Security researchers in Germany have found that they could bypass palm-vein biometric security systems using hand-shaped wax models. One of the researchers, interviewed by Motherboard, says that he was "quite surprised that it was so easy," considering the claims of security companies and the fact that such systems have been adopted at the BND (Germany's signals intelligence agency) HQ in Berlin. The last time HEXUS reported on palm vein biometric security was back in 2013, when Fujitsu built its own contactless system into one of its workstation laptops.
Last week Jan Krissler (AKA Starbug) and Julian Albrecht demonstrated the bypassing of palm vein scanners at Germany's annual Chaos Communication Congress. Palm scanners from both Fujitsu and Hitachi (95 per cent of the market) can be bypassed using a relatively simple, logical way of faking a human palm.
The way the hackers forged and implemented a palm vein fake is as follows:
- They took photos of palms using a converted IR-enhanced SLR camera (and found it is possible to resolve palm veins from up to 5m away from the subject).
- The images were used to make a wax model of the user's hand.
- The vein details were printed on a substrate placed beneath the wax of the manufactured hand.
- The wax model could bypass palm vein security solutions from Fujitsu and Hitachi.
Of course, the first successful hack took quite a lot of trial and error. The pair of researchers "took over 2,500 pictures over 30 days to perfect the process and find an image that worked," reports Motherboard. However, with this knowledge and practice behind them, repeating the feat would probably be much faster. The Verge reckons that now the method has been proven, "other researchers will likely build upon it to create a process that's more efficient and reliable".
Krissler and Albrecht have contacted both Fujitsu and Hitachi about their findings. In a statement to Heise Online, Fujitsu downplayed the hack, questioning its practical application out of the laboratory.
Krissler has a track record of biometric hacking: in 2013 he bypassed Apple's Touch ID within 24 hours of its launch in Germany; he demonstrated similar skill in faking the German defence minister's fingerprint; and he has more recently demonstrated vulnerabilities in iris scanning technology. The hacker explained pragmatically that bio-security is "always an arms race". It wouldn't be surprising if Fujitsu and Hitachi update their scanning systems in the wake of this news, despite playing it down.