<div dir="ltr">The key to understanding it is Figure 1 on page 2. Everything else in the paper is describing attacks on the system from different attack vectors. When they reference "type 1" attacks, for example, those just pertain to attacking the fingerprint sensor itself, and that's where talk of gummy fingers and such come in. <div><br></div><div>So to directly answer your question, no, they're not saying any fingerprint systems out there give hot/cold responses through a user-facing interface. I've used a lot of different biometrics over the past 15 years, and they all tend to have three responses: Success, Fail and You did it wrong (e.g. scanner surface is dirty, finger was at an odd angle, not enough of the finger was visible, scanner was flying sideways during the finger press, etc).</div><div><br></div><div>As for the particular bit you're referencing, I think that was a "type 2" attack (I just skimmed the rest of the paper), which assumes you've already got penetrated to the back-end fingerprint system, or at least the underlying API. Equivalent to a privilege escalation vuln.</div><div><br></div><div>Finally, one important thing to note with most fingerprint scanner setups (they probably explain this better somewhere in the paper) is that they usually don't do image matching, which is what you might imagine. Most have algorithms that create data points based on the fingerprint pattern. The more the data points, the better the accuracy, but too many, and you could potentially recreate the fingerprint from the data, perhaps (I'm just guessing here). If I'm remembering correctly, the last one I did due diligence matched a fingerprint with less than 10 data points. The importance here is that, if only a small number of data points are retained, it is like storing a one-way hash in that you can't reverse the data points to get the image of the fingerprint. </div><div><br></div><div>We're trying to avoid permanent compromise here, since changing our fingerprints isn't currently medically feasible in an enterprise scenario (or desirable, even if it were). Of course, in practice, I've often found that they DO retain a full TIFF image of your fingerprint, because the developers said they needed to. The developer argument is that if they update/change/improve the algorithm, they'll have to recreate all the data points and they can only do that using the original images.</div><div><br></div><div><personal rant></div><div>Aside from login convenience in non-critical applications, biometrics are not worth the trouble. We already have better solutions for second factors: soft-tokens/MFA apps/SMS on smartphones.</div><div><br></div><div>--Adrian</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 12, 2016 at 3:32 PM, dave aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><a href="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10.7168&rep=rep1&type=pdf" rel="noreferrer" target="_blank">http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10.7168&rep=rep1&type=pdf</a><br>
<br>
I want everyone to click on this paper and then maybe help explain it to<br>
me! From what I understand they got a fingerprint reader to tell them<br>
how hot/cold they were to an acceptable fingerprint. So they they modify<br>
a fingerprint to get closer and closer until it matches.<br>
<br>
DOES THAT EVER HAPPEN IN REAL LIFE? I'm so confused at what security<br>
system gives you a "hot/cold" value so you can use this algorithm. Could<br>
this paper be summed up to say in one sentence "Obviously if you give a<br>
matching score from your biometric, you can use a model of that<br>
biometric to retrieve the raw data with enough tries?"<br>
<br>
-dave<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</blockquote></div><br></div>