Biometric systems security [WAS: Re: Hacking USB Thumbdrives, Thumprint authentication]

[Gadi Evron <ge () linuxbox org>]

Allow me to reply to this thread using a reply I sent to s similar 
thread on alt.computer.security a few months ago, and then add some 
thoughts:

Begin quote -->

Okay, there are some good articles and books on the subject, but I have
a few things to contribute to this discussion.

Basically, it all comes down, once again, to who has you in their
sights, and how much of a target you are.

If someone will invest enough in it, they will eventually get in to
anywhere. But you can make their life very difficult. :)
So pretty much - yes, nothing is really impossible, as long as we follow
the rules of physics, and then some. :)

Myself, I like biometric systems.

It is true that finger-print based biometric systems are somewhat
unreliable for a few reasons, some of which include relatively easy
faking, there are very few duplicates (0.who-knows-how-many-zero's...1
per cent of the world's population has the same fingerprint, probably 1
out of a million, 10 million or 100 million people - I am bad with
statistics). Then there are the problems of how secure your system is,
based on how many minuteas you use? If too many you may not be
identified tomorrow, and if too few.. the rest of the world can pass for
being you.
I can go on for quite a bit about all this and a lot more, but you get
my drift.

Every system has its downsides.

The whole point is to use the biometric system along with another system.
That way you double the technology, and it is more difficult, to a
level, to get in.
For example, password + finger print.
Something you know + something you are.

As a security minded person when I hear the word laptop though, I start
sweating. I can't even begin to imagine the loss of information caused
world-wide by people simply forgetting the laptop somewhere.

My two cents.

>-- End quote.


Another way to bypass such a system would be, for example, if someone 
with greasy fingers used the system, you could come close behind and 
applying pressure and/or heat fool the reader into believing you are the 
same guy again (security policy about double entries? I can hear the 
angry support center calls already).
There are many other issues that may have to be covered, such as closing 
an electric circle or humidity. This is not the easiest contraption to 
invent, it would take some investing, but you get my drift.

In security, it always ends up with how much someone is willing to 
invest in order to get your information. Is that someone your enemy? 
Cost vs. benefit.

It is all about Trust, and "Implicit Trust" is a bad combination of words.
Allow me to burrow, as I always do, from the world of Cryptography.
If a person claims their system is _impossible_ to break, would you 
trust the system? More importantly, would you trust that person?
In retrospect history _may_ prove him or her right, but I personally 
would never use that system. _History_ proves me right.

As I mentioned, it is about doubling the technology.
Another example would be to perhaps use a chip that transmits an 
encrypted PIN, which shows your picture on the screen in front of the 
security guard, while (preferably before) you are use the biometric system.

Something *they* know + something you are? (sorry for the pun) :) )

One biometric company which I like, that shall remain unnamed in this 
email message, offers to show you how their systems could be bypassed. 
Very brave of them if you ask me. Very honest and professional. That is 
why I like them.

They also offer you the source code for their system.

Now, once they _offer_ you the source code you already feel more secure, 
knowing that they do. You can stop thinking about a 
master-password-print that is hidden in the system and haunts you at night.

As much as the feeling of being more secure is nice, did you compile the 
source yourself? Did you even allocate the resources so that three 
engineers could spend a few days going over the source you were provided 
with?

It brings me back to the issue of Trust.

An ancient article called "Reflections on Trusting Trust" by Ken 
Thompson (1984) is a good read, if you never read it before (you can 
find it at http://www.acm.org/classics/sep95/).

The point is, that even if you did check the source code and compiled it 
yourself, do you trust the compiler?

This circle never ends, I can take it a few steps further and ask: "do 
you trust the OS?" or "do you trust the hardware?". Somewhere we need to 
stop and decide that for our resources and potential threat from our 
opponents we trust what we use as a starting point.

Cost vs. benefit. Risk vs. gain.

I trust (too strong a word?) biometric systems when they are set up to 
work with a second system.

Double the technology!

A good read on the subject of bypassing biometric systems is a paper by 
a Japanese mathematician, who took gummy bears and forged finger prints 
(even latest ones) to fool most biometric readers, spending just a few 
bucks (US).

You can read more about it on:
http://www.schneier.com/crypto-gram-0205.html

I heard that the paper was released online since then, but I can't seem 
to be able to find it right now (via Google or Booble :o) ).

I hope this helps someone, took me some time to write.

        Gadi Evron,
        ge () linuxbox org.