Much ado about nothing

July 2014 Access Control & Identity Management

Attribution: Some rights reserved by Leszek Leszczynski via Flickr Creative Commons (https://www.flickr.com/photos/leszekleszczynski/).

Reports in online media over the last few weeks that Germany’s Security Research Labs (SRLabs) has been able to crack the much-hyped biometric fingerprint scanner on the Samsung S5 mobile phone have created quite a stir within cyberspace. Mobile phone aficionados, security experts, members of academia, journalists and bored keyboard ninjas have been atwitter about this development, especially after the marketing efforts emphasising the security benefits of the S5.

This debacle followed hot on the heels of a similar security vulnerability in the Apple iPhone 5s biometric fingerprint scanner identified by the Chaos Computer Club in September 2013, leading to vociferous condemnations of fingerprint biometrics as a security feature in the mobile device market.

The concept is a simple one: the fingerprint biometric scanner is bypassed by manufacturing a fake fingerprint. This is achieved by obtaining an image of the real fingerprint and using a garden-variety wood glue as filler. A life-like copy of the real fingerprint is created that is in turn recognised by the on-board fingerprint scanner. I personally would have used bathroom silicone and hot candle wax as it is easier to manipulate. A YouTube video is available that explains the steps to achieve the desired effect. This serves as proof that fingerprint biometrics are not a secure technology for mobile device applications, or any other application for that matter, if one reads between the lines.

No doubt that if you have a friend that owns at least one pocket protector, and you are unlucky enough to own either a Samsung S5 or iPhone 5s, you will shortly have to endure either a mini lecture or a demonstration of how easy it is to bypass your phone’s biometric security feature.

This of course is much ado about nothing and is purely a backlash to the hype that Samsung placed on the S5’s ability to utilise fingerprints as an added security feature for its mobile device.

Fingerprint insecurity

Practitioners of biometrics are not surprised by the news. Fake or spoof fingerprints have been a nuisance for as long as fingerprint biometric devices have been commercially available. The TV series MythBusters, for instance, filmed a whole segment on bypassing a fingerprint biometric device using a spoof fingerprint. This segment is also available on YouTube. In fact, if one knows what to look for, there are approximately 4000 YouTube videos available on the subjects of manufacturing spoof fingerprints and bypassing biometric fingerprint devices. The availability of this quantity of videos, coupled with the doubts expressed by all and sundry, should then indicate that fingerprint biometrics are insecure and even downright dangerous. Right? Wrong!

Biometric researchers and manufacturers have been aware of the spoof fingerprint phenomenon since day one and have taken the appropriate steps to ensure that their devices are as immune as possible to spoof fingerprints. As with everything in life, there is a cost involved in any technology, and fake fingerprint detection technology is no different. You get what you pay for, and if you want to buy cheap, chances are you are not going to get what you expect out of the device, with susceptibility to fake fingerprints right at the top of that list.

Some of the better known and widely used biometric devices available today still lack a basic implementation of fake fingerprint detection technology to safeguard the end-user against spoof fingerprints. This is simply due to cost considerations and the connected profitability impact of deploying these technologies. This is bad form and places the whole industry at risk, as the Samsung/Apple debacle has shown.

Don’t get me wrong, Samsung and Apple are not cheap products by any stretch of the imagination. The sheer quantities of these products sold on an annual basis tell one that they are quality products packed with useful features. Unfortunately, too much was made of an added security feature that many decided is the Achilles heel of these devices. This weakness was then used to knock them off their perches. Unfortunately, the knock-on effect is the perception that all fingerprint biometrics are not secure, which is erroneous.

Fashionable fail

One can only speculate about the reasons why fake fingerprint detection technology was not included in the on-board fingerprint biometric scanners of both the Samsung and Apple devices. This could include ignorance of the problems associated with fitting the technology into the form factor of the device. Smartphones are touted to be the highest functioning devices in the smallest possible form factor available. Having to change the form factor to that of a brick defeats the object of a smartphone, especially if it is for just one added security feature that forms part of the product offering and does not define the product offering itself.

The fact that thermal swipe scanners are being used, a very outdated and insecure scanning technology with a history of susceptibility to spoof fingerprints, leads me to believe that both ignorance and space in the form factor were major issues. Hopefully the next version will contain MIT optical sensors.

Don’t be surprised to see a whole industry sprout up around biometrics for mobile devices. The foremost manufacturers are already showcasing add-on and integrated devices for the mobile market that feature live fingerprint detection (LFD), multispectral imaging technology (MIT) and BioLab rated algorithms for extracting and matching minutiae points on a fingerprint. One US-based company has already launched a software platform to patch the LFD issues with the S5 and 5s even before the dust has settled.

This is the first foray for smartphone and mobile device manufacturers into biometric fingerprint scanners. I cannot imagine that these manufacturers will not provide future-dated devices with updated and more advanced biometric fingerprint scanners that are more secure, as was the case in the PC/laptop market. The advantages of biometric fingerprint scanners outweigh the disadvantages too heavily.

Samsung and Apple decided to pioneer what will undoubtedly become a mainstream feature on all mobile devices and have unjustly been thrown onto the sword because of it. It remains to be seen if either company takes steps to rectify the shortcomings in their existing devices. After all, the remedy is available, but at a price.

For more information contact Virdi Distribution, +27 (0)11 454 6006, deon@virditech.co.za, www.virditech.co.za
