As businesses realise the importance of all aspects of IT security, more companies are looking at biometric fingerprint readers as a more secure way to control access to corporate IT systems. But how secure are the fingerprint readers commonly available today? There are always rumours doing the rounds about how easy it is to beat the security of these devices, and in some cases manufacturers advise against using them for controlling access to sensitive information.
The Information Security Group of Africa (ISGA) decided to find out just how secure biometric fingerprint readers are. We assigned an ISGA member, Frans Sauermann, CISSP, from Trispen, the task of trying to break the security of these devices.
Although only two types of readers were tested, there are various readers and methods of measuring fingerprints in use today. Most readers fall into the following categories:
Optical: Uses refraction and reflection of light. This type of reader was tested and the ISGA's expert was able to easily fool the reader.
Capacitive: Uses a grid of capacitive sensors to detect ridges in fingerprints. This was far more difficult to fool.
Thermal: Detects differentials in temperature.
Ultrasonic: Measures acoustic impedance.
RF: Uses radio frequency to detect deep ridges.
Pulse: Detects the pulse of your heartbeat.
Sauermann tested two different types of devices and, after quite a process of surreptitiously extracting a fingerprint from a victim and creating 'wobbly jelly fingers' (see below), was able to compromise both devices. He did, however, have to make about 10 attempts with his artificial finger before the reader gave him access. The verdict, therefore, is that simple readers can be bypassed, but there is a lengthy process to go through to get it right.
The process used to get a fake fingerprint was to first find a target - a person Sauermann wanted to masquerade as. He then lifted the person's fingerprint from a surface they had touched (this could even be a fingerprint reader). The image was then scanned and Photoshopped, printed and etched to create the ridges for moulding, after which the casts were made and the fake finger moulded.
While the typical optical scanners are easy to bypass, the capacitive sensors proved much harder. Of course, the more sophisticated thermal/ultrasonic/RF sensors are very difficult to get through - and naturally they cost more than your average entry-level scanner.
Biometric fingerprint readers can be fooled (the cheaper ones at least) if a hacker is patient (and desperate) enough to go through the process of obtaining a fake finger. In the real world, it would be more efficient to use social hacking techniques to learn someone's password.
Look out for more articles in this series where we will attempt to cut through the hype and provide real answers to the information security threats facing South African organisations.
About the author
Craig Rosewarne is the founder and chairman of the Information Security Group of Africa, a large volunteer group of professionals who are determined to spread security awareness and education in Africa. His website is waiting to be hacked at www.isgafrica.org
Wobbly finger ingredients
Groceries: clear tape, lighter, superglue, injections, gelatine, Tupperware, Prestick, gums, Brillo, latex gloves, crazy clay, wood glue, hummingbird, dental cast, goggles, candles, glue gun, Plasticene, transparencies, fine paper, brushes, liquid rubber.
Electronic: Capacitive and optical fingerprint readers, press and peel film, PCB, FeCl, transparent 21, graphit 33, positiv 20, kontakt 60.
Hardware: graphite dust, lye, silicone.