Palm vein security bypassed using wax hand models

by Mark Tyson on 31 December 2018, 13:31

Tags: Fujitsu (TYO:6702), Hitachi (TYO:6501)

Quick Link: HEXUS.net/qad2zq

Add to My Vault: x

Security researchers in Germany have found that they could bypass palm vein biometric based security systems using hand-shaped wax models. One of the researchers, interviewed by Motherboard, says that he was "quite surprised that it was so easy," after considering the claims of security companies, and the fact that such systems have been adopted by the BND (Germany's signals intelligence agency) HQ in Berlin. The last time HEXUS reported upon palm vein biometric security was back in 2013 when Fujitsu built its own contactless system into one of its workstation laptops.

Last week Jan Krissler (AKA Starbug) and Julian Albrecht demonstrated the bypassing of palm vein scanners at Germany's annual Chaos Communication Congress. Both Fujitsu and Hitachi palm scanners (95 per cent of the market) are able to be bypassed using a relatively simple, logical way of faking a human palm.

The way the hackers forged an implemented a palm vein fake is as follows:

  • They look photos of palms using a converted IR enhanced SLR camera (and found it is possible to resolve palm veins from up to 5m away from the subject).
  • Images were used to make a wax model of the user's hand
  • Under the wax of the manufactured hand the vein details were printed on a substrate
  • The wax model could bypass palm vein security solutions from Fujitsu and Hitachi

Of course the first successful hack took quite a lot of trial and error. The pair of researchers "took over 2,500 pictures to over 30 days to perfect the process and find an image that worked," reports Motherboard. However, with this knowledge and practice behind them it would probably be much faster and quicker to repeat the feat. The Verge reckons now that the method has been proven "other researchers will likely build upon it to create a process that’s more efficient and reliable".

Krissler and Albrecht have contacted both Fujitsu and Hitachi about their findings. In a statement to Heise Online, Fujitsu downplayed the hack, questioning its practical application out of the laboratory.

Krissler has a track record for biometric hacking; in 2013 he bypassed Apple's Touch ID within 24 hours of its launch in Germany, he demonstrated similar skill in faking the German defence minister's fingerprint and has more recently, demonstrated vulnerabilities in iris scanning technology. The hacker explained pragmatically that bio-security is "always an arm race". It wouldn't be surprising if Fujitsu and Hitachi update their scanning systems in the wake of this news, despite playing it down.



HEXUS Forums :: 22 Comments

Login with Forum Account

Don't have an account? Register today!
I have some sympathy with Fujitsu, etc, on this, and bear in mind I'm somewhere closer to the cynic/paranoid end of the spectrum re: asoects of internet security.

To achieve this “hack” the researchers appear to need to take photos, using a converted infra-red camera, of a user's palm.

Maybe I'm too cynical, but I think most users not only the paranoid, might be just a bit suspicious of someone saying “stick your hand in here, palm down and open, while we take a picture” and, ummm …. decline. Firmly.

If their hack had a way of bypassing neefing access to the user's palm, or some innocuous way of getting that, they'd hsve a point.

But so far, all they seem to have demonstrated is a basic weakness, which is if you can get to the original biometric spurce, whatever that is (fingerprint palm, iris, whatever) AND copy it, then that biometric security is blown open.

But they haven't.

Yet.
Saracen999
But so far, all they seem to have demonstrated is a basic weakness, which is if you can get to the original biometric spurce, whatever that is (fingerprint palm, iris, whatever) AND copy it, then that biometric security is blown open.
Probably wouldn't take much - Fake readers, piggybacking data sources, perhaps the usual virusy-trojan things you are tricked into clicking that then install data harvesters in your computer and pass on your scans….
Once one of these systems is compromised, wouldn't you have biometric data of basically everyone using that system anyway?

With a password you can at least try to use a different password for every place you visit. But the palm of your hand (or iris, or fingerprint) is much more difficult to change.
Waswat
Once one of these systems is compromised, wouldn't you have biometric data of basically everyone using that system anyway?

With a password you can at least try to use a different password for every place you visit. But the palm of your hand (or iris, or fingerprint) is much more difficult to change.

Not necessarily - properly implemented, biometric systems will only store something akin to a hash of the data, from which you cannot recreate the original input. That doesn't stop someone simply lifting fingerprints or iris photographs though. Assuming these traits uniquely identify an individual for security purposes can be a fairly dangerous assumption to make for that reason. And as has been show, some rubbish implementations of e.g. fingerprint scanners can be fooled with something as simple as one printed on a piece of paper.

Ttaskmaster
Probably wouldn't take much - Fake readers, piggybacking data sources, perhaps the usual virusy-trojan things you are tricked into clicking that then install data harvesters in your computer and pass on your scans….

Again, a properly-made biometric device won't expose raw biometric data to the host computer.
watercooled
Not necessarily - properly implemented, biometric systems will only store something akin to a hash of the data, from which you cannot recreate the original input. That doesn't stop someone simply lifting fingerprints or iris photographs though. Assuming these traits uniquely identify an individual for security purposes can be a fairly dangerous assumption to make for that reason. And as has been show, some rubbish implementations of e.g. fingerprint scanners can be fooled with something as simple as one printed on a piece of paper.



Again, a properly-made biometric device won't expose raw biometric data to the host computer.

So, what you're saying is that the cake is real but we only expose it as a lie to the host so they can't re-create its deliciousness.

Gotcha.