For years, Hollywood has offered some entertaining futuristic scenarios that involve defeating biometric-based security systems in sometimes spectacular ways.
Here are three of my favorites:
- "Diamonds are Forever," 1971: James Bond leaves a fake fingerprint on a glass, which then fakes out a spy's high-tech scanner, which in Hollywood terms means that it uses a lot of red lights.
- "Never Say Never Again," 1983: In this Bond film, an operative of the criminal organization SPECTRE undergoes eye surgery to make his retinal pattern match that of the U.S. president, after which the operative infiltrates a military facility, fools a retinal scanner and uses it to steal two nuclear warheads.
- "Minority Report," 2002: Tom Cruise's Chief Anderton, a future cop who's on the run, defeats pervasive eyeball-scanning technology by going to a black-market eye-surgery doctor and getting his eyeballs replaced.
None of those, however, tops 1993's sci-fi thriller "Demolition Man," in which Wesley Snipes - starring as psychopath Simon Phoenix - gets thawed out for a parole hearing, after having been locked away in a high-tech deep freezer for 36 years. Phoenix disables the guards, steals the prison warden's eyeball, sticks it on a pen, and uses it to fool a retinal scanner, thus enabling his escape.
But in real life, defeating security is typically a much more sedate affair.
For example, whoever hacked into the U.S. Office of Personnel Management didn't have to defeat advanced countermeasures, because they weren't in place. Instead, the attackers apparently just stole legitimate access credentials, then used them to remotely log into OPM's systems, which didn't even require or allow for the use of two-factor authentication (see OPM: 'Victim-as-a-Service' Provider).
OPM's attackers also stole fingerprint data for approximately 5.6 million government workers gathered via background-investigation checks (see Stolen OPM Fingerprints Pose Risks). But in an ironic twist, reportedly no biometric-based authentication systems were being used to protect the breached OPM systems.
Getting Around Biometrics
That doesn't mean biometric-based authentication systems are foolproof. In the past, fingerprint readers have been successfully defeated using everything from Play-Doh to gummy bears, while facial recognition programs that rely on blinking to confirm that a live person is present have been fooled by attackers playing back videos of people blinking.
And this week, researchers from the University of Alabama at Birmingham demonstrated at the European Symposium on Research in Computer Security in Vienna how they can use off-the-shelf software to defeat voice-biometrics authentication systems.
The researchers' voice-impersonation attack works by cloning a target's voice, then morphing an attacker's voice to sound like the target. "Just a few minutes' worth of audio in a victim's voice would lead to the cloning of the victim's voice itself," says Nitesh Saxena, UAB associate professor of computer and information sciences. "The consequences of such a clone can be grave."
Indeed, voice-biometrics systems are now in use on some smartphones as a PIN-lock replacement. And they're used for access control to buildings by many government organizations.
"This research is fascinating, bearing in mind that it was done with off-the-shelf software," says Alan Woodward, a visiting computer science professor at the University of Surrey, as well as a cybersecurity adviser to the European Union's law enforcement agency, Europol. "It's interesting to note that even the Bank of England's gold vaults use voice recognition as part of their security."
Signs of Life
Research into how biometric systems can be defeated in the lab might not make for a great Hollywood movie plot - English gold vaults excepted. Nevertheless, the research is essential for building authentication tools that are harder to spoof.
For example, some systems now employ vein-recognition techniques that check not only the vein pattern but also that blood is actually flowing through the veins being scanned. "Just having the biometric per se is not good enough," Woodward says. "They have to show that they're actively attached to a human being who's alive."
Similarly, UAB's Saxena suspects that the voice attacks his lab has concocted can be blocked, in part, by checking for the presence of a live speaker. "Ultimately, the best defense of all would be the development of speaker verification systems that can completely resist voice imitation attacks by testing the live presence of a speaker," he says. "Our future research will examine this and other defense strategies."
This carefully measured approach to improving authentication systems may seem mundane. But when it comes to over-the-top abuses of technology, we'll always have the movies.