Biometrics - Attack of the Clones

Ken Munro, MD, Securetest

Biometrics, the use of electronically-stored records of physical identifiers that corroborate a person's identity, is now moving out of the realms of fiction and into everyday life. Already there are reports that more than 60 hospitals in the UK use fingerprint technology to access patient files. Commercially, the technology is expectedto take off in the ecommerce and online banking arenas, and some European states already recognize a biometric signature as legally binding.

From the Microsoft fingerprint mouse to iris retina scans to facial recognition devices, it's a technology that promises to free us from the bane of recalling passwords. And it's essentially a 'cool' technology: IT departments are embracing biometrics in part because almost every systems administrator is a techno-geek, and all geeks love their gadgets. These drivers are fuelling the quick take-up of this technology.

In theory, biometrics should make the authentication process watertight because users are identified by patterns unique to their genetic makeup. However, there are a number of flaws with the concepts fundamental to biometrics. First of all, there is the problem of revocation. If someone steals your fingerprint or retina patterns and creates a duplicate, how does the administrator revoke these credentials, and get the user to supply new ones? Most people only have two retinas, whilst with a fingerprint scanner the user is limited to 10. This makes it a very vulnerable system. Many believe their retina or fingerprint patterns are safe, but a fingerprint is easily stolen from any surface the user has touched and a retina pattern is accessible using a high powered camera.

The second issue is using the same biometric on multiple systems. Many of these systems use single factor authentication, placing implicit trust in the authenticated user. A problem arises when a user is present on two or more systems using the same biometric data. If the first system is hacked and the pattern unique to that user is stolen, this data could be used to hack into the second system. Network segregation helps little here. In fact, if the systems are separate it's unlikely the compromise of the first system would be reported. This would enable the hacker to impersonate the legitimate user on the second system without arousing suspicion.

Thirdly, these systems can be vulnerable to replay attacks. If an authentication session takes place without passing a unique identifier such as a time stamp to the session initiator, an attacker can then infiltrate the network. He or she can use a network sniffer to capture the data sent from the biometric scanner to the authentication server. Later they can re-inject the session to the server to impersonate the user. Many installed biometric sensors do not work with identifiers, making them vulnerable to this type of attack.

Indeed, rather than solving security issues, biometrics could place systems at greater risk. Manufacturers are addressing issues such as replay attacks but, for those companies that have already implemented systems, upgrades may prove too costly. And solving issues such as revocation may be impossible. But if these issues worry you at work, perhaps you'd best not dwell upon the wider implications. National governments are now deploying biometrics in an effort to increase border control security. The UK government announced in its Science and Innovation Strategy in November that biometrics was on its wish-list of technologies to fight crime and tackle terrorism. According to civil rights groups, the biometric details of more than a billion users could be housed on passports by 2015. Indeed, Germany has already introduced RFID passports. These contain a chip on which a scan of the passport holder's face is stored, and there are plans to include fingerprints and possibly iris scans after 2007. The security industry needs to act now to correct these fallibilities. If we fail, we could find that far more than email access is compromised. Cloning could become rife, making it open season on your bank accounts, health records and...well, your identity!

This article has been provided exclusively to Bankinfosecurity.com by Infosecurity Today Magazine. To sign up to receive Infosecurity Today free of charge, visit www.subscription.co.uk/cc/ist_d.





Around the Network