
Defending Biometric Security

Biometric exploits are here. Basic overview of attack vectors and how to confront these attacks and harden your biometric-secured systems.

Published in: Technology

  1. 1. Defending Biometric Security Identity Locker Ned Hayes, Founder @nedworking / ned@identity-locker.com ™
  2. 2. Biometric Exploits are Here
  3. 3. Biometric Exploits are Here • Biometric exploits are here now, and they can be pervasive
  4. 4. Biometric Exploits are Here • Biometric exploits are here now, and they can be pervasive The Threats to Biometric Security
  5. 5. Identity Locker Biometric Exploits
  6. 6. Biometric Exploits • Fingerprints • Facial Recognition • Iris Scans
  7. 7. Fingerprints on Device Just asking to be broken: • Insecure storage on device Insecure storage in cloud • On-device enclave easily hacked / not encrypted
  8. 8. Basic Exploit that actually works (on some Android phones) • Asdf • Etched PCB & Aluminum Foil (Starbug) • asdf
  9. 9. How to Hack Fingerprints • Asdf • Etched PCB & Aluminum Foil (Starbug) • asdf
  10. 10. Update on Fingerprints The Big Exploit (2018) • Deep Master Print – Philip Bontrager & Academic Team at NYU • A machine-learning-driven exploit that analyzed a number of fingerprints in order to build a 3D model fingerprint that matches a large portion of the fingers used for secure login on devices today.
  11. 11. Facial Recognition Exploits • Facial scans work by matching characteristics of a face to a template enrolled in a DB. Basic “blocks” on face recognizers are known: • Adding obfuscation and visual confusion • Even wearing a hat and sunglasses can muck up a facial scan • Downside of most facial “obfuscation” hacks is that they can be recognized by other human beings More advanced exploits to fake the results: • Machine learning derived fake faces • AI-driven creation of face from multiple angles • 3D printing of 3D faces, with fake liveness (hard to do, but academics have proven it’s doable)
  12. 12. How to Stop a Facial Scan: Obfuscation
  13. 13. Evolution of Facial Recog Exploits * * Original work by Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose Department of Computer Science, University of North Carolina at Chapel Hill USENIX Security
  14. 14. Evolution of Facial Recog Exploits * * Original work by Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose Department of Computer Science, University of North Carolina at Chapel Hill USENIX Security
  15. 15. Evolution of Facial Recog Exploits * * Original work by Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose Department of Computer Science, University of North Carolina at Chapel Hill USENIX Security
  16. 16. How to Fake a Facial Scan: 3D Heads • Reproduction of Facial Recog Areas only (higher fidelity)
  17. 17. Iris Scan Exploits • Iris scans appear to be highly secure, because they scan a unique body part under high resolution. However, they can be hacked: • A contact lens can fake an iris • Upload of an infrared scan of a person’s face (no access to reference data, instead, just an infrared scan of an eye at high resolution) • Requires technical expertise • Newer hacks require a scan of the iris – hack of reference data
  18. 18. Iris Scan Exploits • Examples: Eye spy. “Hacker beats Galaxy S8 iris scanner using an IR image and a contact lens”, by Chaim Gartenberg (@cgartenberg), May 23, 2017, 10:37am EDT (Tech, Samsung, Cybersecurity): Based on name alone, the futuristic iris-scanning feature on the Galaxy S8 sounds like it would be the most secure way to lock your phone. Hacker Jan Krissler, who goes by the name Starbug, shows in a recent video that, despite the impressive technology in unlocking your phone with your eyes, the security system can be beaten with a relatively low-tech hack. As the video shows, Starbug is able to take an infrared picture of a person’s face using the night mode setting on a regular point and shoot camera. Print it out on an ordinary laser printer and it fools the camera by placing a contact lens over the image to give it the appearance of an actual human eye. While it certainly is a little more effort than, say, • “Hacker Finds a Simple Way to Fool IRIS Biometric Security Systems”, March 06, 2015, Swati Khandelwal: Biometric security systems that involve person's unique identification (ID), such as Retinal, IRIS, Fingerprint or DNA, are still evolving to change our lives for the better even though the biometric scanning technology still has many concerns such as information privacy, and physical privacy. In past years, Fingerprint security system (https://thehackernews.com/2013/09/finally-iphones-fingerprint-scanner.html), which is widely used in different applications such as smartphones and judicial systems to record users' information and verify person's identity, were bypassed several times by various security researchers, and now, IRIS scanner claimed to be defeated.
  19. 19. Veins / Palm Exploits • Vein / Palm scans were thought to be a highly secure alternative to fingerprints • Turns out that these can be hacked as well (with reference data)
  20. 20. Veins/ Palms Exploits
  21. 21. Identity Locker Attack Vectors for Biometrics
  22. 22. Biometric Identity Processing System • Input Data (1) • Input Data (1a) • Reference Data (1b) • Sensor (2) • Software (3) • Matcher • Threshold [Diagram: Input Data, Sensor, Software, Preprocessing, Matching, Database] Structure of this system originally outlined in this format by Starbug, 2014
  23. 23. 3 Types of Attacks • Attack the Input Data (1) • Input Data (1a) • Reference Data (1b) • Attack using the Sensor (2) • Attack the Software (3) • Matcher • Threshold [Diagram: Input Data, Sensor, Software, Preprocessing, Matching, Database]
  24. 24. 1. Attack Via Input Data • Attack the Input Data (1) • Input Data (1a) • Most Common Attack Vector: Easiest and most accessible vulnerability • Reference Data (1b) • No Attacks recently directly along this vector • But high-fidelity hacks require access to cracked original Reference data [Diagram: Input Data, Sensor, Software, Database, Reference Data]
  25. 25. 2. Attack Via Sensor • Attack the Input Data (1) • Input Data (1a) • Reference Data (1b) • Attack using the Sensor (2) [Diagram: Input Data, Sensor, Software, Preprocessing, Database]
  26. 26. 3. Attack Via Software • Attack the Input Data (1) • Input Data (1a) • Reference Data (1b) • Attack using the Sensor (2) • Attack the Software (3) • Matcher • Threshold [Diagram: Input Data, Sensor, Software, Preprocessing, Matching, Database]
  27. 27. Identity Locker Defending Against Biometric Hacks
  28. 28. Multi-factor authentication • NIRVANA: Multiple biometrics + Identity Face match / PIV-I card check validation by an in-person check with actual human (military grade) • BETTER FOR BUSINESS: Multi-factor authentication which includes but does not privilege biometrics – treats data knowledge as equivalent • Multiple biometrics + PIN/Login / Passcode • PRETTY GOOD SECURITY: Multi-factor biometric security which occurs simultaneously (pretty hard to hack all in sync) • Fingerprints + Facial Recognition + Iris + Audio Recognition • Note: Requires enrollment/login stations capable of handling multiple biometrics [Graphic labels: BEST, BETTER, GOOD]
  29. 29. High fidelity / Multi-finger enrollment • Most fingerprint systems (on device) only collect and store a few millimeters of a fingertip. • This small sample set is relatively easy to replicate and use in a hack. • To prevent this hack, use a higher fidelity enrollment system that enrolls more area of the finger and more fingers on each hand. [Comparison figure] Collect much more data, match on many more points
  30. 30. Facial Recognition • Facial recognition systems also operate off a limited template • Adding complexity to the input is useful: ensure you are capturing not only the front of the face, but also the side, the back, and as much movement as possible • Add liveness detection + multi-angles • Collect much more data, match on many more points [Comparison figure]
  31. 31. How to Prevent 3 Types of Attacks • Complicate/Harden the Input Data (1) • Provide Observation of Sensor (2) • Harden the Software (3) [Diagram: Input Data, Sensor, Software, Preprocessing, Matching, Database]
  32. 32. 1. Harden/Complicate Input Data • Complicate/Harden the Input Data (1) • Input Data (1a) [Diagram: Input Data, Sensor, Software, Database]
  33. 33. 1. Harden/Complicate Input Data • Complicate/Harden the Input Data (1) • Input Data (1a) • Add multiple biometrics that login simultaneously (not sequentially) • Require higher fidelity enrollment and more data from each biometric • Add more minutiae as input data [Diagram: Input Data, Input Data +, Sensor, Software, Database]
  34. 34. 2. Add Observation of Sensor • Complicate/Harden the Input Data (1) • Provide Observation of Sensor (2) • IDEAL – IN PERSON: Have an actual person observe both enrollments and login (this can be done remotely & off-shore) • RANDOM SCREENS: Randomly audit logins with human observation • AI OBSERVATION: Add layer of observational video and AI to check humans at the enrollment station and actions at station. Check multiple signifiers of actual human activity (voice, movement, approach to station, etc.) [Diagram: Input Data, Sensor, Software, Database]
  35. 35. 2. Add Observation of Sensor • Complicate/Harden the Input Data (1) • Provide Observation of Sensor (2) • IDEAL – IN PERSON: Have an actual person observe both enrollments and login (this can be done remotely & off-shore) • RANDOM SCREENS: Randomly audit logins with human observation • AI OBSERVATION: Add layer of observational video and AI to check humans at the enrollment station and actions at station. Check multiple signifiers of actual human activity (voice, movement, approach to station, etc.) [Diagram: Input Data, Sensor, Software, Database]
  36. 36. 3. Harden the Software • Complicate/Harden the Input Data (1) • Communication Data (1a) • Reference Data (1b) • Provide Observation of Sensor (2) • Harden the Software (3) • THRESHOLD: ideal to raise threshold to accommodate high fidelity logins (adds enrollment and login time obviating some reasons to use biometrics in the first place) • PROCESSING: use hardened pre-processing with templates that provide encrypted matching algorithms / store templates securely • MULTI-FACTOR MATCHING: Match against multiple biometrics simultaneously, not just one input at a time. [Diagram: Input Data, Sensor, Software, Preprocessing, Matching, Database]
  37. 37. 3. Harden the Software • Complicate/Harden the Input Data (1) • Communication Data (1a) • Reference Data (1b) • Provide Observation of Sensor (2) • Harden the Software (3) • THRESHOLD: ideal to raise threshold to accommodate high fidelity logins (adds enrollment and login time obviating some reasons to use biometrics in the first place) • PROCESSING: use hardened pre-processing with templates that provide encrypted matching algorithms / store templates securely • MULTI-FACTOR MATCHING: Match against multiple biometrics simultaneously, not just one input at a time. [Diagram: Input Data, Sensor, Software, Preprocessing, multiple Matching blocks, Database]
  38. 38. A Hardened Biometrics System More complicated, but much more secure • Complicate/Harden the Input Data (1) • Includes multiple bio inputs • Enroll at higher fidelity / more minutiae • Provide Observation of Sensor (2) • Includes observational data (actual human ideal) • Harden the Software (3) • Higher threshold for enrollment/login • Includes encrypted template DB • Includes multi-factor matching [Diagram: Input Data, Sensor, Software, Preprocessing, multiple Matching blocks, Database]
  39. 39. Defending Biometric Security Identity Locker Ned Hayes, Founder @nedworking / ned@identity-locker.com ™
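
An added example, not taken from the slides, of the "THRESHOLD" and "MULTI-FACTOR MATCHING" points on slides 36 to 38: every required biometric must clear its own threshold, and all captures must arrive within one short window rather than sequentially. The modality names, threshold values, 2-second window and sample scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed values for illustration: similarity scores in [0, 1], one threshold
# per modality, and a 2-second window that defines "simultaneous".
THRESHOLDS = {"fingerprint": 0.90, "face": 0.85, "iris": 0.92}
MAX_SKEW_SECONDS = 2.0


@dataclass(frozen=True)
class Capture:
    modality: str       # which biometric produced this score
    score: float        # similarity reported by that modality's matcher
    captured_at: float  # station clock, in seconds


def decide(captures, required=THRESHOLDS, max_skew=MAX_SKEW_SECONDS):
    """AND-rule fusion: accept only if every required modality is present
    exactly once, clears its own threshold, and all captures share one window."""
    reasons, seen = [], {}
    for c in captures:
        if c.modality not in required:
            continue  # ignore modalities the policy does not ask for
        if c.modality in seen:
            reasons.append(f"duplicate capture: {c.modality}")
        seen[c.modality] = c
    for modality, threshold in required.items():
        if modality not in seen:
            reasons.append(f"missing modality: {modality}")
        elif seen[modality].score < threshold:
            reasons.append(f"{modality} below threshold")
    times = [c.captured_at for c in seen.values()]
    if times and max(times) - min(times) > max_skew:
        reasons.append("captures not simultaneous")
    return (not reasons, reasons)


def combined_far(per_modality_far):
    """False-accept rate of the AND rule if modalities fail independently."""
    result = 1.0
    for far in per_modality_far:
        result *= far
    return result


# Constructed sample: a strong fingerprint match alone does not pass.
SPOOF = [Capture("fingerprint", 0.97, 10.0), Capture("face", 0.40, 10.4),
         Capture("iris", 0.95, 10.9)]
if __name__ == "__main__":
    print(decide(SPOOF))
```

The multiplication in `combined_far` holds only under the independence assumption; the same AND rule also raises the false-reject rate, which is the enrollment and login cost slide 36 mentions.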
