How much does it cost to hack a biometric identification device: Part 1

How much does it cost to hack a biometric identification device: Part 1

A general misconception that biometric identification gives an especially high security level, due to the idea that a biometric feature can't be stolen. Well, this is part true and part untrue. As most with most questions of this kind, the security that biometry can give depends on the preparedness of the attacker, and more importantly the quality of the device in question.

It is not our aim to give a precise definition of the methods, that can be found with a little effort on the internet, moreover, under the White Hat section, we already feature multiple methodology. The main purpose is to demonstrate the possibilities and costs associated with them. The first episode features the fingerprint identification technology.

One of the most widespread and oldest technology used is fingerprint identification, and as such, the spoof for it is easily accessible. Multiple methods are available and it is practical to differentiate between them based on the sensor technology they can target. That being said, there are spoofs for both optical and capacitive sensors.

The easiest method available does not require anything but plasticine and some gelatine. However, this requires cooperation from the owner of the sample, but the copy can be made out of less than 5$, and the result achieved - of course, depending on the device - is a spectacular spoof. This is a cheap and easy solution, but the identity cannot be stolen, just copied with it.

Altough it might be unbelievable, fingerprint scanners can be spoofed with printed pictures. It shouldn't even be mentioned that the costs for this are virtually non-existent (for printing at least), the only real cost and effort associated with this method is acquiring the print itself. This is generally done with the method used in criminology (that is, the print is made visible with graphite powder). This also isn't very expensive, all that is needed is a soft brush and some graphite powder. Recently, methods where the print was stolen by photograph were demonstrated. Note, that this requires expert photo equipment and a suitable situation, so it may require a substantial investment. Also, paper copies can usually only spoof the cheapest, simplest devices.

Methods that require more substantial preparation offer greater chances for success. One of these is when one uses a photo-sensitive PCB board to cast the fake fingerprint. This can yield deeper impressions thus making the more sensitive devices recognise the fake as a legitimate finger. Although this method requires more money, the costs still top at a few 10s of dollars. Obtaining the sample can be done with the methods presented in the previous paragraph. This means that still, images are being processed, but in a more accurate way. Altogether this can pose a serious threat to advanced (but improperly configured) devices.

Summarising the above, we can say that most spoofs require more thoroughness and creativity than financial investment. The methods are easily accessed through the internet, and the ingredients can be bought in the grocery store on the corner, or - if a more serious method is used - in the nearest store that sells electronic components (or, better yet, can be purchased online).

Note, however, that as the methods are simple, they are far from infallible and unavoidable. Good spoofing protection can be achieved through selecting the proper device for a particular application and paying attention to proper configuration.