club (CCC) demonstrated the first hack of Apple’s TouchID. Since then, they repeatedly defeated every new version both from Apple and Samsung. Their solution implies to create a dummy finger. This creation is a complex, lengthy process. It uses a typical photographic process with the copy of the actual fingerprint acting as the negative image. Thus, the master fingerprint is printed onto a transparent sheet at 1,200 dpi. This printed mask is exposed on the photosensitive PCB material. The PCB material is developed, etched and cleaned to create a mold. A thin coat of graphite spray is applied to improve the capacitive response. Finally, a thin film of white wood glue is smeared into the mold to make it opaque and create the fake finger.

Two researchers (K. CAO and A. JAIN) at the Michigan State University disclosed a new method to simplify the creation of the fake finger. They use conductive ink from AgIC. AgIC sells ink cartridges for Brother printers. Rather than making a rubber finger, they print a conductive 2D image of the fingerprint. And, they claim it works. Surprisingly, they scan the user’s fingerprint at 300 dpi whereas the CCC used 2,400 dpi to defeat the latest sensors.

As fingerprint on mobile devices will be used for more than simple authentication but also payment, it will be paramount to come with a new generation of biometrics sensors that also detect the liveliness of the scanned subject.

CCC hacked Apple’s TouchID

One of the “innovative” features of the new Apple iPhone 5S is TouchID. TouchID is an integrated fingerprint recognition system. Once your fingerprint registered, you will be able to unlock the phone by pressing your finger on the home button. Is it secure?


On Saturday, the German Chaos Computer Club (CCC) announced that they cracked TouchID. According to them, the technology had nothing new excepted a higher resolution sensor. Thus the countermeasure was to use the traditional proven methods with higher resolution. Of course, it worked.

More interestingly, the official announcement of CCC highlights two major limits of biometrics:

  • It is not secure; Most of the systems can be lured.
  • Biometrics cannot be revoked! Once cracked, your fingerprint will always valid!


Nevertheless, some comments to mitigate these comments:

  • Some systems are more sophisticated. for instance, some fingerprint systems check whether the applied “finger” is living or a piece of latex. These systems are more expensive of course.
  • Some biometrics systems such as venous system recognition are far more difficult to lure. Their price is currently out the reach of consumer market.
  • As many people do not use pin to lock their phone, using fingerprint may be a more acceptable solution for many people. This would be better than using no access control to the phone, as long as the user does not blindly believe that the phone’s security is absolute.

And if you would authenticate by touching your mobile device?

We are not yet there.   Nevertheless, Christian Holz and Patrick Baudisch, two German researchers seem to have made some progress towards this dream.  They designed a tabletop system with a touch screen that allows fingerprint detection.  

The magic comes from the screen material.  it uses a new fiber optical plate.  The plate is made of million highly reflective fibers.   Infra red lights is reflected back to the emitter.  When infra red lights exits the plate through skin, it reflects less light back.   Thus, an high resolution infra red camera can capture highly contrasted fingerprints.   This allows to authenticate the user who is using the touch screen.


Unfortunately, the current system requires a projector and a camera.  Thus, it is suitable for table top solution with enough room beneath the screen.   Not yet ready for small portable devices.

In any cases, it opens many interesting use cases.  They will present a paper at UIST’13.

Identity and its verification

Nicholas BOHM and Stephen MASON explore the problems of identity and to verify it (or them). as the authors are lawyers, this paper has an interesting point of view. They are fully aware(and even surprisingly accurate) of technology and security limitations.

First, they explain what an identity (or an identifier) is, and what the challenges are in our modern shrinking world. My preferred statement is

And there is an increasing tendency to confuse a person’s knowledge of an identifier with evidence that the person with the knowledge is the person to whom the identifier relates

Then, they explore the difficulty to prove the relationship between an identifier and a person. They show the limits of identification documents (intrinsic such as birth certificate, or extrinsic such as utility bill). Finally, they tackle the identity cards, more precisely electronic identity cards. They show the short-come because not every one will have a trusted reader, and especially not with general purpose devices.

Due to their background, the paper has a strong focus on liability. For instance, no Government will ever take liability for the passports it issues. This analysis of the identity problem is enlightening.

Due to this special point of view, it is recommended to read this paper. Even if you’re not interested in identity matters, the paper will be educational for the liability point of view.

N. Bohm and S. Mason, “Identity and its verification,” Computer Law & Security Review, vol. 26, Jan. 2010, pp. 43-51 available at … 011/01/bohm-mason-identity.pdf.

But(t) Authentication

No, I’m not turning my blog into a porn site. I just refer to a recent paper from FERRO M., PIOGGIA G., TOGNETTI A., CARBONARO N., and DE ROSSI D. These extremely serious Italian researchers have published “A Sensing Seat for Human Authentication“.

We know many biometrics authentications using voice, finger, palm, or iris. We had recognition through the way you walk, or the way you type. This one is recognition through the way you seat.

The seat is equipped with a set of strain sensors. These sensors show piezoresistive properties that can be turned into a digital fingerprint of the seating person. the paper describes the system, explains the measuring methods. They tested their system on 20 people over a period of 20 days in a truck simulator. The True Acceptance Rate is about 90-95%. The False Acceptance Rate was about 5%.

The researchers acknowledge that there are may parameters in the real world that may impact these rates such as movements and vibrations and changes of the human profile. A wallet in the pocket may derail the system. Too many hamburgers during a long period most probably also  :Wink:

The target is automotive industry. They foresee to couple it with face and voice recognition.

Thanks to BC for the pointer.

Cheap face recognition

I just read about KeyLemon, a company who offers face recognition based login to Windows XP for less than 40$. They have a trial version. For fun I decided to try it.

The installation was straight forward. It used my webcam. When registering for the first time, it became touchy. The software wants you to be in a given relatively precise position.

Instead of your typical login screen, you have a screen who displays what the webcam sees, and a field to possibly enter your password. Once it recognized me (after a few seconds), it logged on without any problem. Now, the funny part, let’s push slightly the limit. I registered with my glasses, because I work without them in front of my screen. When I tried with the glasses, it did not recognize me. OK, let’s do it without the glasses.

Of course, you all already though about it. I took a picture of me with the webcam and printed it on the color printer. YES!!!! It recognized my picture! That’s really bad! An easy way to impersonate.

Then, I decided to comb my hairs (those who know me will understand :Wink: ) It did not recognize me. Ouf, my picture works.

Then, I decided to train better the tool (after 20 cumulative training with glass or not, comber or not), it did perform worse. Gracefully, there was still the field to type the password in.

KeyLemon is a funny tool but not a secure tool. Don’t trust it. Interestingly, the announced advantage

Stop wasting time entering your password

I’m not sure who would win the race

Stop remembering your password

No!!! What if it does not work correctly.

The only funny feature is the lock of the computer once it does not see you anymore in front of the screen.