[Dailydave] Fingerprint biometrics attack paper...

Adrian Sanabria adrian.sanabria at gmail.com
Tue Apr 12 22:18:58 EDT 2016

The key to understanding it is Figure 1 on page 2. Everything else in the
paper is describing attacks on the system from different attack vectors.
When they reference "type 1" attacks, for example, those just pertain to
attacking the fingerprint sensor itself, and that's where talk of gummy
fingers and such come in.

So to directly answer your question, no, they're not saying any fingerprint
systems out there give hot/cold responses through a user-facing interface.
I've used a lot of different biometrics over the past 15 years, and they
all tend to have three responses: Success, Fail and You did it wrong (e.g.
scanner surface is dirty, finger was at an odd angle, not enough of the
finger was visible, scanner was flying sideways during the finger press,

As for the particular bit you're referencing, I think that was a "type 2"
attack (I just skimmed the rest of the paper), which assumes you've already
got penetrated to the back-end fingerprint system, or at least the
underlying API. Equivalent to a privilege escalation vuln.

Finally, one important thing to note with most fingerprint scanner setups
(they probably explain this better somewhere in the paper) is that they
usually don't do image matching, which is what you might imagine. Most have
algorithms that create data points based on the fingerprint pattern. The
more the data points, the better the accuracy, but too many, and you could
potentially recreate the fingerprint from the data, perhaps (I'm just
guessing here). If I'm remembering correctly, the last one I did due
diligence matched a fingerprint with less than 10 data points. The
importance here is that, if only a small number of data points are
retained, it is like storing a one-way hash in that you can't reverse the
data points to get the image of the fingerprint.

We're trying to avoid permanent compromise here, since changing our
fingerprints isn't currently medically feasible in an enterprise scenario
(or desirable, even if it were). Of course, in practice, I've often found
that they DO retain a full TIFF image of your fingerprint, because the
developers said they needed to. The developer argument is that if they
update/change/improve the algorithm, they'll have to recreate all the data
points and they can only do that using the original images.

<personal rant>
Aside from login convenience in non-critical applications, biometrics are
not worth the trouble. We already have better solutions for second factors:
soft-tokens/MFA apps/SMS on smartphones.


On Tue, Apr 12, 2016 at 3:32 PM, dave aitel <dave at immunityinc.com> wrote:

> http://citeseerx.ist.psu.edu/viewdoc/download?doi=
> I want everyone to click on this paper and then maybe help explain it to
> me! From what I understand they got a fingerprint reader to tell them
> how hot/cold they were to an acceptable fingerprint. So they they modify
> a fingerprint to get closer and closer until it matches.
> DOES THAT EVER HAPPEN IN REAL LIFE? I'm so confused at what security
> system gives you a "hot/cold" value so you can use this algorithm. Could
> this paper be summed up to say in one sentence "Obviously if you give a
> matching score from your biometric, you can use a model of that
> biometric to retrieve the raw data with enough tries?"
> -dave
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20160412/1cbacee8/attachment.html>

More information about the Dailydave mailing list