Lately i found myself thinking about the Biometric Authentication (that is finally gaining a good popularity).
I might be old-school and more password-centric compared to other professionals, but hear me out:
When a system containing passwords is breached (if the developer have some good sense) all the password are encrypted and salted. Even if you have access to quantum computing and you can decrypt everything in no time i can always change the password. And back to step 1. I’m secure again (more or less).
Then, i thought, what happens if a system containing fingerprints, retina or facial features get breached ?
I mean. I have no interest in encountering Mike Tyson for having my facial feature changed nor chopping my finger off and replace them with one of somebody else (same applies for the eye, fun fact: only recently has been done a full eye transplant. And i doubt that eyes are easily available).
So, i decided to dig more about how this authentication method works.
How it works ?
Well, at moment there are few principles/guidelines to follow when comes to Biometric stuff:
- Templating When you register your bio information (again: fingerprint, retina, facial features) the system in use will capture from it some unique characteristics converting them into a digital template. By “digital template” is meant a purely mathematical representation of it.
- Encryption The template mentioned above then get encrypted before being saved. Wich encryption algorithms are used to do it are solely on developer discretion (not a very nice news to know…as far as im concerned some asshole is using md5)
- Hashing Not widely adopted, but in some cases the encrypted data might go under hashing ensuring some extra level of protection
- Secure Storage Where and how those data are stored depends solely to who built the system.
- Matching Process to wich the system compare the biometric data it retrieved with what he had stored. Ensuring security and privacy
Luckily, today, accompanied to biometric data there is still some sort of MFA that should anyway mitigate some risks.
Some Maths
According to the method used (fingerprint or facial recognition for example) different approach are used. I clarify:
- Fingerprint Recognition
- Minutiae Points I wont bother on what this is (google it you lazy ass!) but we are talking of ridge endings and bifurcations. So this things involve the coordinates, orientations and other characteristics of these points.
- Vectorizing Each fingerprint can be represented as vectors. And each vector can correspond to a specific pattern of the fingerprint
- Facial Recognition
- Eigenfaces We can define them as a set of eigenvectors that comes from the covariance matrix of the initial set of proposed facial images. (for more info: google it ! you lazy ass! otherwise this article would be a book !)
- Feature Points By feature points we indicate stuff like distance between the eyes, nose width and other stuff. In math terms it involves the ratio and distances between those feature points.
Now, let’s imagine we have a very nice fingerprint with 3 minutiae points, represented by their coordinate (x,y) and orientation (θ):
Minutiae Point 1: (x1, y1, θ1)
Minutiae Point 2: (x2, y2, θ2)
Minutiae Point 3: (x3, y3, θ3)
It’s math representation (with feature vector) then is:
F=[x1,y1,θ1,x2,y2,θ2,x3,y3,θ3]
And is thanks to this vector that we can store the essential information about the fingerprint.
Now, when comes to faces, the math is a bit more complicated. But i’ll try to break it down in most easy way as possible.
I think, please comment if i’m wrong, that we could represent a face as a linear combination of eigenfaces. Let’s assumeVi be the weights associated with the i-th eigenface, and Ei be the i-th eigenface:
Face = V1 ⋅ E1 + V2 ⋅ E2 + … + Vn ⋅ En
The weight of Vi is the math representation of the face.
NOTE i truly hate math and i’m not very good at it. So, if you see an error feel free to comment/contact me and say “jackass ! you made this error! *show error and solution*
Can we hack biometric auth ?
Yes and No. Nothing regarding IT is 100% secure. 100% is an utopia.
Recently there was a very nice work from the company Blackwing hired by MORSE (Microsoft Offensive Research & Security Engineering) that tested the security of Windows Hello fingerprint authentication and relative hardware provided on various laptop (Dell Inspirion, Lenovo, ThinkPad and Microsoft Surface).
Somehow they managed to found some flaws not in Hello per-se but in the embedded fingerprint sensors.
The fingerprint sensors comes from: ELAN, Synaptics, Goodix and the ones made in series on Surface Pro X, ThinkPad T14 and Inspirion 15.
The information about Blackwing works on this regard has been quite vague and with various (very well known ) sources kinda discordant between them. So, here’s what i got so far:
- .The SDPC (Secure Device Connection Protocol) is well made and not used in some cases (like Synaptic devices that instead use a custom TLS stack) and when used (still, in some cases) the builder of the sensor totally misunderstood some of the protocol objective.
- With a raspberry you can lunch a MiTM attack on those sensors.
- Blackwing has been able to break some flaw in the TLS stack of Synaptic
- They discovered that in some devices the communication happens in PLAIN-TEXT (oh, goddammit)
- Ability to make on some sensors the enumeration of valid IDs
So, again, security will always be an utopia. But we can make things decidedly harder for a potential attacker
I”m kinda sad discovering that some company that build security related product use plain-fuckin-text for transmitting important informations. But is still not the worst i’ve seen so far.
Final Conclusion and personal thought
Here i tried to present in a simple way how biometric authentication work and how certain people are able to bypass it.
I’m not saying to not use biometric data, on the contrary. Use it !
Everything that will make the life of an attacker more hard is always welcomed.
If you know me then you already know what i think of some corporation (i.e. google, samsung, apple…) and i’m not fond at all of the fact that they have my personal biometric datas. I’m really not.
But at least i made a conscious decision of accepting the fact that something so valuable (for me) is in their hand. Why ? Cause of the extra security layer they provide me to defend myself against some unknown asshole that tries to get my datas. (in the next days will come an article dedicated on why your data are important).
As always,
Stay Safe !