
Thread: Palm vein security bypassed using wax hand models

  1. #1
    HEXUS.admin
    Join Date
    Apr 2005
    Posts
    31,709
    Thanks
    0
    Thanked
    2,073 times in 719 posts

    Palm vein security bypassed using wax hand models

    Hackers could bypass both Fujitsu and Hitachi palm scanners (95 per cent of the market).
    Read more.

  2. #2
    Senior Member
    Join Date
    Aug 2016
    Posts
    4,013
    Thanks
    939
    Thanked
    1,018 times in 731 posts

    Re: Palm vein security bypassed using wax hand models

    I have some sympathy with Fujitsu, etc, on this, and bear in mind I'm somewhere closer to the cynic/paranoid end of the spectrum re: aspects of internet security.

    To achieve this "hack" the researchers appear to need to take photos, using a converted infra-red camera, of a user's palm.

    Maybe I'm too cynical, but I think most users, not only the paranoid, might be just a bit suspicious of someone saying "stick your hand in here, palm down and open, while we take a picture" and, ummm .... decline. Firmly.

    If their hack had a way of bypassing needing access to the user's palm, or some innocuous way of getting that, they'd have a point.

    But so far, all they seem to have demonstrated is a basic weakness, which is if you can get to the original biometric source, whatever that is (fingerprint, palm, iris, whatever) AND copy it, then that biometric security is blown open.

    But they haven't.

    Yet.

  3. #3
    MCRN Tachi Ttaskmaster
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    6,941
    Thanks
    699
    Thanked
    811 times in 673 posts
    • Ttaskmaster's system
      • Motherboard:
      • Aorus Master X670E
      • CPU:
      • Ryzen 7800X3D
      • Memory:
      • 32GB Corsair Dominator DDR5 6000MHz
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Aorus Master 4090
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Lian Li V3000 Plus
      • Operating System:
      • Win11
      • Monitor(s):
      • Gigabyte M32U
      • Internet:
      • 900Mbps Gigaclear WHOOOOOOOOOOOO!!!!!!!!

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Saracen999
    But so far, all they seem to have demonstrated is a basic weakness, which is if you can get to the original biometric source, whatever that is (fingerprint, palm, iris, whatever) AND copy it, then that biometric security is blown open.
    Probably wouldn't take much - Fake readers, piggybacking data sources, perhaps the usual virusy-trojan things you are tricked into clicking that then install data harvesters in your computer and pass on your scans....

  4. #4
    Registered+
    Join Date
    May 2013
    Posts
    29
    Thanks
    0
    Thanked
    2 times in 2 posts

    Re: Palm vein security bypassed using wax hand models

    Once one of these systems is compromised, wouldn't you have biometric data of basically everyone using that system anyway?

    With a password you can at least try to use a different password for every place you visit. But the palm of your hand (or iris, or fingerprint) is much more difficult to change.

  5. #5
    Senior Member watercooled
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Waswat
    Once one of these systems is compromised, wouldn't you have biometric data of basically everyone using that system anyway?

    With a password you can at least try to use a different password for every place you visit. But the palm of your hand (or iris, or fingerprint) is much more difficult to change.
    Not necessarily - properly implemented, biometric systems will only store something akin to a hash of the data, from which you cannot recreate the original input. That doesn't stop someone simply lifting fingerprints or iris photographs though. Assuming these traits uniquely identify an individual for security purposes can be a fairly dangerous assumption to make for that reason. And as has been shown, some rubbish implementations of e.g. fingerprint scanners can be fooled with something as simple as one printed on a piece of paper.

    Quote Originally Posted by Ttaskmaster
    Probably wouldn't take much - Fake readers, piggybacking data sources, perhaps the usual virusy-trojan things you are tricked into clicking that then install data harvesters in your computer and pass on your scans....
    Again, a properly-made biometric device won't expose raw biometric data to the host computer.
    Last edited by watercooled; 01-01-2019 at 05:43 PM.

  6. #6
    Long member
    Join Date
    Apr 2008
    Posts
    2,427
    Thanks
    70
    Thanked
    404 times in 291 posts
    • philehidiot's system
      • Motherboard:
      • Father's bored
      • CPU:
      • Cockroach brain V0.1
      • Memory:
      • Inebriated, unwritten
      • Storage:
      • Big Yellow Self Storage
      • Graphics card(s):
      • Semi chewed Crayola Mega Pack
      • PSU:
      • 20KW single phase direct grid supply
      • Case:
      • Closed, Open, Cold
      • Operating System:
      • Cockroach
      • Monitor(s):
      • The mental health nurses
      • Internet:
      • Please.

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by watercooled
    Not necessarily - properly implemented, biometric systems will only store something akin to a hash of the data, from which you cannot recreate the original input. That doesn't stop someone simply lifting fingerprints or iris photographs though. Assuming these traits uniquely identify an individual for security purposes can be a fairly dangerous assumption to make for that reason. And as has been shown, some rubbish implementations of e.g. fingerprint scanners can be fooled with something as simple as one printed on a piece of paper.

    Again, a properly-made biometric device won't expose raw biometric data to the host computer.
    So, what you're saying is that the cake is real but we only expose it as a lie to the host so they can't re-create its deliciousness.

    Gotcha.

  7. #7
    MCRN Tachi Ttaskmaster
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    6,941
    Thanks
    699
    Thanked
    811 times in 673 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by watercooled
    Again, a properly-made biometric device won't expose raw biometric data to the host computer.
    Ah, so as long as the fake reader attached to a device by the thief looking to steal your info is properly made, it won't reveal your BioData. Good to know...

  8. #8
    Senior Member
    Join Date
    Dec 2013
    Posts
    3,526
    Thanks
    504
    Thanked
    468 times in 326 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Saracen999
    Maybe I'm too cynical, but I think most users, not only the paranoid, might be just a bit suspicious of someone saying "stick your hand in here, palm down and open, while we take a picture" and, ummm .... decline. Firmly.
    To be fair the article claims a picture from 5m (15ft) is sufficient, that seems like quite a long distance, although not knowing much about photography maybe it's not, IDK.

  9. #9
    RIP Peterb ik9000
    Join Date
    Nov 2009
    Posts
    7,741
    Thanks
    1,849
    Thanked
    1,442 times in 1,065 posts
    • ik9000's system
      • Motherboard:
      • Asus P7H55-M/USB3
      • CPU:
      • i7-870, Prolimatech Megahalems, 2x Akasa Apache 120mm
      • Memory:
      • 4x4GB Corsair Vengeance 2133 11-11-11-27
      • Storage:
      • 2x256GB Samsung 840-Pro, 1TB Seagate 7200.12, 1TB Seagate ES.2
      • Graphics card(s):
      • Gigabyte GTX 460 1GB SuperOverClocked
      • PSU:
      • NZXT Hale 90 750w
      • Case:
      • BitFenix Survivor + Bitfenix spectre LED fans, LG BluRay R/W optical drive
      • Operating System:
      • Windows 7 Professional
      • Monitor(s):
      • Dell U2414h, U2311h 1920x1080
      • Internet:
      • 200Mb/s Fibre and 4G wifi

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Corky34
    To be fair the article claims a picture from 5m (15ft) is sufficient, that seems like quite a long distance, although not knowing much about photography maybe it's not, IDK.
    I know little about the detailed theory of photography but dabble in it and even my meagre kit can take a pretty decent tele-macro image from 5m. It's all about having the right lens and enough light for a reasonably quick shutter speed to keep things sharp. If they need true macro quality it's more tricky, but not impossible SFAIK, but I imagine those palm scanners aren't mapping every wrinkle or line like a fingerprint, but the palm lines - which are much more visible.

    5m is not that far. 4.8-5m is the length of a standard car parking space. Not far at all.

  10. #10
    Senior Member
    Join Date
    Dec 2013
    Posts
    3,526
    Thanks
    504
    Thanked
    468 times in 326 posts

    Re: Palm vein security bypassed using wax hand models

    Yeah sorry, when I said "that seems like quite a long distance" it was in the context of "stick your hand in here, palm down and open, while we take a picture"; basically, at 5m it's something that could, theoretically, be done without the target noticing.

  11. #11
    Senior Member watercooled
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Ttaskmaster
    Ah, so as long as the fake reader attached to a device by the thief looking to steal your info is properly made, it won't reveal your BioData. Good to know...
    I skipped over the bit about 'fake readers' - that's an issue of course, if you're in an environment where you cannot trust the hardware for example. The rest should be covered though, e.g. malware on the host system should not be able to access such data. Furthermore, biometric data should not be stored in its raw form anyway. Again, in a properly-implemented system; I'm making no claims about which systems meet those criteria! And nor do I have much faith that some company won't think they know better than everyone else and create their own terrible implementation.

  12. #12
    Senior Member
    Join Date
    Jul 2011
    Posts
    304
    Thanks
    113
    Thanked
    12 times in 12 posts

    Re: Palm vein security bypassed using wax hand models

    so.. the guy at the office party trying to get girls to scan their bums on the photocopier was inventing the foolproof security system he claimed they had to do it for..?

  13. #13
    Senior Member chrestomanci
    Join Date
    Sep 2004
    Location
    Reading
    Posts
    1,614
    Thanks
    94
    Thanked
    96 times in 80 posts
    • chrestomanci's system
      • Motherboard:
      • Asus AMD AM4 Ryzen PRIME B350M
      • CPU:
      • AMD Ryzen 1600 @ stock clocks
      • Memory:
      • 16Gb DDR4 2666MHz
      • Storage:
      • 250Gb Samsung 960 Evo M.2 + 3Tb Western Digital Red
      • Graphics card(s):
      • Basic AMD GPU (OSS linux drivers)
      • PSU:
      • Novatech 500W
      • Case:
      • Silverstone Sugo SG02
      • Operating System:
      • Linux - Latest Xubuntu
      • Monitor(s):
      • BenQ 24" LCD (Thanks: DDY)
      • Internet:
      • Zen FTTC

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Saracen999
    To achieve this "hack" the researchers appear to need to take photos, using a converted infra-red camera, of a user's palm.

    Maybe I'm too cynical, but I think most users, not only the paranoid, might be just a bit suspicious of someone saying "stick your hand in here, palm down and open, while we take a picture" and, ummm .... decline. Firmly.

    If their hack had a way of bypassing needing access to the user's palm, or some innocuous way of getting that, they'd have a point.
    Many biometric hacks are done with the cooperation of the subject. For example, in some parts of the world factory time clocks will check each worker's fingerprint as they clock in at the start of the day, so that people can't clock in their mates who are not actually there.

    This has given rise to a cottage industry that makes fake fingers that will fool the time clock. These are of course made with the full knowledge of the owner of the finger being copied, as they will be the main recipient of wages for time not worked (less the kickback to their accomplice who clocks them in).

    In other words, not all biometric hacks need to be stealthy to break security.

  14. #14
    MCRN Tachi Ttaskmaster
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    6,941
    Thanks
    699
    Thanked
    811 times in 673 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by watercooled
    I skipped over the bit about 'fake readers' - that's an issue of course, if you're in an environment where you cannot trust the hardware for example.
    More that you're in one where it has been so widely adopted that you don't have a choice...

    Quote Originally Posted by watercooled
    The rest should be covered though, e.g. malware on the host system should not be able to access such data.
    Except that, with the advent and widespread use of such tech, all the malware has to do is spoof something or otherwise trick the user into enabling such access (in the same manner that many people have their apps store passwords and auto-login), and you're away.
    Humans are always the weakest link.

    Quote Originally Posted by watercooled
    Furthermore, biometric data should not be stored in its raw form anyway.
    I'm predicting an episode of The Real Hustle where Jess plays a waitress and takes your glass/cutlery away, while Paul pilfers your MacBook from your bag and passes it to Alex, who has already lifted your prints off the tableware, forged every finger that touched it and is ready to simply swipe-access your personal data...

    Quote Originally Posted by watercooled
    And nor do I have much faith that some company won't think they know better than everyone else and create their own terrible implementation.
    Just the one company.....?

  15. #15
    Senior Member watercooled
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Ttaskmaster
    More that you're in one where it has been so widely adopted that you don't have a choice...
    Agreed, but I was speaking more about the odd malicious device being used like card skimmers for example - where people might use them not realising they're malicious. If you're suspicious of hardware you own, it's obviously a concern but that's entering the realm of targeted attacks. I'm also speaking about malicious hardware rather than plain badly made, but the same can obviously apply.

    Quote Originally Posted by Ttaskmaster
    Except that, with the advent and widespread use of such tech, all the malware has to do is spoof something or otherwise trick the user into enabling such access (in the same manner that many people have their apps store passwords and auto-login), and you're away.
    Not necessarily. Again I'm referring to properly designed systems rather than something like a dumb scanner relying on the host for authentication, but in said 'proper' system, they will be designed so malware cannot act as a middleman, and such access is not something the user could grant either, it's just not the way they work. Check out stuff like secure enclave. You would have to target and breach the security of the physically separate security hardware which would be no small feat - malware on the host would be useless otherwise (as far as recovering biometric data goes anyway). Regardless of secure data stores, they won't actually store nor be capable of passing raw scan data anyway - even those secure stores would only store something like a hash of the data, and much like a SIM card, authenticate users without having to reveal any confidential data.

    It can work something like this (massively oversimplified before anyone steps in to correct me, and it's just one example of a variety of approaches):
    Host asks scanner to authenticate user over a secure channel.
    Scanner takes a scan and compares the scan data against its internal database (check how fingerprint scanners work for more information - they don't actually store a photo of the fingerprint).
    After confirming the scan, the scanner e.g. encrypts a random number, provided by the host over the secure channel, with the scanner's private key.
    The host receives this encrypted data and, by decrypting it with the scanner's public key, cryptographically proves it was created by the scanner, confirming it as authentic.

    As you can see, the host has nothing to do with the actual biometric data and is simply relying on the biometric scanner to give it the thumbs up or thumbs down, and relies on asymmetric encryption techniques to prove authenticity of said messages. None of the data available to the host system would be of any use to malware.
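
    The exchange this post sketches, as an added example in Go (not the poster's code, nor any Fujitsu or Hitachi implementation): the "encrypt a random number with the scanner's private key" step is modelled as an Ed25519 signature over the nonce plus the verdict, the Scanner, Host, Response and Demo names are assumptions, and the match verdict is a constructed input rather than a real template comparison. Demo also runs the two worries raised in the reply below, a replayed "everything's fine" message and an "OK" forged by host-side code, and shows the host rejecting both because it holds only the public key and a single-use nonce.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
)

// Scanner stands in for the separate biometric hardware: its private key and its
// match decision never leave it (the verdict handed to Respond is a constructed input).
type Scanner struct{ priv ed25519.PrivateKey }

// Response is all that crosses the channel to the host.
type Response struct {
	Nonce  []byte // echo of the host's challenge
	Result byte   // 1 = match, 0 = no match
	Sig    []byte // Ed25519 signature over Nonce||Result
}

// Host holds only the scanner's public key and its one outstanding challenge.
type Host struct{ pub ed25519.PublicKey; pending []byte }

func NewScanner() (*Scanner, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Scanner{priv}, pub
}

// Challenge issues a fresh random nonce; a new one per session is what defeats a replayed "OK".
func (h *Host) Challenge() []byte {
	h.pending = make([]byte, 32)
	if _, err := rand.Read(h.pending); err != nil {
		panic(err)
	}
	return h.pending
}

// Respond binds the scanner's verdict to this challenge and signs the pair.
func (s *Scanner) Respond(nonce []byte, result byte) Response {
	return Response{nonce, result, ed25519.Sign(s.priv, append(append([]byte{}, nonce...), result))}
}

// Verify accepts only a "match" that echoes the live nonce and verifies under the scanner's key.
func (h *Host) Verify(r Response) bool {
	fresh := h.pending != nil && bytes.Equal(r.Nonce, h.pending) // rejects stale, replayed or unsolicited
	h.pending = nil                                              // single use, even when rejected
	return fresh && ed25519.Verify(h.pub, append(append([]byte{}, r.Nonce...), r.Result), r.Sig) && r.Result == 1
}

// Demo: a genuine match, the same captured "OK" replayed against a new challenge, and an "OK"
// forged with a key the host does not trust. Expected: true, false, false.
func Demo() (honest, replayed, forged bool) {
	sc, pub := NewScanner()
	impostor, _ := NewScanner()
	h := &Host{pub: pub}
	ok := sc.Respond(h.Challenge(), 1)
	honest = h.Verify(ok)
	h.Challenge()
	replayed = h.Verify(ok)
	forged = h.Verify(impostor.Respond(h.Challenge(), 1))
	return
}
```

    Nothing the host keeps (public key, spent nonce) lets host-side code mint a valid "match" on its own; it can still lie to the application layered above it, which is a separate trust boundary.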

  16. #16
    MCRN Tachi Ttaskmaster
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    6,941
    Thanks
    699
    Thanked
    811 times in 673 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by watercooled
    Agreed, but I was speaking more about the odd malicious device being used like card skimmers for example
    So was I, in that they'd be less odd and more common as the technology sees wider use. Case in point, the fake cash dispensers that get you to put your card in and enter your PIN before simply pretending they're out of cash.

    Quote Originally Posted by watercooled
    You would have to target and breach the security of the physically separate security hardware which would be no small feat
    If there is any form of communication between host and scanner, I would assume that's a possible route of compromise?
    Failing that (or adding to it), some sort of interception where the host sends out an authentication request, the malware intercepts it and pings back a signal saying, "Uhh, everything's perfectly all right now. We're fine. We're all fine here... now... thank-you... How are you? "?

    So in other words, not needing the actual scanner data, just to make the host (or app) think it's gotten the OK from the scanner.

    Quote Originally Posted by watercooled
    None of the data available to the host system would be of any use to malware.
    There must be a decryption key at the host end or something the malware can use?
