Page 1 of 2 12 LastLast
Results 1 to 16 of 23

Thread: Palm vein security bypassed using wax hand models

  1. #1
    HEXUS.admin
    Join Date
    Apr 2005
    Posts
    31,709
    Thanks
    0
    Thanked
    2,073 times in 719 posts

    Palm vein security bypassed using wax hand models

    Hackers could bypass both Fujitsu and Hitachi palm scanners (95 per cent of the market).
    Read more.

  2. #2
    Senior Member
    Join Date
    Aug 2016
    Posts
    3,888
    Thanks
    931
    Thanked
    971 times in 717 posts

    Re: Palm vein security bypassed using wax hand models

    I have some sympathy with Fujitsu, etc, on this, and bear in mind I'm somewhere closer to the cynic/paranoid end of the spectrum re: asoects of internet security.

    To achieve this "hack" the researchers appear to need to take photos, using a converted infra-red camera, of a user's palm.

    Maybe I'm too cynical, but I think most users not only the paranoid, might be just a bit suspicious of someone saying "stick your hand in here, palm down and open, while we take a picture" and, ummm .... decline. Firmly.

    If their hack had a way of bypassing neefing access to the user's palm, or some innocuous way of getting that, they'd hsve a point.

    But so far, all they seem to have demonstrated is a basic weakness, which is if you can get to the original biometric spurce, whatever that is (fingerprint palm, iris, whatever) AND copy it, then that biometric security is blown open.

    But they haven't.

    Yet.

  3. #3
    MCRN Tachi Ttaskmaster's Avatar
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    6,916
    Thanks
    672
    Thanked
    806 times in 668 posts
    • Ttaskmaster's system
      • Motherboard:
      • Aorus Master X670E
      • CPU:
      • Ryzen 7800X3D
      • Memory:
      • 32GB Corsair Dominator DDR5 6000MHz
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Aorus Master 4090
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Lian Li V3000 Plus
      • Operating System:
      • Win11
      • Monitor(s):
      • Gigabyte M32U
      • Internet:
      • 900Mbps Gigaclear WHOOOOOOOOOOOO!!!!!!!!

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Saracen999 View Post
    But so far, all they seem to have demonstrated is a basic weakness, which is if you can get to the original biometric spurce, whatever that is (fingerprint palm, iris, whatever) AND copy it, then that biometric security is blown open.
    Probably wouldn't take much - Fake readers, piggybacking data sources, perhaps the usual virusy-trojan things you are tricked into clicking that then install data harvesters in your computer and pass on your scans....

  4. #4
    Registered+
    Join Date
    May 2013
    Posts
    29
    Thanks
    0
    Thanked
    2 times in 2 posts

    Re: Palm vein security bypassed using wax hand models

    Once one of these systems is compromised, wouldn't you have biometric data of basically everyone using that system anyway?

    With a password you can at least try to use a different password for every place you visit. But the palm of your hand (or iris, or fingerprint) is much more difficult to change.

  5. #5
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Waswat View Post
    Once one of these systems is compromised, wouldn't you have biometric data of basically everyone using that system anyway?

    With a password you can at least try to use a different password for every place you visit. But the palm of your hand (or iris, or fingerprint) is much more difficult to change.
    Not necessarily - properly implemented, biometric systems will only store something akin to a hash of the data, from which you cannot recreate the original input. That doesn't stop someone simply lifting fingerprints or iris photographs though. Assuming these traits uniquely identify an individual for security purposes can be a fairly dangerous assumption to make for that reason. And as has been show, some rubbish implementations of e.g. fingerprint scanners can be fooled with something as simple as one printed on a piece of paper.

    Quote Originally Posted by Ttaskmaster View Post
    Probably wouldn't take much - Fake readers, piggybacking data sources, perhaps the usual virusy-trojan things you are tricked into clicking that then install data harvesters in your computer and pass on your scans....
    Again, a properly-made biometric device won't expose raw biometric data to the host computer.
    Last edited by watercooled; 01-01-2019 at 05:43 PM.

  6. #6
    Long member
    Join Date
    Apr 2008
    Posts
    2,427
    Thanks
    70
    Thanked
    404 times in 291 posts
    • philehidiot's system
      • Motherboard:
      • Father's bored
      • CPU:
      • Cockroach brain V0.1
      • Memory:
      • Innebriated, unwritten
      • Storage:
      • Big Yellow Self Storage
      • Graphics card(s):
      • Semi chewed Crayola Mega Pack
      • PSU:
      • 20KW single phase direct grid supply
      • Case:
      • Closed, Open, Cold
      • Operating System:
      • Cockroach
      • Monitor(s):
      • The mental health nurses
      • Internet:
      • Please.

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by watercooled View Post
    Not necessarily - properly implemented, biometric systems will only store something akin to a hash of the data, from which you cannot recreate the original input. That doesn't stop someone simply lifting fingerprints or iris photographs though. Assuming these traits uniquely identify an individual for security purposes can be a fairly dangerous assumption to make for that reason. And as has been show, some rubbish implementations of e.g. fingerprint scanners can be fooled with something as simple as one printed on a piece of paper.



    Again, a properly-made biometric device won't expose raw biometric data to the host computer.
    So, what you're saying is that the cake is real but we only expose it as a lie to the host so they can't re-create its deliciousness.

    Gotcha.

  7. #7
    MCRN Tachi Ttaskmaster's Avatar
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    6,916
    Thanks
    672
    Thanked
    806 times in 668 posts
    • Ttaskmaster's system
      • Motherboard:
      • Aorus Master X670E
      • CPU:
      • Ryzen 7800X3D
      • Memory:
      • 32GB Corsair Dominator DDR5 6000MHz
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Aorus Master 4090
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Lian Li V3000 Plus
      • Operating System:
      • Win11
      • Monitor(s):
      • Gigabyte M32U
      • Internet:
      • 900Mbps Gigaclear WHOOOOOOOOOOOO!!!!!!!!

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by watercooled View Post
    Again, a properly-made biometric device won't expose raw biometric data to the host computer.
    Ah, so as long as the fake reader attached to a device by the thief looking to steal your info is properly made, it won't reveal your BioData. Good to know...

  8. #8
    Senior Member
    Join Date
    Dec 2013
    Posts
    3,526
    Thanks
    504
    Thanked
    468 times in 326 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Saracen999 View Post
    Maybe I'm too cynical, but I think most users not only the paranoid, might be just a bit suspicious of someone saying "stick your hand in here, palm down and open, while we take a picture" and, ummm .... decline. Firmly.
    To be fair the article claims a picture from 5m (15ft) is sufficient, that seems like quiet a long distance, although not knowing much about photography maybe it's not, IDK.

  9. #9
    RIP Peterb ik9000's Avatar
    Join Date
    Nov 2009
    Posts
    7,699
    Thanks
    1,839
    Thanked
    1,434 times in 1,057 posts
    • ik9000's system
      • Motherboard:
      • Asus P7H55-M/USB3
      • CPU:
      • i7-870, Prolimatech Megahalems, 2x Akasa Apache 120mm
      • Memory:
      • 4x4GB Corsair Vengeance 2133 11-11-11-27
      • Storage:
      • 2x256GB Samsung 840-Pro, 1TB Seagate 7200.12, 1TB Seagate ES.2
      • Graphics card(s):
      • Gigabyte GTX 460 1GB SuperOverClocked
      • PSU:
      • NZXT Hale 90 750w
      • Case:
      • BitFenix Survivor + Bitfenix spectre LED fans, LG BluRay R/W optical drive
      • Operating System:
      • Windows 7 Professional
      • Monitor(s):
      • Dell U2414h, U2311h 1920x1080
      • Internet:
      • 200Mb/s Fibre and 4G wifi

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Corky34 View Post
    To be fair the article claims a picture from 5m (15ft) is sufficient, that seems like quiet a long distance, although not knowing much about photography maybe it's not, IDK.
    I know little about the detail theory of photography but dabble in it and even my meagre kit can take a pretty decent tele-macro image from 5m. It's all about having the right lens and enough light for a reasonably quick shutter speed to keep things sharp. If they need true macro quality it's more tricky, but not impossible SFAIK, but I imagine those palm scanners aren't mapping every wrinkle or line like a finger print, but the palm lines - which are much more visible.

    5m is not that far. 4.8-5m is the length of a standard carparking space. Not far at all.

  10. #10
    Senior Member
    Join Date
    Dec 2013
    Posts
    3,526
    Thanks
    504
    Thanked
    468 times in 326 posts

    Re: Palm vein security bypassed using wax hand models

    Yea sorry, when i said that seems like quiet a long distance it was in the context of stick your hand in here, palm down and open, while we take a picture, basically at 5m it's something that could, theoretically, be done without the target noticing.

  11. #11
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Ttaskmaster View Post
    Ah, so as long as the fake reader attached to a device by the thief looking to steal your info is properly made, it won't reveal your BioData. Good to know...
    I skipped over the bit about 'fake readers' - that's an issue of course, if you're in an environment where you cannot trust the hardware for example. The rest should be covered though, e.g. malware on the host system should not be able to access such data. Furthermore, biometric data should not be stored in its raw form anyway. Again, in a properly-implemented system, I'm making no claims about which systems meet that criteria! And nor do I have much faith that some company won't think they know better than everyone else and create their own terrible implementation.

  12. #12
    Senior Member
    Join Date
    Jul 2011
    Posts
    304
    Thanks
    113
    Thanked
    12 times in 12 posts

    Re: Palm vein security bypassed using wax hand models

    so.. the guy at the office party trying to get girls to scan their bums on the photocopier was inventing the foolproof security system he claimed they had to do it for..?

  13. #13
    Senior Member chrestomanci's Avatar
    Join Date
    Sep 2004
    Location
    Reading
    Posts
    1,614
    Thanks
    94
    Thanked
    96 times in 80 posts
    • chrestomanci's system
      • Motherboard:
      • Asus AMD AM4 Ryzen PRIME B350M
      • CPU:
      • AMD Ryzen 1600 @ stock clocks
      • Memory:
      • 16Gb DDR4 2666MHz
      • Storage:
      • 250Gb Samsung 960 Evo M.2 + 3Tb Western Digital Red
      • Graphics card(s):
      • Basic AMD GPU (OSS linux drivers)
      • PSU:
      • Novatech 500W
      • Case:
      • Silverstone Sugo SG02
      • Operating System:
      • Linux - Latest Xubuntu
      • Monitor(s):
      • BenQ 24" LCD (Thanks: DDY)
      • Internet:
      • Zen FTTC

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Saracen999 View Post
    To achieve this "hack" the researchers appear to need to take photos, using a converted infra-red camera, of a user's palm.

    Maybe I'm too cynical, but I think most users not only the paranoid, might be just a bit suspicious of someone saying "stick your hand in here, palm down and open, while we take a picture" and, ummm .... decline. Firmly.

    If their hack had a way of bypassing neefing access to the user's palm, or some innocuous way of getting that, they'd hsve a point.
    Many biometric hacks are done with the cooperation of the subject. For example in some parts of the world factory time clocks will check each worker's fingerprint as the clock in at the start of the day, so that people can't clock in their mates who are not actually there.

    This has given rise to a cottage industry that makes fake fingers that will fool the time clock. These are of course made with the full knowledge of the owner of the finger being copped, as they will be main recipient of wages for time not worked (less the kickback to their accomplice who clocks them in).

    In other words not all biometric hacks need to be stealthy to break security.

  14. #14
    MCRN Tachi Ttaskmaster's Avatar
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    6,916
    Thanks
    672
    Thanked
    806 times in 668 posts
    • Ttaskmaster's system
      • Motherboard:
      • Aorus Master X670E
      • CPU:
      • Ryzen 7800X3D
      • Memory:
      • 32GB Corsair Dominator DDR5 6000MHz
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Aorus Master 4090
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Lian Li V3000 Plus
      • Operating System:
      • Win11
      • Monitor(s):
      • Gigabyte M32U
      • Internet:
      • 900Mbps Gigaclear WHOOOOOOOOOOOO!!!!!!!!

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by watercooled View Post
    I skipped over the bit about 'fake readers' - that's an issue of course, if you're in an environment where you cannot trust the hardware for example.
    More that you're in one where it has been so widely adopted that you don't have a choice...

    Quote Originally Posted by watercooled View Post
    The rest should be covered though, e.g. malware on the host system should not be able to access such data.
    Except that, with the advent and widespread use of such tech, all the malware has to do is spoof something or otherwise trick the user into enabling such access (in the same manner that many people have their apps store passwords and auto-login), and you're away.
    Humans are always the weakest link.

    Quote Originally Posted by watercooled View Post
    Furthermore, biometric data should not be stored in its raw form anyway
    I'm predicting an episode of The Real Hustle where Jess plays a waitress and takes your glass/cutlery away, while Paul pilfers your MacBook from your bag and passes it to Alex, who has already lifted your prints off the tableware, forged every finger that touched it and is ready to simply swipe-access your personal data...

    Quote Originally Posted by watercooled View Post
    And nor do I have much faith that some company won't think they know better than everyone else and create their own terrible implementation.
    Just the one company.....?

  15. #15
    Senior Member watercooled's Avatar
    Join Date
    Jan 2009
    Posts
    11,478
    Thanks
    1,541
    Thanked
    1,029 times in 872 posts

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by Ttaskmaster View Post
    More that you're in one where it has been so widely adopted that you don't have a choice...
    Agreed, but I was speaking more about the odd malicious device being used like card skimmers for example - where people might use them not realising they're malicious. If you're suspicious of hardware you own, it's obviously a concern but that's entering the realm of targeted attacks. I'm also speaking about malicious hardware rather than plain badly made, but the same can obviously apply.

    Quote Originally Posted by Ttaskmaster View Post
    Except that, with the advent and widespread use of such tech, all the malware has to do is spoof something or otherwise trick the user into enabling such access (in the same manner that many people have their apps store passwords and auto-login), and you're away.
    Not necessarily. Again I'm referring to properly designed systems rather than something like a dumb scanner relying on the host for authentication, but in said 'proper' system, they will be designed so malware cannot act as a middleman, and such access is not something the user could grant either, it's just not the way they work. Check out stuff like secure enclave. You would have to target and breach the security of the physically separate security hardware which would be no small feat - malware on the host would be useless otherwise (as far as recovering biometric data goes anyway). Regardless of secure data stores, they won't actually store nor be capable of passing raw scan data anyway - even those secure stores would only store something like a hash of the data, and much like a SIM card, authenticate users without having to reveal any confidential data.

    It can works something like this (massively oversimplified before anyone steps in to correct me, and it's just one example of a variety of approaches):
    Host asks scanner to authenticate user over a secure channel.
    Scanner takes scan and compares scan data and compares against internal database (check how fingerprint scanners work for more information - they don't actually store a photo of the fingerprint).
    After confirming scan, the scanner e.g. encrypts a random number, provided by the host over the secure channel, with scanner's private key.
    The host receives this encrypted data and, by decrypting it with the scanner's public key, cryptographically proves it was created by the scanner, confirming it as authentic.

    As you can see, the host has nothing to do with the actual biometric data and is simply relying on the biometric scanner to give it the thumbs up or thumbs down, and relies on asymmetric encryption techniques to prove authenticity of said messages. None of the data available to the host system would be of any use to malware.

  16. #16
    MCRN Tachi Ttaskmaster's Avatar
    Join Date
    Nov 2013
    Location
    Reading, UK
    Posts
    6,916
    Thanks
    672
    Thanked
    806 times in 668 posts
    • Ttaskmaster's system
      • Motherboard:
      • Aorus Master X670E
      • CPU:
      • Ryzen 7800X3D
      • Memory:
      • 32GB Corsair Dominator DDR5 6000MHz
      • Storage:
      • Samsung Evo 120GB and Seagate Baracuda 2TB
      • Graphics card(s):
      • Aorus Master 4090
      • PSU:
      • EVGA Supernova G2 1000W
      • Case:
      • Lian Li V3000 Plus
      • Operating System:
      • Win11
      • Monitor(s):
      • Gigabyte M32U
      • Internet:
      • 900Mbps Gigaclear WHOOOOOOOOOOOO!!!!!!!!

    Re: Palm vein security bypassed using wax hand models

    Quote Originally Posted by watercooled View Post
    Agreed, but I was speaking more about the odd malicious device being used like card skimmers for example
    So was I, in that they'd be less odd and more common as the technology sees wider use. Case in point, the fake cash dispensers that get you to put your card in and enter your PIN before simply pretending they're out of cash.

    Quote Originally Posted by watercooled View Post
    You would have to target and breach the security of the physically separate security hardware which would be no small feat
    If there is any form of communication between host and scanner, I would assume that's a possible route of compromise?
    Failing that (or adding to it), some sort of interception where the host sends out an authentication request, the malware intercepts it and pings back a signal saying, "Uhh, everything's perfectly all right now. We're fine. We're all fine here... now... thank-you... How are you? "?

    So in other words, not needing the acual scanner data, just to make the host (or app) think it's gotten the OK from the scanner.

    Quote Originally Posted by watercooled View Post
    None of the data available to the host system would be of any use to malware.
    There must be a decryption key at the host end or something the malware can use?

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •