Hackers Make a Fake Hand to Beat Vein Authentication

Devices and security systems are increasingly using biometric authentication to let users in and keep hackers out, be that fingerprint sensors or perhaps the iPhone's FaceID. Another method is so-called 'vein authentication,' which, as the name implies, involves a computer scanning the shape, size, and position of a users' veins under the skin of their hand. But hackers have found a workaround for that, too. From a report: On Thursday at the annual Chaos Communication Congress hacking conference in Leipzig, Germany, security researchers described how they created a fake hand out of wax to fool a vein sensor. "It makes you feel uneasy that the process is praised as a high-security system and then you modify a camera, take some cheap materials and hack it," Jan Krissler, who goes by the handle starbug, and who researched the vein authentication system along with Julian Albrecht, told Motherboard over email in German. Vein authentication works with systems that compare a user's placement of veins under their skin compared to a copy on record. According to a recent report from German news wire DPA, the BND, Germany's signals intelligence agency, uses vein authentication in its new headquarter building in Berlin.

One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example. But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.

If something is not secret,

[Mr.+Dollar+Ton]

it is usually not very hard to copy.

Re:If something is not secret,

[93+Escort+Wagon]

Are veins free as in beer or free as in speech?

Re:If something is not secret,

[Mr.+Dollar+Ton]

Free as in "the best things in life are free".

I want to know

Which idiot decided to use an identification as an authorization. Someone deserves to be beaten to pulp for being so stupid. Identification is not authorization, especially when it cannot determine intent. More specifically whether the person being identified is actively seeking service pr is being presented under duress and external force

Re: I want to know

No it's not. It answers just one of the 3 - it is the something that you are. It does not answer what do you know and what do you have.
Who you are is utterly insufficient. You always are who you are.
What you know is used to determine intent. It is used to determine what kind of service you are seeking and if you are under duress.
What you have is used to determine whether you are trusted by the system or not. When you can no longer present back the token the system has given you you may have been compromised or the trust removed from you

Re: I want to know

[Sique]

You messed something up here.

First: No one said that the biometric identification was the sole source for authorisation. It is a means to establish identity, not more, and not less. And this method was now defeated. The BND mentioned in the article does not use veins as the sole source of identification, it's just one of the layers of security there. There are still badges to be worn, pin codes to be entered and personal documents checked by security personel at the BND sites etc.pp.

Second: The main problem with biometric identification is that you can't change your identification after yours got compromised. When your password becomes known to someone else, you can change it. When someone steals or copies your badge, you get issued a new one, and the old one gets blocked. But you can't change your vein pattern, your retina or your hand shape that easily.

Re: I want to know

[orlanz]

And then I think you got things mixed up.

Your vein/finger/retinal ID should be your login ID. Not it's verification token. The password, however simple, should still be a secret, hash communicated, mutable unique to an authentication system.

You can use your Bio-based user ID to be tracked around a secured building, but shouldn't be used to keep you out of a room. It's should be treated no differently than a badge or RFID tag.

But for the reason you gave, I think it is still a bad idea to use your bio as an ID. If it is used for DOSing or Spaming, you are efficiently blocked out. And you can't just go get another ID number.

Re:I want to know

[gravewax]

Very few do, but it is a significant increase in security to do so. As others stated you seem to have confused your terms.
Identification is WHO YOU ARE. Bio-metrics handy for that.
Authentication is proving who you are or at least that you have the associated secret/device.
Authorisation is simply given who you are, are you allowed to perform Y Action or Access X Resource. e.g. an ACL lookup, adding biometrics to this would be a significant increase from what 99.999% of systems do today. basically authorisation comes post identification and authentication.

Re: I want to know

[DredJohn]

My voice is my passport, verify me.

Ay Yup

[JustAnotherOldGuy]

I'm sure at the time this seemed like something that would be damn near impossible to spoof, and I can see where the idea was so compelling that it made it all the way into implementation and deployment.

When deployed it was essentially un-spoofable because it was a new kind of "lock"; no one had made a "key" for it because this kind of lock never existed before.

But as soon as the lock (in the form of a vein scanner) appeared, the "getting defeated" part was sure to follow.

I think the surprising part was that it was defeated fairly quickly...I'm sure the people using this thing expected it to be the end-all-be-all of security for the next decade or so.

Re:Ay Yup

Prior Art. Old 1998 Sony see through camera. And many others were modded. Even an Iris scan can be defeated, and 3d printing will only get better.
Face scans have moved to 256 points, up from 64 or so. Use a bolo to read fresh keypad codes. The experts still say voice is best.

Re:Ay Yup

[93+Escort+Wagon]

This will be interesting to follow. The question I have is - is this fundamentally easily hackable, or are the current implementations just too sloppily done?

I really want to see more info on just how accurate and detailed these photos can be at a distance.

Re:Ay Yup

[ShanghaiBill]

... or are the current implementations just too sloppily done?

An obvious improvement would be to take multiple images a fraction of a second apart, and look for a pulse. Some fingerprint scanners already do this.

More importantly, any biometric identifier should be used IN ADDITION to a password or PIN for anything important.

Re:Ay Yup

[drinkypoo]

What seems "obvious" to you is actually very, very, very complex

Obviousness is orthogonal to complexity. An obvious idea can be difficult to implement.

Re:Ay Yup

[colin_young]

The Fujitsu palm scanners do just that (look for blood flow that is), or at least claim to. When I worked with those scanners, I always idly wondered just how difficult it would be to take the image, use a 3d printer to make a fake hand with veins and then pump some sort fluid through it to fool the system.

I also wondered about verifying the blood flow thing, but was never able to verify due to lack of access to a supply of corpse hands.

The usual for today please...

[SirAstral]

Identification, Authentication, and Authorization are all VERY different things.

Identification = Information about who you are
Authentication = verifying that ID information being provided is correct through a predefined/established process
Authorization = gaining permissions or actual access AFTER authentication has checked out.

bio-metrics foolishly rolls all 3 of those things into ONE and that is just bad security practice and it's not going to likely change. The fact that this is still being pursued and developed in this way is tacit proof that real security is not desired or required. Security Theater once again... wins the day!

Re:The usual for today please...

[angel'o'sphere]

bio-metrics foolishly rolls all 3 of those things into ONE and that is just bad security practice and it's not going to likely change.
No it does not.
Authentication and Authorization are still separate. Or are you suddenly "root" when you put my fake hand on my sensor?

Re:The usual for today please...

[SirAstral]

Goal Post moving fallacy and straw-man fallacy argument well done... Authorization does not automatically mean "root" access. Gaining root access is irrelevant regardless if such access is going to be attempted. Is a person hacking into your email account search for root access too? Not likely, meaning root access is not the only goal possible.

The point is that Authorization is a piece of a pyramid that rests on top of Identification and Authentication. When either of those base pieces fail, the top piece topples just like the stones would in a physical pyramid.

Re:The usual for today please...

[AHuxley]

That would depend on the building and staff.
A human guard who can remember names and faces and new biometric authentication? Then you know someone put some money into a "secret" project.
That just get the person in the front door.
What they do later to get into their computer network is often different.

Re:The usual for today please...

[angel'o'sphere]

The parent claimed that Authentification and Authorization is the same as soon as I use my eye ball or my finger print to authentificate me. No, it is not ... go away with your fallacy mind ...

Re:So...

[Rosco+P.+Coltrane]

And when you're done logging in, you can use the fake hand to give yourself a stranger. What's not to love eh?

Wrong conclusion

The utter stupidity of the idiots who still think biometrics are a good idea in the face of all the evidence to the contrary simply doesn't count. Because tt was hackers, that hacked, with hacks! You really can't begin to defend against hackers, hacking, with hacks. Because they're hackers, and they do hacking, with hacks! Everyone knows this!

Well, at least msmash cherry-picks the "news" to look like that.

Beat Vein Authentication

[mentil]

If I made a fake hand, I'd use it to beat something else.

Some eggs, for instance.

Re:Beat Vein Authentication

[serviscope_minor]

If I made a fake hand, I'd use it to beat something else.

Glad it wasn't just me! I got 7 words in and that's where my mind was.

Some eggs, for instance.

Well played sir.

But since we both find these funny, have a complementary one. Here's a recent "don't masturbate" poster thing which is just hilarious:

https://i0.wp.com/www.wehunted...

If you don't want to visit the link, the text says:

"Strugling with the addiction to masturbation? Reach out to me and we will beat it toether." -- Jesus

Re:Beat Vein Authentication

[mentil]

Touched by the hand of God, indeed.

Re:Key

[Gavagai80]

The difference is that these wonderful biometrics allow you to enjoy ADA lawsuits from people whose hands were amputated, or never grew due to a birth defect. (For retinal scanners, likewise with people whose eyes have been poked out.)

Still best

[markdavis]

This is not anything fantastic. It is no great feat to make a fake "hand" to fool a deep-vein-palm-scanner. It changes nothing.

Fingerprints- you leave them everywhere.
DNA- you leave it everywhere.
Face- you show it everywhere.
Iris- visible when look at any device.
Hand/finger shape- not live, visible in any photo.

The whole point of deep vein scan is that what is being scanned is never left anywhere (latent) and not casually visible or obtainable. The veins are beneath the skin in the palm, in an area rarely exposed "outward" and can be seen only in infrared at very close range. When you "enroll", you know you are doing so and typically have to be an active participant. Combined with a password, something you "know", not "are", it is perhaps the most secure in-use thing out there while also being the most private, and actually very cheap to implement, and still fast enough for real-time use (those last qualifications throwing out things like retina, which is typically expensive, complex, and slow).

Meanwhile, fingerprint and faceID systems continue to erode privacy and diminish actual security. DNA, when it eventually comes, well.... go watch the old film GATTACA.

Re:So...

[drinkypoo]

And when you're done logging in, you can use the fake hand to give yourself a stranger. What's not to love eh?

It's a wax hand, not a whacks hand. Save your joke for when they start using this technique with video instead of still images, and it's necessary to make a silicone (or similar) hand so that it can be equipped with a pulse.

You're so vein

[Applehu+Akbar]

Biometrics is turning into the ligne Maginot of the IT world, a fixed defense that someone, somewhere will always find a way around.

Re:You're so vein

[Ol+Olsoc]

Biometrics is turning into the ligne Maginot of the IT world, a fixed defense that someone, somewhere will always find a way around.

Since this "exploit" requires the bad actor somehow getting photographs of the person's palm, some nice lightweight cotton gloves defeats the hack.

I wonder how any people walk around with their palms exposed anyhow?

If Biometrics are the only thing giving access to whatever is classified - well, that's just stupid. Even my phone requires me to input a PIN every so often in order to use the fingerprint reader. And if someone actually went to the trouble of raising my prints they better pick the right one or after three tries they better know my PIN. There are ten choices you know.

Thats why

[AHuxley]

in places that matter a human guard sits behind glass and knows all the staff allowed into an area.
Biometric authentication gets you part way in.

And so on

[Impy+the+Impiuos+Imp]

As usual for high tech, sex applications lead the way with fake body parts with accurate veining.