Slashdot Mirror
Hackers Make a Fake Hand to Beat Vein Authentication (vice.com)
Devices and security systems are increasingly using biometric authentication to let users in and keep hackers out, be that fingerprint sensors or perhaps the iPhone's FaceID. Another method is so-called 'vein authentication,' which, as the name implies, involves a computer scanning the shape, size, and position of a users' veins under the skin of their hand. But hackers have found a workaround for that, too.
From a report: On Thursday at the annual Chaos Communication Congress hacking conference in Leipzig, Germany, security researchers described how they created a fake hand out of wax to fool a vein sensor. "It makes you feel uneasy that the process is praised as a high-security system and then you modify a camera, take some cheap materials and hack it," Jan Krissler, who goes by the handle starbug, and who researched the vein authentication system along with Julian Albrecht, told Motherboard over email in German. Vein authentication works with systems that compare a user's placement of veins under their skin compared to a copy on record. According to a recent report from German news wire DPA, the BND, Germany's signals intelligence agency, uses vein authentication in its new headquarter building in Berlin.
One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example. But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.
One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example. But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.
I'm sure at the time this seemed like something that would be damn near impossible to spoof, and I can see where the idea was so compelling that it made it all the way into implementation and deployment.
When deployed it was essentially un-spoofable because it was a new kind of "lock"; no one had made a "key" for it because this kind of lock never existed before.
But as soon as the lock (in the form of a vein scanner) appeared, the "getting defeated" part was sure to follow.
I think the surprising part was that it was defeated fairly quickly...I'm sure the people using this thing expected it to be the end-all-be-all of security for the next decade or so.
Just cruising through this digital world at 33 1/3 rpm...
If I made a fake hand, I'd use it to beat something else.
Some eggs, for instance.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
First: No one said that the biometric identification was the sole source for authorisation. It is a means to establish identity, not more, and not less. And this method was now defeated. The BND mentioned in the article does not use veins as the sole source of identification, it's just one of the layers of security there. There are still badges to be worn, pin codes to be entered and personal documents checked by security personel at the BND sites etc.pp.
Second: The main problem with biometric identification is that you can't change your identification after yours got compromised. When your password becomes known to someone else, you can change it. When someone steals or copies your badge, you get issued a new one, and the old one gets blocked. But you can't change your vein pattern, your retina or your hand shape that easily.