Could the iPhone fingerprint fake finger attack have been prevented?

Posted: 2 October 2013 | Biometrics Institute

Since the recent launch of the iPhone 5s there has been considerable attention on the successful hacking of the new Touch ID fingerprint scanner. The group that has claimed success, the Chaos Computer Club from Germany, has been involved in similar biometric attacks on different fingerprint sensors going back to at least 2004.

Biometric authentication has the potential to ease the burden of security given its simplicity and usability, particularly when compared to mobile devices with little or no protection. However, as with all security measures, it has vulnerabilities.

“This attack technique of presenting a fake biometric to a biometric sensor for identity theft or concealing one’s identity is commonly known as spoofing,” states Ted Dunstone, Chair of the Biometrics Institute Vulnerability Assessment Expert Group (BVAEG), “and such attacks are well known and studied.”

There are a number of technologies, both software and hardware, that can be used to detect such spoofing attacks. The international community is addressing this emerging area of technology through an ISO/IEC standards project to develop data interchange formats and testing principles for software and hardware used to combat biometric spoofing (called “spoof detection” or “presentation attack detection”).

“The BVAEG – a subcommittee of the independent Biometrics Institute – consists of many of the most experienced experts in this area from around the world,” says Isabelle Moeller, Chief Executive of the Biometrics Institute, “the BVAEG mission is to raise awareness of the need for vulnerability detection to be included with biometric devices, to promote standards, enhance privacy protection, performance measures and testing, and to help facilitate the dissemination of new research or findings in this area.”

“The iPhone fingerprint spoof uses a number of steps including laser printing the fingerprints in high resolution onto transparent film, etching onto a printed circuit board and using a latex material to make a fake fingerprint,” explains Tsutomu Matsumoto from Yokohama National University, a member of BVAEG, “the current attack requires the lifting and processing of a high quality latent fingerprint at high resolution in order to make a successful spoof. These factors should be considered when assessing this attack’s impact under realistic usage scenarios.”

Ralph Breithaupt from the Federal Ministry for Information Security, Germany, who is also a member of BVAEG, confirms that “all security technologies have flaws, including PINs and passwords, and when subject to a determined attack none will guarantee absolute security. Security relies not only on one factor but combines them, such as relying on a PIN and fingerprint.”

The Biometrics Institute encourages manufacturers of equipment that includes biometric sensors to be proactive in adopting spoof detection technology to maximise the chance of successfully rejecting a biometric spoof, and also recommends that government agencies and top-level decision makers be aware of the need for appropriate biometric vulnerability testing and certification as they consider both the risk and the convenience of the security mechanism(s).

The next workshop of the BVAEG will be held in Gaithersburg, USA, in late March 2014. Email Isabelle to find out more.
