IFSEC Insider | Security and Fire News and Resources

Just How Vulnerable Is Biometric Security?


Were you fortunate enough to receive a new smartphone or iPad/tablet computer for Christmas?

The latest surveys suggest that roughly half the UK’s population now have access to a tablet computer, with somewhere between 12 million and 13 million sales in the lead-up to the Festive Season alone. Indeed, overall sales have increased by 50% in the past year.

These really are mind-boggling statistics.

For their part, end users love the functionality provided by the hardware and software within these super gadgets, some of which was once the imaginary preserve of story-telling Hollywood directors looking to wow us all on “The Big Screen” by virtue of their futuristic predictions. Now, though, that once futuristic functionality has become reality.

In today’s society, items such as smartphones and tablet computers — ubiquitously employed across both the social and business spectrums — really do contain biometric-focused software that enables the user to be recognized by, say, their unique fingerprint pattern.

How well does such security software work in the real world, though?

Apple’s new iPhone 5S (an absolutely superb piece of kit, by the way) includes the much-discussed Touch ID fingerprint recognition system. Germany’s Chaos Computer Club claimed to have bypassed this access control function less than a day after the handset’s official release last September. Apple maintains that Touch ID is wholly secure.

On a research mission
At present, the Tabula Rasa Consortium — itself backed by EU research and innovation monies — is on a mission to identify just how well security software stored in smartphones and tablets is working.

The Tabula Rasa Consortium is made up of 12 separate research and industry partners from seven countries (five EU Member States plus Switzerland and China) that have worked together for three years now in researching as many biometric vulnerabilities as possible. The aim is to facilitate effective countermeasures as part of “a new breed” of safer, more secure biometric systems.

Kickstarted back in November 2010, the project is led by Switzerland’s Idiap Research Institute. Also involved are the University of Southampton, the University of Oulu in Finland, the University of Cagliari, and Spain’s Universidad Autonoma de Madrid.

Then there’s EURECOM (the French engineering and telecommunications research centre), Morpho (also in France, and a recognised global leader when it comes to biometric solutions), Starlab (Barcelona), the Chinese Academy of Sciences, KeyLemon (a Swiss-based company offering secure access solutions based on face and spoken recognition, more of which anon) and BIOMETRY (another Swiss firm providing “multimodal simultaneous biometrics with random challenge response”).

Last, but not least, Italy’s Centre for Science, Society, and Citizenship is also taking an active role.

One element of the study programme has seen the realization of a “Spoofing Challenge” whereby researchers from around the world were invited to develop their own attack plans and attempt to fool a variety of biometric security systems.

The Tabula Rasa Consortium’s website states that in practice, such direct attacks are performed by falsifying a given biometric trait and then presenting this fake data to the biometric system. An example would be an attempt to fool a fingerprint-based biometric security set-up by copying the fingerprint of another person and creating an artificial (or “gummy”) finger, which can then be presented to falsely gain access.

It’s a massively important issue that directly impacts not only on those companies in the high security field but also SMBs keen on forming and selling biometric technologies in emerging areas.

Interestingly, those taking part in the Tabula Rasa Consortium’s project to date have shown that there are many different ways in which to attack biometrics. For instance, one participant made effective use of make-up to “spoof” a 2D facial recognition set-up and was duly successful in being recognised as the victim.

Meanwhile, other participants have employed devices like masks or used photographs in their bid to beat the biometrics.

Detecting signs of “liveness”
Serious research necessarily requires serious financial backing, and big finance is squarely behind the Tabula Rasa Consortium. The EU has ploughed no less than €4.4 million into the project, used in tandem with a separate €1.6 million investment by the Consortium itself to fund the extensive research and testing required.

It’s money well spent. By evaluating the vulnerability of biometric systems to spoofing attacks, effective countermeasures are already being realised that, for example, detect signs of “liveness” (such as blinking and perspiration) and thus help further improve the security of biometrics.

On a hugely positive note, five newly worked countermeasures have now been transferred to biometric-focused companies for ongoing development. The aforementioned KeyLemon has already integrated a face recognition software countermeasure developed by way of the Tabula Rasa project into a final solution for market.

By extension, according to a recent European Commission statement the Tabula Rasa Consortium project is expected to create jobs for European SMEs as the study results are further integrated within commercial biometric solutions.

Dr Sebastien Marcel — head of the biometrics group at the Idiap Research Institute, and co-ordinator of the Tabula Rasa project — suggests there are other security benefits to be derived.

“As well as more secure devices and information,” stated Marcel, “the improved software will offer quicker log-ins to IT equipment and faster more accurate border control and passport verification.” That’s welcome news for governments and key authorities alike.

Dr. Marcel firmly believes that “many different organisations” will be interested in the Tabula Rasa project’s ongoing research, among them technology companies, banks, the manufacturers of mobile devices, and even online service providers.

IFSEC International, the leading security event that caters for the whole buying chain, will feature the latest developments in access control and biometrics. Taking place from June 17-19 at ExCeL London, IFSEC International will showcase solutions from leaders in the industry.

Biometric security solution providers, value-added resellers, and systems integrators are key groups that make up the distribution channel serving the end user marketplace and IFSEC International is the only destination to meet them.

Registration for IFSEC International 2014 is now open. For more information and to register visit www.ifsec.co.uk.
