You have to love the way these guys draw attention to potential security issues. The Chaos Computer Club (CCC), has included a piece of thin rubber film that contains the fingerprint of the German Minister of Interior, Wolfgang Schäuble, in their recent issue of Datenschleuder.
CCC is at it again – offering copies of the German Minister of Interior, Wolfgang Schäuble's fingerprint.
Wolfgang Schäuble is backing the use of biometrics and data collection citing the cause of national security. In 2007, he announced the launch of the second generation of e-passports that included two fingerprints, along with the customary photo.
“Each individual’s fingerprints are unique. This technology will help us keep one step ahead of criminals. We want to make it impossible to enter the Schengen area using a counterfeit passport. With the new passport, it is possible to conduct biometric checks, which will also prevent authentic passports from being misused by unauthorized persons who happen to look like the person in the passport photo,” Schäuble said.
Starbug Krissler, of the CCC, did some research and after a bit of time was able to replicate the German Minister of Interior’s fingerprint. (http://tinyurl.com/dycmx)
Starbug, as you may remember, helped Karsten Nohl with the MiFare research that led NXP to create the MiFare Plus after it was discovered that weak encryption and obscurity were the only solid layers of security the MiFare Classic offered.
When asked how the original fingerprint was obtained, Karsten told The Tech Herald “From a glass that was used by the secretary during a university-invited dinner!” The prints were tested, and proven to fool biometric scanners. The CCC is also seeking other fingerprints focusing on German officials. A complete list was sent out over the weekend with the CCC magazine.
Today’s fingerprint scanners are much more advanced than their earlier counterparts. Scaled down and produced for the mass market, they often appear on laptops as a security feature. Lenovo (T43, T60), Toshiba (M400), Fujitsu (T4220), and HP (8710p) all offer them. There are also smaller external readers that attach over USB and sit on the desktop. The actual fingerprint identification process differs slightly between products and systems.
The basis of identification, however, is nearly the same. Standard systems are comprised of three things: a sensor which scans the fingerprint, a processor which stores the fingerprint database, and software which compares the scanned print against that predefined database and reports a match.
The most common method for distinguishing fingerprints is based on small details. These details are interruptions to the lines upon the fingertips, such as endpoints, bifurcations, whorls, or islets. To identify a human fingerprint, information about the type, position, and orientation is required. This is based on a ten to twelve point scale. Different law enforcement agencies will require a different point scale. Some software, for that matter, will also use a different scale but the standard is ten points.
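The matching step described above, as an added example in Python that is not from the article or from the CCC: minutiae are compared by type, position and orientation, and a probe is accepted only when at least ten of them agree with the enrolled template. All minutia data is constructed, and the two prints are assumed to have been aligned (rotated and translated onto each other) before matching.

```python
from dataclasses import dataclass
from math import hypot

# Point features named in the article. A whorl is a ridge pattern class
# rather than a single point, so it is not modelled here.
@dataclass(frozen=True)
class Minutia:
    kind: str      # "ending", "bifurcation" or "islet"
    x: float       # position in sensor pixels (constructed scale)
    y: float
    angle: float   # ridge orientation in degrees, 0..360

def angle_diff(a: float, b: float) -> float:
    """Smallest difference between two orientations, in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def count_matches(template, probe, pos_tol=6.0, ang_tol=15.0) -> int:
    """Greedy one-to-one pairing: a probe minutia matches the nearest unused
    template minutia of the same type within the position/orientation tolerance."""
    unused = list(template)
    matched = 0
    for p in probe:
        best, best_d = None, None
        for t in unused:
            if t.kind != p.kind:
                continue
            d = hypot(t.x - p.x, t.y - p.y)
            if d <= pos_tol and angle_diff(t.angle, p.angle) <= ang_tol:
                if best_d is None or d < best_d:
                    best, best_d = t, d
        if best is not None:
            unused.remove(best)
            matched += 1
    return matched

def is_match(template, probe, required_points=10) -> bool:
    """Accept when the agreeing-minutiae count reaches the ten-point standard."""
    return count_matches(template, probe) >= required_points

# Constructed enrolled template (twelve minutiae, well separated).
TEMPLATE = [
    Minutia("ending", 12, 40, 30), Minutia("bifurcation", 55, 22, 95),
    Minutia("ending", 80, 70, 180), Minutia("islet", 33, 88, 270),
    Minutia("bifurcation", 100, 15, 45), Minutia("ending", 64, 120, 300),
    Minutia("ending", 140, 60, 10), Minutia("bifurcation", 20, 150, 200),
    Minutia("ending", 110, 130, 350), Minutia("bifurcation", 150, 110, 120),
    Minutia("islet", 90, 160, 60), Minutia("ending", 45, 5, 240),
]
def jitter(m, dx=1.5, dy=-2.0, da=5.0):  # simulated sensor noise on a re-scan
    return Minutia(m.kind, m.x + dx, m.y + dy, (m.angle + da) % 360)
# Same finger re-scanned: eleven jittered minutiae plus two spurious points.
SAME_FINGER = [jitter(m) for m in TEMPLATE[:11]] + [
    Minutia("ending", 200, 200, 0), Minutia("bifurcation", 5, 5, 88)]
# A different finger: same layout shifted well outside the tolerance.
OTHER_FINGER = [Minutia(m.kind, m.x + 40, m.y + 40, m.angle) for m in TEMPLATE]
```

The tolerances and `required_points` trade false rejects against false accepts, so they are part of the security policy of the system rather than a mere tuning knob.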
Karsten, who was speaking to me on Starbug’s behalf, described the aim of the stunt: “On the positive, this will hopefully convince the secretary to not rely too heavily on the secrecy of fingerprints and understand that this identification feature can easily be faked. This also has implications on how law enforcement operates,” he said. The negative is, as you would guess, that criminals will try to focus on biometric cracking.
“One possible scenario; a thief can break into computers that use fingerprints instead of passwords. This threat is worsened lots by the fact that everybody leaves fingerprints on his/her own laptop,” Karsten said.
In truth, the “hack” only took a little money to pull off, so it is within reach for anyone interested.
This CCC stunt, while not related, comes at an interesting time. Recently at Blackhat Europe, Matthew Lewis of Information Risk Management gave a talk in which he explained a new creation, Biologger. Biologger is a biometric keylogger.
Lewis said during his Blackhat talk that, “an attacker could configure Biologger in several ways -- for sniffing biometric devices in a domain; as an inline wire tap or proxy device; for ARP poisoning; and as a memory-resident keylogger on a host.” The problem, he says, is getting it on to a network.
“Biometrics can work incredibly well under the right circumstances. It is just important that proper security controls are placed around biometric systems, as the biometric component alone cannot be relied upon for security,” Lewis said.