Much ado about nothing

July 2014 Access Control & Identity Management

Attribution: Some rights reserved by Leszek 
Leszczynski via Flickr Creative Commons (<a href="https://www.flickr.com/photos/leszekleszczynski/" target="_blank">https://www.flickr.com/photos/leszekleszczynski/</a>).
Attribution: Some rights reserved by Leszek Leszczynski via Flickr Creative Commons (https://www.flickr.com/photos/leszekleszczynski/).

Reports in online media over the last few weeks that Germany’s Security Research Labs (SRLabs) has been able to crack the much-hyped biometric fingerprint scanner on the Samsung S5 mobile phone have created quite a stir within cyberspace. Mobile phone aficionados, security experts, members of academia, journalists and bored keyboard ninjas have been atwitter about this development, especially after the marketing efforts emphasising the security benefits of the S5.

This dèbâcle followed hot on the heels of a similar security vulnerability in the Apple iPhone 5s biometric fingerprint scanner identified by the Chaos Computer Club in September 2013, leading to vociferous condemnations of fingerprint biometrics as a security feature in the mobile device market.

The concept is a simple one: the fingerprint biometric scanner is bypassed by manufacturing a fake fingerprint. This is achieved by obtaining an image of the real fingerprint and using a garden-variety wood glue as filler. A life-like copy of the real fingerprint is created that is in turn recognised by the on-board fingerprint scanner. I personally would have used bathroom silicone and hot candle wax as it is easier to manipulate. A YouTube video is available that explains the steps to achieve the desired effect. This serves as proof that fingerprint biometrics are not a secure technology for mobile device applications, or any other application for that matter, if one reads between the lines.

No doubt that if you have a friend that owns at least one pocket protector, and you are unlucky enough to own either a Samsung S5 or iPhone 5s, you will shortly have to endure either a mini lecture or a demonstration of how easy it is to bypass your phone’s biometric security feature.

This of course is much ado about nothing and is purely a backlash to the hype that Samsung placed on the S5’s ability to utilise fingerprints as an added security feature for its mobile device.

Fingerprint insecurity

Practitioners of biometrics are not surprised by the news. Fake or spoof fingerprints have been a nuisance for as long as fingerprint biometric devices have been commercially available. The TV Series Mythbusters, for instance, filmed a whole segment on bypassing a fingerprint biometric device using a spoof fingerprint. This segment is also available on YouTube. In fact, if one knows what to look for, there are approximately 4000 YouTube videos available on the subjects of manufacturing spoof fingerprints and bypassing biometric fingerprint devices. The availability of this quantity of videos, coupled with the doubts expressed by all and sundry, should then indicate that fingerprint biometrics are unsecure and even downright dangerous. Right? Wrong!

Biometric researchers and manufacturers have been aware of the spoof fingerprint phenomenon since day one and have taken the appropriate steps to ensure that their devices are as immune as possible to spoof fingerprints. As with everything in life, there is a cost involved in any technology and fake fingerprint technology is no different. You get what you pay for and if you want to buy cheap, chances are you are not going to get what you expect out of the device. Susceptibility to fake fingerprints being right at the top of that list.

Some of the better known and widely used biometric devices available today still lack a basic implementation of fake fingerprint detection technology to safeguard the end-user against spoof fingerprints. This is simply due to cost considerations and the connected profitability impact of deploying these technologies. This is bad form and places the whole industry at risk as the Samsung/Apple dèbâcle has shown.

Don’t get me wrong, Samsung and Apple are not cheap products by any stretch of the imagination. The pure quantities of these products sold on an annual basis tells one that they are quality products packed with useful features. Unfortunately too much was made of an added security feature that many decided is the Achilles heel of these devices. This weakness was then used to knock them off their perches. Unfortunately, the knock-on effect is the perception that all fingerprint biometrics are not secure, which is erroneous.

Fashionable fail

One can only speculate about the reasons why fake fingerprint technology was not included in the on-board fingerprint biometric scanners of both the Samsung and Apple devices. This could include ignorance of the problems associated with fitting the technology into the form factor of the device. Smartphones are touted to be the highest functioning devices in the smallest possible form factor available. Having to change the form factor to that of a brick defeats the object of a smartphone, especially if it is then for just one added security feature that forms part of the product offering and is not defining to the product offering itself.

The fact that thermal swipe scanners are being used, which is a very outdated and insecure scanning technology with a history of susceptibility to spoof fingerprints, leads me to believe that both ignorance and space in the form factor were major issues. Hopefully the next version will contain MIT optical sensors.

Don’t be surprised to see a whole industry sprout up around biometrics for mobile devices. The foremost manufacturers are already showcasing add-on and integrated devices for the mobile market that features live fingerprint detection (LFD), multispectral imaging technology (MIT) and BioLab rated algorithms for extracting and matching minutiae points on a fingerprint. One US-based company has already launched a software platform to patch the LFD issues with the S5 and 5s even before the dust has settled.

This is the first foray for smartphone and mobile device manufacturers into biometric fingerprint scanners. I cannot imagine that these manufacturers will not provide future dated devices with updated and more advanced biometric fingerprint scanners that are more secure, as was the case in the PC/laptop market. The advantages of biometrics fingerprint scanners outweigh the disadvantages too heavily.

Samsung and Apple decided to pioneer what will undoubtedly become a mainstream feature on all mobile devices and have unjustly been thrown onto the sword because of it. It remains to be seen if either company takes steps to rectify the shortcomings in their existing devices. After all, the remedy is available, but at a price.

For more information contact Virdi Distribution, +27 (0)11 454 6006, deon@virditech.co.za, www.virditech.co.za



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

A contact-free hotel experience
Issue 7 2020, Technews Publishing , Access Control & Identity Management
Check-in and go straight to your room without stopping at the reception desk at Hotel Sky in Sandton and Cape Town.

Read more...
AI digitises coronavirus management
Issue 7 2020, NEC XON , Access Control & Identity Management
NEC XON is using NeoFace Watch and specialised thermography cameras to measure temperature and identify employees and visitors.

Read more...
Combining visual and IR face recognition
Issue 7 2020, Suprema , Access Control & Identity Management
The FaceStation F2 offers face recognition and anti-spoofing performance.

Read more...
Anviz unveils FaceDeep5
Issue 7 2020, ANVIZ SA , Access Control & Identity Management
Anviz Global has unveiled its new touchless facial recognition identity management and IoT biometric device.

Read more...
Touchless biometric options
Issue 6 2020, Entry Pro , Access Control & Identity Management
When it comes to estate access control management, the foremost topic of conversation at the moment seems to be the importance of touchless biometrics.

Read more...
Fast access to Kevro production facilities
Issue 6 2020, Turnstar Systems , Access Control & Identity Management
Employee and visitor access at Kevro’s Linbro Park premises in Gauteng is controlled through eight Dynamic Drop Arm Barriers from Turnstar.

Read more...
Know your facial recognition temperature scanner
Issue 6 2020, ViRDI Distribution SA , Access Control & Identity Management
Facial recognition with temperature measurement is, for the most part, available in one of two technologies – thermopile and thermography/IRT.

Read more...
Suprema integrates with Paxton’s Net2 access control
Issue 6 2020, Suprema , Access Control & Identity Management
Suprema has announced it has integrated its devices with Paxton’s access control system, Net2.

Read more...
Contactless check-in at hotels
Issue 6 2020 , Access Control & Identity Management
Onity has delivered the DirectKey mobile access solution to hotel chains around the globe, which allows for contactless check-in and property access.

Read more...
UFace facial recognition now in SA
Issue 6 2020, Trac-Tech , Access Control & Identity Management
Trac-Tech has secured the distribution rights to the UFace range of contactless biometric facial recognition and identity management IoT devices.

Read more...