Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

Mythbusters beat "unbreakable" fingerprint door lock


My good friend Jamie Sharp sent me this link today. It's amazing: watch how Adam and Jamie easily defeat a fingerprint lock the manufacturer claims has never been broken. As if to snub the claims, they break it three times! Supposedly it monitors pulse, sweat, temperature, and other attributes. First, Adam obtains an impression of a fingerprint already present on the reader and creates a latex copy that he adheres to his own thumb. Initial attempts fail, but when Adam licks the latex, the door opens. Next, Jamie tries a ballistics gel copy of the fingerprint. Sure enough, the door opens right away. Adam remarks that some cheap computer fingerprint reader was actually more difficult to hack than the "unbreakable" door lock! Finally, Adam tries the simplest of all attacks: a photocopy of the authorized fingerprint. No warmth, no pulse, only a lick -- and again, the door opens.

Biometrics is identity, not authentication. Authentication requires a secret of some kind, like a PIN or password. Anything you leave behind, like the fingerprint Adam lifted from the reader, can never be used as a secret, and thus can't be considered authentication.

Comments
  • Huh? What happened to the three factors? Anybody who watches CSI knows biometrics aren't secret, but that doesn't matter, because biometrics derives its strength from uniqueness, not secrecy. And tokens/smart cards get their strength from possession. Are you really suggesting that passwords (the only secrets we use) are the only (and presumably strongest) authentication mechanism out there? As with any of these factors, it is crucial to have a system that effectively implements uniqueness for biometrics (and secrecy for passwords, and possession for tokens). This one didn't, in the same vein as many other authentication mechanisms (hint: know of any techniques for breaking Windows passwords?).

  • This story, along with the story about the car thieves who cut off the owner's fingertip in order to retain the "key" to his car (http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm), underscore the idea that a biometric factor is something you _have_, NOT something you _are_.  It's just that a biometric factor is not as easy to lose as another possessed factor (smartcard, SecurID token, etc).

  • Pete, please read my article linked in the second paragraph. Identity and authentication are separate components; the number of factors is orthogonal to this important concept. Authentication, the proof of a claim of identity, requires a secret known by the security principal (the human) that can be validated by the system. Secrets come in many forms; PINs and passwords are only two examples.

    (Plus, uniqueness isn't so strong as some people think. Not every biometric is guaranteed unique: there is no proof, for instance, that fingerprints exhibit this characteristic. How would you know, other than by observing the fingerprints of every person who has ever lived and will ever live?)

  • Steve, I agree with you on the fact that biometrics and authentication are written down in separate chapters in the book "how god wants us to authenticate"...

    But - if you see all this breaking stuff from a different side: Why is biometrics so popular today when it is so weak? For me, who lives in the European Union, my politicians tell me every week that we all need more biometric information in our IDs. The other side of this is that when it gets to the photographer taking new pictures for the ID renewal, for example, we are forbidden to make a happy face in that picture. This is because the software for face recognition isn't as good as it should be (at least this is what they are telling us).

    So back to your point: I believe that an access control like the fingerprint reader is always only as good as the software and hardware behind it. And that is under development.

    So do you see a chance that - one day - we will have a (what you would call) "protected" room, with an unbreakable access control on the front door that makes use of biometric information?

  • Does God need authentication? Now there's a question to ponder! :)

    About your last question... "unbreakable" isn't achievable. For something to be truly unbreakable, it would have to be perfect: and since all software is created by flawed, fallible human beings, perfect software is unattainable. "Unbreakable" is a code word. If a manufacturer ever uses that word to describe their product, that's a signal to you that you should look someplace else.

    Biometrics is popular today because politicians are spineless. It's got that "cool factor." The perceived threat of terrorism and the fear it generates has created an opportunity for governments to make a lot of noise doing something very visible, in an effort to make everyone feel safer. In fact, it will do nothing to increase security. Biometric passports, to use one example, won't thwart terrorists (check this out). Here's another axiom of security science: identity does not equal intent. Just because you have solid proof of someone's identity, doesn't mean you have any idea what's going on in that person's head.

    The reality is that terrorism, for all the press it gets, is rare. You're far more likely to get struck by lightning, or squashed by a bus, or hit by a stray bullet, than to be killed by a terrorist. Why don't governments do more to protect us from those threats?

    You want to stop the terrorists? Then you need to do the difficult and invisible things: investigate their activities and disrupt their funding. Look at what happened in the UK: the "liquid bombers" were thwarted by good old-fashioned police detective work! This is the only way to keep a population secure. With the exception of hardened cockpit doors, none of the stupid security theater implemented after 11 September 2001 has done or will do anything to deter future acts of violence.

  • > Does God need authentication?
    J... this might be a question I can't answer and I believe that every person on this beautiful planet (including me) has a different opinion on this ;)

    Ok, back to serious. Maybe "unbreakable" was the wrong word, but the meaning behind it was that it doesn't have to be perfect - it just has to be "unbreakable" for humans*

    So according to your thesis that we do not live in a perfect world where there exists a room that is 100% secure from access by unauthorized humans*, let me try to sum up my understanding of your point: Biometrics is just a big bubble filled with hot air?

    I agree with you that politicians use this subject to sell the people a "feeling of protection". And in the real world, this might be much more dangerous than everything else.

    Down here in Germany, when we had this discussion some years ago about getting biometrics in our IDs, the CCC - a popular and legal German hacker organization - was one of the first organizations that claimed that this is insecure (http://www.ccc.de/epass/; sorry, most of it is in German). In October 2004 they published a paper about building a perfect fingerprint (http://www.ccc.de/biometrie/fingerabdruck_kopieren?language=en; the video is available on the German site). So far the politicians haven't cared about this.

    > Just because you have solid proof of someone's identity, doesn't mean
    > you have any idea what's going on in that person's head.
    True words too, here we have the mother of all questions: how can we solve this problem?

    On the one side, a company has to trust its employees; on the other side, if one of them decides to mess with the company because of the wrong colored curtains in his office, the company is helpless. So how do we protect humans from themselves? Forbid "free" speech, forbid "free" minds, forbid revolutionary ideas? Put a rational and logically thinking computer in place to check up on our bad minds? Who then will be responsible for deciding which mind is good and which is bad?

    Maybe the CEO of Pepsi would like to see this computer fetch all thoughts of an ice cold Coke and replace them with a Pepsi product?!?

    Nice to think about this but hard to find an answer...

    > The reality is that terrorism, for all the press it gets, is rare.
    This always depends on how you define terrorism for yourself. Thanks to god, terrorism in the way I would define it is far, far away from where I live. But if you ask people living in Israel or for example Kosovo, they might tell you differently.

    Protecting ourselves from lightning or from getting squashed by a bus is easier for us to do than protecting ourselves from terrorism. Don't want to get hurt by lightning? Sit in a car when a thunderstorm comes. Don't want to get squashed by a bus? Look to the right and to the left before crossing the street. Don't want to get involved in a terrorist incident? I guess this is impossible for a "normal" guy like me...

    Most of the terrorism I know of is what I would call "global terrorism":

    > Look at what happened in the UK:
    You mean this (http://www.ft.com/cms/s/cbed2e12-28b5-11db-a2c1-0000779e2340.html)? When reading the FT article, it says that there was more than one security agency involved. I guess that there is more behind the political curtain than we all could imagine in our wildest fantasies. It is good practice that normal people like me (and I guess that you are one of us too?!?) don't get to know every single detail of their "security implementation"...

    But besides all this terrorism, the problem of protecting this room from unauthorized access still exists :)

    *) humans -or- tools that humans might use to gain unauthorized access to secure information

  • > Biometrics is just a big bubble filled with hot air?

    When pitched as a form of authentication, that's correct. But when considered as identity, and combined with a secret, then it can be very effective.

    > here we have the mother of all questions: how can we solve this problem?

    I don't have the answer to that. I'm simply pointing out that identity can't be a substitute for intent -- yet the (aviation, at least) security community seems to think that identity and intent are correlated. It is a serious question, yes.

    > Thanks to god, terrorism

    I have my own thoughts here. There is a correlation, yes, but to advance to causation involves reliance on superstition. My views, shaped by science, are very much in the minority and would be considered heretical by some. This is probably not the forum for discussing that :)

    > terrorism...is far away...ask people living in Israel or for example Kosovo, they might tell you different

    I often wonder if the people "running" these places truly want to eliminate terrorism. It certainly provides a ready excuse for maintaining or introducing totalitarianism.

    > the problem of protecting this room from unauthorized access still exists

    Right on! But the science is the same. It doesn't matter whether you're protecting a nation from its enemies, an airplane from a hijacker, or an information system from an attacker, the science behind the security is exactly the same. Enumerate threats, assess risk, and apply appropriate mitigating technologies and processes -- while avoiding all forms of security theater.

  • > and combined with a secret, then it can be very effective.

    Back to science: proving (just the) identity by using biometrics does not seem to be a good idea by now. When I see the links you provide and hear people talking about how easy it is to fool this technique, then I think it is better to talk about "Biometrics RC1" ;)

    > It is a serious question, yes.

    How does a system work that can't trust the users who are working on it?

    > This is probably not the forum for discussing that :)

    > I often wonder if the people "running" these places truly want
    > to eliminate terrorism. It certainly provides a ready excuse
    > for maintaining or introducing totalitarianism.

    It has always been exciting to me to hear scientific points of view. So if you like, contact me at woller(at)w-mail.org.

    > an information system from an attacker,

    By the way, your book arrived here two days ago. I saw you and Jesper at "IT's Showtime" and I thought that I have to give it a try :)

    > the science behind the security is exactly the same.
    One concept to answer thousands of different security threats?

  • > One concept to answer thousands of different security threats?

    Yes.

  • Microsoft security expert Steve Riley posted on his blog a link to a video in which the well-known myth...

  • Steve Riley points to Mythbusters' successful attempts to breach biometric security - okay, so it's not

  • Authentication is an interesting component of network security. In order to be granted (or denied) access

  • PingBack from http://savion.yourstoriessite.com/unbreakablelock.html
