A rundown through UL's first Hackathon
July 8, 2016 - Breaking biometrics operations, safeguarding security
On the 23rd and 24th of June 2016 the Transaction Security division of UL held a ‘hackathon’ event focusing on Biometric operation and security. For those not familiar with the term, a ‘hackathon’ is not a cyber-criminal sporting event – which I imagine would be a strange combination of boring and terrifying – but instead an event to gather together a group of smart people to work on various technological tasks within a deliberately tight timeframe. Some of these tasks may indeed be to find bugs in systems, but often the aim is to create knowledge or products, rather than to find problems.
During the event, over 30 people from UL offices around the world (including Australia, China, Brazil, England, Ireland, America, and the Netherlands) were given just two days to attempt to implement or break various biometric systems. Six groups were formed and assigned the following cases:
- Create and implement a fingerprint matching / recognition system. Define the characteristics that may influence and/or change the False Match Rate / False Non-Match Rate.
- Create and implement a facial image matching / recognition system. Define the characteristics that may influence and/or change the False Match Rate / False Non-Match Rate.
- Create and implement a cloud based user management module to authenticate users using a heartbeat based biometric authentication system, and integrate this with the UL Self-Test Platform tool.
- Implement a payment scheme ‘Match-on-Card’ biometric standard in the UL Terminal and Card simulator tools, and provide for a live demo of its operation.
- Perform an operational and security evaluation on mobile based ‘image’ biometric authentication applications. Determine ways in which these applications may be functionally compromised, and/or detail security flaws in the application code/implementation.
- Research and implement current state-of-the-art fingerprint cloning attacks, and attempt to bypass such biometric security on a number of leading consumer and commercial products.
Although UL does have a wealth of experience and knowledge with biometrics, the goal of this hackathon event was to specifically utilize staff who did not have a history in this area. Additionally, the groups were not given their specific cases until a few days prior to the event to ensure that they did not have time to ‘cheat’ with additional research or work beforehand.
The idea was that during the hackathon we would be providing a tangible bound around the difficulty of some types of biometric attacks and implementations, as well as expanding our existing biometric knowledge to people not already skilled in the field. To be honest, as one of the organizers of this event, I was a bit concerned that we’d end the second day with few results and a room full of people angry with the hubris of the scope of work we had set for them over such a short period of time.
Turns out, I severely underestimated the abilities of our people and the ease with which biometric systems can be both implemented and compromised. Each and every one of the groups achieved their goals, and ended the hackathon by providing an outstanding presentation to over 100 of their peers in the UL theater room of our Leiden office.
The groups working on the biometric matching algorithms were able to understand and implement the current state of the art in fingerprint and facial recognition algorithms, and develop an understanding of what may influence the results of these algorithms. This was quite impressive for a group that – unlike others in UL – had no previous experience with biometric systems. The findings from these groups confirmed UL’s existing understanding that facial recognition can be quite effective when the algorithms are supplied with ‘clean’ data – that is, photographs that are set in the same lighting and context, using the same resolution and compression. Although it may seem unrealistic to expect such similar photographic input, it may be imagined that this could be easily replicated in the cases of biometric passports, or similar types of ‘controlled input’ scenarios. In these ‘best case’ examples, an Equal Error Rate (where the False Acceptance Rate crosses the False Rejection Rate) was found to be as low as 1%, which is comparable with the fingerprint findings of 0.12% (see below).
However, when the two images started to deviate from each other, by supplying different photographs from different times and locations, the group found that the quality of the match would degrade considerably to where the EER increased to 25%. When interpreting these findings, it is worth considering the conditions the team was working under – it is of course very likely that a Neural Net based matching algorithm developed by the likes of Google over a period of many years is considerably better at matching faces under various different conditions than the system implemented in our hackathon over the course of 2 days by a group that was chosen specifically to have no previous experience in this area. Therefore, any results should really be considered as ‘worst case’, where a matching rate of 1% (in ideal situations) can be seen to be very good indeed!
In fact, based on the findings in the hackathon, the prospect of using facial recognition software to identify and track individuals using only their image is something that is likely to be possible now and a clear certainty into the future as these algorithms and matching techniques improve.
Unsurprisingly, the team looking at the matching of fingerprints found that these provided a very good method of identifying individuals, as we expected, and the match of identical fingerprints would often provide slightly different results based on the particular minutiae that were selected during the creation of the templates for matching. This team did a great job of working through the maths of the matching algorithms to provide visualizations of the EER to demonstrate the validity of the use of fingerprint images as a method of matching. However, matching is not always the same as identification, which we will discuss further below …
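To make the Equal Error Rate figures quoted above concrete, here is an added example (not code from the hackathon teams) that sweeps a decision threshold over comparison scores and reports the point where the false match and false non-match rates meet. The score lists are constructed for illustration and are not UL's data; the "controlled" and "uncontrolled" labels mirror the clean versus deviating photograph cases described for the face matching group.

```python
# Constructed comparison scores (0-100, higher = more similar); not UL's data.
IMPOSTOR = [20, 25, 30, 15, 35, 28, 22, 18, 40, 50]
GENUINE_CONTROLLED = [90, 88, 85, 92, 80, 87, 91, 83, 86, 45]
GENUINE_UNCONTROLLED = [90, 70, 55, 40, 35, 60, 30, 75, 45, 25]


def error_rates(genuine, impostor, threshold):
    """(FMR, FNMR) when a comparison is accepted if score >= threshold."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def equal_error_rate(genuine, impostor):
    """Sweep each observed score as threshold; return (EER, threshold).

    With finite samples the two curves rarely meet exactly, so the EER is
    taken as the mean of FMR and FNMR where the gap between them is smallest.
    """
    if not genuine or not impostor:
        raise ValueError("need both genuine and impostor scores")
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = error_rates(genuine, impostor, t)
        gap = abs(fmr - fnmr)
        if best is None or gap < best[0]:
            best = (gap, (fmr + fnmr) / 2, t)
    return best[1], best[2]


if __name__ == "__main__":
    for label, genuine in (("controlled", GENUINE_CONTROLLED),
                           ("uncontrolled", GENUINE_UNCONTROLLED)):
        eer, t = equal_error_rate(genuine, IMPOSTOR)
        print(f"{label:>12}: EER {eer:.0%} at threshold {t}")
```

Moving the threshold away from the EER point trades one error for the other, which is why a deployment picks its operating point from the cost of a false match versus a false rejection rather than from the EER alone.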
I Heart EMV
Two of the hackathon teams were tasked with producing ‘operational’ demonstrations of biometric matching, essentially integrating two different biometric implementations into existing UL tools; one using a ‘match-on-card’ specification from a payment scheme, and the other using a personal authentication band that relies on heartbeat biometrics to validate the individual wearer. Both of these teams completed a full implementation of the systems, and were able to provide practical demonstrations of the solutions within the two day window.
The team working on the heartbeat authentication band utilized the SDK provided by that vendor to produce a working enrollment and validation system for the UL Self-Test Platform using the heartbeat based ‘Personal Authentication Network’ technology of the band. This was despite the fact that they had to integrate the cryptographic security used by the band, and indeed this team was so successful that they were able to complete most tasks assigned to them within the first day! During the implementation they noted a single false-positive identification of the heartbeat biometric, but were unable to get any official data on the EER for this particular system. However, some academic research that the team located during their ‘hacking’ indicated that the EER may lie around 12%. The actual authentication of the system used in the hackathon was performed on the phone app, with the data transferred from the band to the phone using Bluetooth with added application layer encryption for security.
Further research into heartbeat as a biometric, and into the general concept of ‘Personal Authentication Networks’ is warranted, but could not be covered in the time provided by the hackathon.
The other functional team digested and implemented the scheme match-on-card EMV specifications, producing a virtual card using this system in the UL Brand Test Tool (BTT) card simulator and a virtual terminal in the Host Test Tool (HTT) to which this card could complete a transaction. The steps involved in this implementation are outlined in the image below.
The implementation of this system can be compared at a high level to encrypted offline PIN, but with added complexity in the fact that the biometric template transferred between the terminal and the card is larger than a single APDU (a reference template used was 432 bytes, compared to 8 bytes for an offline PIN), and therefore must be chained across two or three commands. However, this is more efficient than transferring the entire image, which in some biometric passport implementations is 15kB in size and requires up to 60 APDUs to be transferred.
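The chaining described above can be sketched as follows. This is an added example, not the UL tool code or the scheme specification: it uses ISO/IEC 7816-4 command chaining (bit 0x10 of CLA set on every command except the last) with short APDUs, and the INS, P1 and P2 values and the 200-byte block size are assumptions chosen for illustration.

```python
SHORT_LC_MAX = 255     # largest data field in a short (non-extended) command APDU
CLA_CHAIN_BIT = 0x10   # ISO/IEC 7816-4: "more commands follow in this chain"


def chain_apdus(data, cla=0x00, ins=0x20, p1=0x00, p2=0x00, block=SHORT_LC_MAX):
    """Split `data` into chained short command APDUs (header values assumed)."""
    if not data:
        raise ValueError("nothing to send")
    if not 1 <= block <= SHORT_LC_MAX:
        raise ValueError("block size must fit a one-byte Lc")
    if cla & CLA_CHAIN_BIT:
        raise ValueError("base CLA must not already carry the chaining bit")
    chunks = [data[i:i + block] for i in range(0, len(data), block)]
    apdus = []
    for n, chunk in enumerate(chunks):
        last = n == len(chunks) - 1
        this_cla = cla if last else cla | CLA_CHAIN_BIT
        apdus.append(bytes([this_cla, ins, p1, p2, len(chunk)]) + chunk)
    return apdus


def reassemble(apdus):
    """Card-side view: rebuild the payload, rejecting a malformed chain."""
    payload = bytearray()
    for n, apdu in enumerate(apdus):
        cla, lc, body = apdu[0], apdu[4], apdu[5:]
        if lc != len(body):
            raise ValueError("Lc does not match data length")
        more = bool(cla & CLA_CHAIN_BIT)
        if more == (n == len(apdus) - 1):
            raise ValueError("chaining bit inconsistent with position")
        payload += body
    return bytes(payload)


# Constructed 432-byte stand-in for a reference template (not real biometric data).
TEMPLATE = (bytes(range(256)) * 2)[:432]

if __name__ == "__main__":
    for block in (255, 200):   # 200 is an assumed smaller per-command payload
        chain = chain_apdus(TEMPLATE, block=block)
        print(block, [(hex(a[0]), a[4]) for a in chain])
    # A 15 kB image, taken here as 15,000 bytes, needs far more commands.
    print(len(chain_apdus(bytes(15000))))
```

The card-side check matters as much as the split: a receiver that trusts Lc or the chaining bit without validating them is where oversized or truncated templates cause trouble.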
During the hackathon presentations, this team was not only able to provide a live demo of the match-on-card system working with the UL tools – and I will leave anyone who has ever presented on-stage to ponder in fear the thought of a live demo created from scratch and demonstrated before 100 people (successfully!) in just two days – but they were also able to, without prior organisation, call on stage the group who had created the fake fingerprints for a live demonstration of their spoofing attack.
How did this new group create the fake fingerprints? Well ….
Fake it ‘Til you Make It
The final groups were tasked with the actual ‘hacking’ of various biometric systems, one looking at phone based systems that used the phone camera to perform either facial or eye based recognition, and the other attempting to bypass various fingerprint recognition systems.
Like all other teams, both of the hacking teams came into the hackathon with no previous experience with biometric systems – which was quite deliberate. Although in UL we do have experts in biometrics already, part of the goal of this process was to determine the difficulty in replicating existing attacks on systems or in determining new attacks. For example, it has been well known for some time now that fake fingerprints can be made using PCB etching techniques to copy a fingerprint taken from an imprint or latent image. However, more recently the creation of fake fingerprints from digital camera photographs has been discussed, and it has remained unclear just how easy these attacks are to reproduce and how the use of ‘liveness’ detection may successfully prevent such attacks. This was a primary goal of the team working with the fingerprint replication, and was met with great success.
For ‘hacking’ of the applications, UL obtained dispensation from the companies that produce these software products, and has subsequently fed back our findings. We believe very strongly in our mission to ‘make the world a safer place’ and responsible testing and disclosure is a large part of this in the field of security testing. These companies are now working on fixing the flaws we have found, making their products more secure. Although we cannot name these companies and products directly, we would very much like to thank them anonymously for their co-operation in this event.
Within the two days provided by the scope of the hackathon, the team had produced many fake fingerprints using imprints (hot glue works the best, but be careful you don’t leave your epidermis behind! Play Doh (c) is safer), latent fingerprints on a drinking glass, and fingerprints taken from the images of a person’s hand in a digital photograph. When not using an imprint directly, the team used mainly the PCB etching method of creating the fingerprints and found that wood glue and silicone each worked better for different types of sensors. However, not everything was a success, as many Gummy Bears lost their lives in vain being slow boiled into a morass of sticky disappointment that failed to produce any useful results. Similarly, attempts to replicate the use of laser printed overhead transparencies to create fake fingerprints failed along with the toner in the laser printer that was being used.
The fake fingerprints that were produced worked on all sensors tested – from leading phone brands, through to PC based sensors that are specifically advertised as providing liveness detection (three phones, three PC sensors). Therefore, a clear finding from the group is that replication of fingerprints is indeed very easy – even if you only have access to a digital photograph of sufficient resolution. The implications of this for systems relying on biometrics for security are discussed at the end of this post.
Investigations of image based authentication systems also showed that these can often be easily bypassed. The final team were successful in spoofing both of these, by using simple static images or videos replayed into the phone camera – although the quality of the photo/video was found to be an important factor, with ‘live’ video conference images being less successful than a pre-recorded video of good resolution. With the spoofing part done, they spent much of the remainder of their time digging through the application code, finding a number of potential security flaws and privacy concerns.
It was not all bad news though, as they also found an interesting key obfuscation method that utilized the derived biometric to extract a cryptographic key that was otherwise difficult to obtain from within the application. Defeating this method was beyond the team given the (highly limited) two days they had to perform all of the work, but they did seem eager to continue working to try to better characterize the objective security provided by the system!
Just the Factors, Mam
Given the wealth of knowledge obtained in the two day hackathon, along with the existing knowledge and experience UL has in biometrics, we will soon be producing a comprehensive whitepaper that covers biometric security. A key take-away from the hackathon is that biometrics, although very convenient, are not necessarily ready to be used as a single factor for even medium security level systems. Implementations that use the device that stores the biometric template as a second factor (such as common phone based solutions, or the scheme ‘match-on-card’ systems) should be favoured over those that store the biometric in an external host, and consideration should be given to the use of a third factor (such as a PIN) for high value transactions or areas which require high security.
Indeed, I know that some people would like to consider biometrics as more of a ‘username’ than a ‘password’ – an ID rather than an authentication mechanism. However, even with our existing knowledge and the findings from the hackathon, I am not so sure. I do not think that UL would endorse a finding that biometrics are insecure, in the same way we would not be happy to say that biometrics are secure. They are a useful tool that should be used only with a full understanding of the threat landscape into which they are being deployed, and a clear understanding of the actual security provided by the biometric system used (which may differ from vendor claims).
For example, I am happy to use my fingerprint to unlock my personal phone (even though it is one of the ones they managed to bypass with fake fingerprints in the hackathon!), but I would not be happy to use my fingerprint as an authentication method to unlock my office, or the work safe. Advances in biometrics are happening constantly, as are advances in attacks, and we need to be constantly aware of what the risks are and how our systems may mitigate these both now, and throughout their useful deployment lifespan.
Of course, I’m happy to talk to you directly about this – I’ll be the one keeping to the shadows wearing gloves, dark glasses, and a hoodie. Just no photos, please.