In rather unsurprising fashion, it took the hacktivist community all of two days to effectively spoof the Touch ID fingerprint sensor on Apple’s new iPhone 5S. This short period of time, along with the overwhelming popularity of the mobile device, has led to a renewed debate amongst biometrics stakeholders that begs the question: what, if anything, can be done to improve the technology?
Germany-based Chaos Computer Club is the group that claims to be behind the now infamous Touch ID spoof, and boasts a veritable laundry list of biometric attacks spanning different fingerprint sensors as far back as 2004. So that’s it then, biometrics is broken, everyone can go home, right?
Not so fast.
Groups like the Biometrics Institute Vulnerability Assessment Expert Group (BVAEG) are already working to better inform the mainstream public of the truth surrounding biometrics technology.
The Biometrics Institute Vulnerability Assessment Expert Group is a subcommittee of the Biometrics Institute and consists of many of the experts in this area from around the world, says Isabelle Moeller, CEO at the Biometrics Institute. The group’s mission is to raise awareness of the need for vulnerability detection to be included with biometric devices, to promote standards, enhance privacy protection, performance measures and testing and to help facilitate the dissemination of new research or findings in this area.
Chaos Computer Club’s latest spoof job on the iPhone 5S is, though effective, anything but a straightforward process for the average Joe, an important detail to consider when questioning Touch ID’s security. “The iPhone fingerprint spoof uses a number of steps including laser printing the fingerprints in high resolution onto transparent film, etching onto a printed circuit board and using a latex material to make a fake fingerprint,” explains Tsutomu Matsumoto from Yokohama National University and member of BVAEG. “The current attack requires the lifting and processing of a high quality latent fingerprint at high resolution in order to make a successful spoof. These factors should be considered when assessing this attack’s impact under realistic usage scenarios.”
Moreover, spoofing is not a new concept within the greater biometrics landscape. “Such attacks are well known and studied,” says Ted Dunstone, chair of the Biometrics Institute Vulnerability Assessment Expert Group.
There is a wide variety of technologies, both software and hardware, that can be used to detect spoofing attacks like the one that has befallen Touch ID. The international community is addressing this emerging area of technology through an ISO/IEC standards project that will develop data interchange formats and testing principles for software and hardware used to combat biometric spoofing, otherwise known as spoof detection or presentation attack detection.
The simple fact of the matter is that every security measure, even the old stalwart password/PIN, has its flaws, something that BVAEG and the Biometrics Institute are keen to convey.
As part of that effort, the Biometrics Institute is imploring biometrics equipment manufacturers to be proactive in adopting spoof detection technology to maximize the chance of successfully rejecting a spoof. The Institute also recommends that government agencies and high-level decision makers be more aware of the need for appropriate biometric vulnerability testing and certification.
Inclusion in the world’s most popular mobile device, the iPhone, means that biometrics technology has taken center stage with the mainstream public. With this new level of attention now focused squarely on the biometrics industry, one thing remains clear: the work towards public acceptance is ongoing.
As market analysts peer into their crystal ball, biometrics seems to be a mainstream inevitability, with Apple’s Touch ID all but paving the way. In the meantime, however, dismissing an ambitious bit of technology like the Touch ID sensor is, if nothing else, premature.