Methods for Bypassing Biometric Security
About a month ago, a journalist from Forbes demonstrated the (un)reliability of biometric security in consumer devices. For his test, he ordered a plaster 3D copy of his own head and tried to use it to unlock five different smartphones: LG G7 ThinQ, Samsung S9, Samsung Note 8, OnePlus 6, and iPhone X. The plaster copy was enough to unlock four out of the five tested models. Although the iPhone resisted the trick (it scans in the infrared spectrum), the experiment showed that facial recognition is not the most reliable method for protecting confidential information—just like many other biometric methods.
Representatives of the “affected” companies commented that facial recognition makes unlocking phones “convenient,” but for “the highest level of biometric authentication,” they recommend using a fingerprint or iris scanner.
The experiment also showed that a couple of photos of the victim are not enough for a real hack, since they don’t allow for the creation of a full 3D skull copy. To make an acceptable prototype, you need photos from several angles and good lighting. On the other hand, thanks to social networks, it’s now possible to obtain a large number of such photos and videos, and camera resolution increases every year.
Other biometric security methods also have vulnerabilities.
Fingerprints
Fingerprint scanning systems became widespread in the 1990s—and were immediately attacked. In the early 2000s, hackers perfected the process of making artificial silicone copies from existing prints. By sticking a thin film onto your own finger, you can fool almost any system, even those with sensors that check body temperature and verify that a real, live finger is being scanned, not a printout.
The classic guide for making artificial fingerprints is Tsutomu Matsumoto’s 2002 manual. It explains in detail how to process a victim’s fingerprint using graphite powder or cyanoacrylate (super glue) fumes, how to prepare the photo before making a mold, and finally, how to create a raised mask using gelatin, latex milk, or wood glue.
The biggest challenge in this process is copying a real fingerprint. It’s said that the best prints are left on glass surfaces and door handles. But nowadays, there’s another way: the resolution of some photos allows you to reconstruct a fingerprint pattern directly from a photograph.
In 2017, researchers from Japan’s National Institute of Informatics demonstrated the possibility of recreating a fingerprint pattern from photos taken with a digital camera from three meters away. Back in 2014, at the Chaos Communication Congress hacker conference, the fingerprints of Germany’s defense minister were recreated from high-resolution official photos found in open sources.
Other Biometric Methods
Apart from fingerprint scanning and facial recognition, other biometric security methods are not yet widely used in modern smartphones, although it is theoretically possible to use them there. Some of these methods have undergone experimental testing, while others are already in commercial use in various applications, including retina scanning, voice verification, and palm vein pattern recognition.
However, all biometric security methods share one fundamental vulnerability: unlike a password, it’s almost impossible to replace your biometric characteristics. If your fingerprints are leaked publicly, you can’t change them. This is, essentially, a lifelong vulnerability.
“As camera resolution increases, it becomes possible to capture smaller objects, such as fingerprints or the iris. […] Once you share them on social networks, you can say goodbye. Unlike a password, you can’t change your fingers. So this is information you must protect.” — Isao Echizen, Professor at Japan’s National Institute of Informatics
No biometric security method offers a 100% guarantee. When testing each system, the following parameters are usually specified:
- Accuracy (several types)
- False positive rate (false alarms)
- False negative rate (missed events)
No system demonstrates 100% accuracy with zero false positives and false negatives, even under optimal lab conditions. These parameters are interdependent. For example, you can increase recognition accuracy to 100% by adjusting system settings—but then the number of false positives will also increase. Conversely, you can reduce false positives to zero—but then accuracy will suffer.
It’s clear that many security methods are easily hacked because manufacturers prioritize user convenience over reliability. In other words, their main goal is to minimize false positives.
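The interdependence of the error rates described above, as an added example that is not part of the original article: it sweeps a matcher's decision threshold over constructed similarity scores and reports the false accept rate (impostor accepted) and false reject rate (genuine user rejected). The scores, the function names and the FAR/FRR naming are assumptions of this example.

```python
"""Threshold trade-off in a biometric matcher, using constructed scores."""

# Constructed similarity scores in [0, 1]; higher means a closer match.
# GENUINE: the enrolled user's attempts. IMPOSTOR: other people or spoofs.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.97, 0.72, 0.90, 0.86, 0.66]
IMPOSTOR = [0.12, 0.35, 0.41, 0.58, 0.27, 0.69, 0.33, 0.74, 0.49, 0.20]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(steps=100):
    """Rows of (threshold, FAR, FRR) for evenly spaced thresholds 0..1."""
    return [(i / steps, *rates(i / steps)) for i in range(steps + 1)]


def equal_error_point(table):
    """First row where FAR and FRR are closest (approximate equal error rate)."""
    return min(table, key=lambda row: abs(row[1] - row[2]))


def convenience_first(table):
    """Strictest threshold that still never rejects the genuine user."""
    return max((r for r in table if r[2] == 0), key=lambda r: r[0])


def security_first(table):
    """Loosest threshold that never accepts an impostor."""
    return min((r for r in table if r[1] == 0), key=lambda r: r[0])


if __name__ == "__main__":
    table = sweep()
    for t, far, frr in table[50:100:5]:
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    for name, row in [("convenience-first", convenience_first(table)),
                      ("equal-error", equal_error_point(table)),
                      ("security-first", security_first(table))]:
        print(f"{name:18s} threshold={row[0]:.2f} FAR={row[1]:.0%} FRR={row[2]:.0%}")
    # The two score distributions overlap, so no threshold zeroes both rates.
    print("both zero somewhere:", any(r[1] == 0 and r[2] == 0 for r in table))
```

Because the genuine and impostor score ranges overlap, pushing either rate to zero raises the other, which is the tuning decision a vendor makes when choosing the shipped threshold.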
The Economics of Hacking
As in economics, information security has a concept of economic feasibility. There’s no such thing as 100% protection, but security measures should be proportional to the value of the information itself. The general principle is that the cost of hacking for an attacker should exceed the value of the information they want to obtain. The greater this ratio, the stronger the protection.
For example, the plaster head copy used to fool a Face ID-type system cost the Forbes journalist about $380. Accordingly, it makes sense to use such technology to protect information worth less than $380. For low-value information, this is excellent protection, but for corporate trade secrets, it’s inadequate—so everything is relative. In each case, you need to assess the minimum acceptable level of protection. For example, facial recognition combined with a password—as two-factor authentication—already increases the level of protection by an order of magnitude compared to just facial recognition or a password alone.
In short, any protection can be hacked. The question is: at what cost?