Defending Biometric Security
Identity Locker
Ned Hayes, Founder
@nedworking / ned@identity-locker.com
Biometric Exploits are Here
• Biometric exploits are here now, and they can be pervasive
The Threats to Biometric Security
Biometric Exploits
• Fingerprints
• Facial Recognition
• Iris Scans
Fingerprints on Device
Just asking to be broken:
• Insecure storage on device
• Insecure storage in cloud
• On-device enclave easily hacked / not encrypted
Basic Exploit that actually works (on some Android phones)
How to Hack Fingerprints
• Etched PCB & aluminum foil (Starbug)
Update on Fingerprints
The Big Exploit (2018)
• Deep Master Print – Philip Bontrager & academic team at NYU
• A machine-learning-driven exploit that analyzed a number of fingerprints in order to build a 3D model fingerprint that matches a large portion of the fingers used for secure login on devices today.
Facial Recognition Exploits
• Facial scans work by matching characteristics of a face to a template enrolled in a DB.
Basic “blocks” on face recognizers are known:
• Adding obfuscation and visual confusion
• Even wearing a hat and sunglasses can muck up a facial scan
• Downside of most facial “obfuscation” hacks is that they can be recognized by other human beings
More advanced exploits to fake the results:
• Machine learning derived fake faces
• AI-driven creation of a face from multiple angles
• 3D printing of 3D faces, with fake liveness (hard to do, but academics have proven it’s doable)
How to Stop a Facial Scan: Obfuscation
Evolution of Facial Recog Exploits *
* Original work by Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose, Department of Computer Science, University of North Carolina at Chapel Hill (USENIX Security)
How to Fake a Facial Scan: 3D Heads
• Reproduction of Facial Recog areas only (higher fidelity)
Iris Scan Exploits
• Iris scans appear to be highly secure, because they scan a unique body part at high resolution.
However, they can be hacked:
• A contact lens can fake an iris
• Upload of an infrared scan of a person’s face (no access to reference data; instead, just an infrared scan of an eye at high resolution)
• Requires technical expertise
• Newer hacks require a scan of the iris – a hack of reference data
Iris Scan Exploits
• Examples:
The Verge, “Eye spy” – Hacker beats Galaxy S8 iris scanner using an IR image and a contact lens, by Chaim Gartenberg (@cgartenberg), May 23, 2017:
Based on name alone, the futuristic iris-scanning feature on the Galaxy S8 sounds like it would be the most secure way to lock your phone. Hacker Jan Krissler, who goes by the name Starbug, shows in a recent video that, despite the impressive technology in unlocking your phone with your eyes, the security system can be beaten with a relatively low-tech hack. As the video shows, Starbug is able to take an infrared picture of a person’s face using the night mode setting on a regular point-and-shoot camera. Print it out on an ordinary laser printer and it fools the camera by placing a contact lens over the image to give it the appearance of an actual human eye. While it certainly is a little more effort than, say, […]
The Hacker News – Hacker Finds a Simple Way to Fool IRIS Biometric Security Systems, by Swati Khandelwal, March 06, 2015:
Biometric security systems that involve a person's unique identification (ID), such as Retinal, IRIS, Fingerprint or DNA, are still evolving to change our lives for the better even though the biometric scanning technology still has many concerns such as information privacy and physical privacy. In past years, fingerprint security systems (https://thehackernews.com/2013/09/finally-iphones-fingerprint-scanner.html), which are widely used in different applications such as smartphones and judicial systems to record users' information and verify a person's identity, were bypassed several times by various security researchers, and now the IRIS scanner is claimed to be defeated.
Veins / Palm Exploits
• Vein / palm scans were thought to be a highly secure alternative to fingerprints
• Turns out that these can be hacked as well (with reference data)
Attack Vectors for Biometrics
Biometric Identity Processing System
• Input Data (1)
  • Input Data (1a)
  • Reference Data (1b)
• Sensor (2)
• Software (3)
  • Matcher
  • Threshold
[Diagram: Input Data (1a) → Sensor (2) → Software (3): Preprocessing → Matching; Reference Data (1b) supplied to Matching from the Database]
Structure of this system originally outlined in this format by Starbug, 2014
3 Types of Attacks
• Attack the Input Data (1)
  • Input Data (1a)
  • Reference Data (1b)
• Attack using the Sensor (2)
• Attack the Software (3)
  • Matcher
  • Threshold
[Diagram: the system diagram with attack points (1a), (1b), (2) and (3) marked]
1. Attack Via Input Data
• Attack the Input Data (1)
  • Input Data (1a)
    • Most common attack vector: easiest and most accessible vulnerability
  • Reference Data (1b)
    • No attacks recently directly along this vector
    • But high-fidelity hacks require access to cracked original Reference Data
[Diagram: Input Data (1a) and Reference Data (1b) highlighted on the system diagram]
2. Attack Via Sensor
• Attack the Input Data (1)
  • Input Data (1a)
  • Reference Data (1b)
• Attack using the Sensor (2)
[Diagram: Sensor (2) highlighted on the system diagram]
3. Attack Via Software
• Attack the Input Data (1)
  • Input Data (1a)
  • Reference Data (1b)
• Attack using the Sensor (2)
• Attack the Software (3)
  • Matcher
  • Threshold
[Diagram: Software (3) – Preprocessing and Matching – highlighted on the system diagram]
Defending Against Biometric Hacks
Multi-factor authentication
• BEST – NIRVANA: Multiple biometrics + Identity Face match / PIV-I card check, validation by an in-person check with an actual human (military grade)
• BETTER – BETTER FOR BUSINESS: Multi-factor authentication which includes but does not privilege biometrics – treats data knowledge as equivalent
  • Multiple biometrics + PIN / Login / Passcode
• GOOD – PRETTY GOOD SECURITY: Multi-factor biometric security which occurs simultaneously (pretty hard to hack all in sync)
  • Fingerprints + Facial Recognition + Iris + Audio Recognition
  • Note: Requires enrollment/login stations capable of handling multiple biometrics
High fidelity / Multi-finger enrollment
• Most fingerprint systems (on device) only collect and store a few millimeters of a fingertip.
• This small sample set is relatively easy to replicate and use in a hack.
• To prevent this hack, use a higher fidelity enrollment system that enrolls more area of the finger and more fingers on each hand.
Small on-device sample VS. collect much more data, match on many more points
Facial Recognition
• Facial recognition systems also operate off a limited template
• Adding complexity to the input is useful - ensure you are capturing not only the front face, but also the side, the back, as much movement as possible
• Add liveness detection + multi-angles
• Collect much more data, match on many more points
How to Prevent 3 Types of Attacks
• Complicate/Harden the Input Data (1)
• Provide Observation of Sensor (2)
• Harden the Software (3)
[Diagram: the system diagram with defense points (1a), (1b), (2) and (3) marked]
1. Harden/Complicate Input Data
• Complicate/Harden the Input Data (1)
  • Input Data (1a)
    • Add multiple biometrics that login simultaneously (not sequentially)
    • Require higher fidelity enrollment and more data from each biometric
    • Add more minutiae as input data
[Diagram: additional Input Data (1a) sources added in front of the Sensor]
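The claim that a few millimeters of fingertip are easy to replicate, and the defense of enrolling more area and more minutiae (the High fidelity / Multi-finger enrollment slide and the input-data hardening above), worked through as a toy probability model. This is an added example, not from the deck and not Identity Locker's code; the per-minutia chance-correspondence rate P_CHANCE, the minutiae counts and the match thresholds are constructed assumptions, chosen only to show the direction of the effect:

```python
# Added example (not from the Identity Locker slides): a toy probability
# model of why a small enrolled patch with few minutiae is easier to
# false-match than a high-fidelity, whole-finger enrollment.  Assumption,
# not a measured figure: each minutia of an impostor's print lines up with
# some template minutia independently with probability P_CHANCE.
from fractions import Fraction
from math import comb

P_CHANCE = Fraction(3, 10)  # constructed per-minutia chance-correspondence rate


def false_match_prob(template_minutiae, required_matches, p=P_CHANCE):
    """Probability that a random (non-spoofed) print reaches the match
    threshold: P[Binomial(template_minutiae, p) >= required_matches].
    Computed exactly with Fractions so the tiny tail is not lost to rounding."""
    n, k = template_minutiae, required_matches
    return sum(comb(n, j) * p**j * (1 - p) ** (n - j) for j in range(k, n + 1))


def any_template_false_match(per_template_prob, stored_templates):
    """Devices that keep several partial impressions per finger accept if
    ANY stored template matches, so the chance of a false match compounds."""
    return 1 - (1 - per_template_prob) ** stored_templates


def compare_enrollments():
    """Return (partial_far, partial_far_with_10_templates, full_far) as floats.

    Partial: a fingertip patch yielding 12 minutiae, 8 required to match.
    Full:    whole-finger enrollment yielding 40 minutiae, 27 required
             (the same ~2/3 fraction, so the matcher is no stricter per point).
    """
    partial = false_match_prob(12, 8)
    full = false_match_prob(40, 27)
    return (float(partial),
            float(any_template_false_match(partial, 10)),
            float(full))


if __name__ == "__main__":
    partial, partial_10, full = compare_enrollments()
    print(f"partial patch, 1 template  : FAR ~ {partial:.2e}")
    print(f"partial patch, 10 templates: FAR ~ {partial_10:.2e}")
    print(f"whole-finger enrollment    : FAR ~ {full:.2e}")
```

Under these assumptions the 12-minutia patch false-matches a random print roughly one time in a hundred, and a device that keeps ten such partial impressions per finger accepts a random print about one time in eleven, while the 40-minutia whole-finger template, at the same required fraction, is several thousand times harder to false-match. The absolute numbers depend entirely on P_CHANCE and the counts; the direction of the effect is the point the slide makes, and it is the setting in which the Deep Master Print slide's "matches a large portion of fingers" result is possible.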
2. Add Observation of Sensor
• Complicate/Harden the Input Data (1)
• Provide Observation of Sensor (2)
  • IDEAL – IN PERSON: Have an actual person observe both enrollments and login (this can be done remotely & off-shore)
  • RANDOM SCREENS: Randomly audit logins with human observation
  • AI OBSERVATION: Add a layer of observational video and AI to check humans at the enrollment station and actions at the station. Check multiple signifiers of actual human activity (voice, movement, approach to station, etc.)
[Diagram: Sensor (2) highlighted on the system diagram]
3. Harden the Software
• Complicate/Harden the Input Data (1)
  • Communication Data (1a)
  • Reference Data (1b)
• Provide Observation of Sensor (2)
• Harden the Software (3)
  • THRESHOLD: ideal to raise the threshold to accommodate high fidelity logins (adds enrollment and login time, obviating some reasons to use biometrics in the first place)
  • PROCESSING: use hardened pre-processing with templates that provide encrypted matching algorithms / store templates securely
  • MULTI-FACTOR MATCHING: Match against multiple biometrics simultaneously, not just one input at a time.
[Diagram: Software (3) with multiple Matching stages highlighted on the system diagram]
A Hardened Biometrics System
More complicated, but much more secure
• Complicate/Harden the Input Data (1)
  • Includes multiple bio inputs
  • Enroll at higher fidelity / more minutiae
• Provide Observation of Sensor (2)
  • Includes observational data (actual human ideal)
• Harden the Software (3)
  • Higher threshold for enrollment/login
  • Includes encrypted template DB
  • Includes multi-factor matching
[Diagram: hardened system with multiple Input Data (1a) sources, an observed Sensor (2), and multiple Matching stages in the Software (3)]
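The multi-factor matching and threshold points made on the Multi-factor authentication slide, the 3. Harden the Software slide and this hardened-system summary, worked through as an added example that is not part of the original deck and is not Identity Locker's software. The four modality names, the equal-weight mean as the fusion rule, and every similarity score below are assumptions constructed for illustration; a real matcher would calibrate its fusion rule and threshold on measured genuine and impostor score distributions:

```python
# Added example (not from the Identity Locker slides): a score-level fusion
# matcher that decides on all enrolled biometrics at once, beside the
# one-factor decision most devices make today, plus a helper that shows
# what raising the threshold costs in false rejections.  All scores are
# constructed; the equal-weight mean is one of several possible fusion rules.
from statistics import mean

# Modalities the deck lists for simultaneous matching.
MODALITIES = ("fingerprint", "face", "iris", "voice")


def missing_modalities(scores, required=MODALITIES):
    """Modalities the attempt failed to supply a score for."""
    return [m for m in required if m not in scores]


def fuse(scores, required=MODALITIES):
    """Fused similarity in [0, 1] for one login attempt.

    `scores` maps modality -> matcher similarity in [0, 1].  A missing
    modality is an error rather than a skipped factor, so an attacker cannot
    simply omit the biometric they are unable to spoof.
    """
    missing = missing_modalities(scores, required)
    if missing:
        raise ValueError(f"attempt is missing modalities: {missing}")
    for m in required:
        if not 0.0 <= scores[m] <= 1.0:
            raise ValueError(f"score for {m} out of range: {scores[m]}")
    # Equal-weight mean: a single spoofed modality near 1.0 cannot lift
    # three poor ones over a sensible threshold.
    return mean(scores[m] for m in required)


def accept(scores, threshold, required=MODALITIES):
    """Multi-factor decision: accept only if the fused score reaches the threshold."""
    return fuse(scores, required) >= threshold


def single_factor_accept(scores, modality, threshold):
    """Baseline: the one-biometric decision a phone unlock makes."""
    return scores[modality] >= threshold


def error_rates(threshold, genuine, impostor, required=MODALITIES):
    """(FRR, FAR) of the multi-factor decision at `threshold`: the fraction
    of genuine attempts rejected and of impostor attempts accepted."""
    frr = sum(not accept(s, threshold, required) for s in genuine) / len(genuine)
    far = sum(accept(s, threshold, required) for s in impostor) / len(impostor)
    return frr, far


# Constructed attempts.  Genuine users score well on every modality.  The
# impostor set holds two strangers and a "one-factor spoof": a cloned
# fingerprint (0.97) presented together with the attacker's own face, iris
# and voice.
GENUINE = [
    {"fingerprint": 0.92, "face": 0.88, "iris": 0.95, "voice": 0.84},
    {"fingerprint": 0.85, "face": 0.90, "iris": 0.91, "voice": 0.80},
    {"fingerprint": 0.78, "face": 0.82, "iris": 0.89, "voice": 0.75},
    {"fingerprint": 0.94, "face": 0.79, "iris": 0.93, "voice": 0.88},
]
IMPOSTOR = [
    {"fingerprint": 0.20, "face": 0.31, "iris": 0.12, "voice": 0.28},
    {"fingerprint": 0.35, "face": 0.22, "iris": 0.18, "voice": 0.40},
    {"fingerprint": 0.97, "face": 0.30, "iris": 0.15, "voice": 0.33},
]
SPOOF = IMPOSTOR[2]


def demo(threshold=0.80):
    """The spoof beats the single-factor check but not the fused one."""
    return {
        "single_factor_spoof_accepted": single_factor_accept(SPOOF, "fingerprint", threshold),
        "multi_factor_spoof_accepted": accept(SPOOF, threshold),
        "fused_spoof_score": round(fuse(SPOOF), 4),
    }


if __name__ == "__main__":
    print(demo())
    for t in (0.80, 0.85, 0.88):
        frr, far = error_rates(t, GENUINE, IMPOSTOR)
        print(f"threshold {t:.2f}: FRR={frr:.2f} FAR={far:.2f}")
```

On the constructed data the cloned fingerprint alone passes a 0.80 single-factor check, while its fused score of about 0.44 is nowhere near the threshold; that is the "hard to hack all in sync" property of simultaneous matching. Moving the threshold from 0.80 to 0.88 leaves the false-accept rate at zero but rejects half of the genuine attempts, which is the login-friction cost the THRESHOLD bullet warns about.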
Defending
Biometric
Security
Identity Locker
Ned Hayes, Founder
@nedworking / ned@identity-locker.com
™

Contenu connexe

Tendances

Biometric Security Mobile
Biometric Security MobileBiometric Security Mobile
Biometric Security Mobile
Jerry Ruggieri
 
Biometric Authentication Technology - Report
Biometric Authentication Technology - ReportBiometric Authentication Technology - Report
Biometric Authentication Technology - Report
Navin Kumar
 
Using (Bio)Metrics To Predict Code Quality Online
Using (Bio)Metrics To Predict Code Quality OnlineUsing (Bio)Metrics To Predict Code Quality Online
Using (Bio)Metrics To Predict Code Quality Online
s-mueller
 
Biometrics technology
Biometrics technology Biometrics technology
Biometrics technology
Niharika Gupta
 
Biometric security system
Biometric security systemBiometric security system
Biometric security system
Mithun Paul
 

Tendances (20)

Biometric Security Mobile
Biometric Security MobileBiometric Security Mobile
Biometric Security Mobile
 
Biometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learningBiometricstechnology in iot and machine learning
Biometricstechnology in iot and machine learning
 
Biometrics Technology In the 21st Century
Biometrics Technology In the 21st CenturyBiometrics Technology In the 21st Century
Biometrics Technology In the 21st Century
 
Biometrics ppt
Biometrics pptBiometrics ppt
Biometrics ppt
 
Case study on Usage of Biometrics (Cryptography)
Case study on Usage of Biometrics (Cryptography)Case study on Usage of Biometrics (Cryptography)
Case study on Usage of Biometrics (Cryptography)
 
Biometric Authentication Technology - Report
Biometric Authentication Technology - ReportBiometric Authentication Technology - Report
Biometric Authentication Technology - Report
 
Biometrics
BiometricsBiometrics
Biometrics
 
Biometric Security Systems ppt
Biometric Security Systems pptBiometric Security Systems ppt
Biometric Security Systems ppt
 
Biometrics Pros & cons
Biometrics Pros & consBiometrics Pros & cons
Biometrics Pros & cons
 
Biometrics techniques
Biometrics techniquesBiometrics techniques
Biometrics techniques
 
Using (Bio)Metrics To Predict Code Quality Online
Using (Bio)Metrics To Predict Code Quality OnlineUsing (Bio)Metrics To Predict Code Quality Online
Using (Bio)Metrics To Predict Code Quality Online
 
Biometric Systems
Biometric SystemsBiometric Systems
Biometric Systems
 
Biometric authentication
Biometric authenticationBiometric authentication
Biometric authentication
 
Biometrics technology
Biometrics technology Biometrics technology
Biometrics technology
 
Biometrics
BiometricsBiometrics
Biometrics
 
Biometric Authentication PPT
Biometric Authentication PPTBiometric Authentication PPT
Biometric Authentication PPT
 
Biometrics
BiometricsBiometrics
Biometrics
 
Biometric
Biometric Biometric
Biometric
 
Biometric authentication ppt by navin 6 feb
Biometric authentication ppt by navin 6 febBiometric authentication ppt by navin 6 feb
Biometric authentication ppt by navin 6 feb
 
Biometric security system
Biometric security systemBiometric security system
Biometric security system
 

Similaire à Defending Biometric Security

逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
HITCON GIRLS
 

Similaire à Defending Biometric Security (20)

Biometrics/fingerprint sensors
Biometrics/fingerprint sensorsBiometrics/fingerprint sensors
Biometrics/fingerprint sensors
 
Best Practices in IBM i Security
Best Practices in IBM i SecurityBest Practices in IBM i Security
Best Practices in IBM i Security
 
Cyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptxCyber Security and Data Privacy in Information Systems.pptx
Cyber Security and Data Privacy in Information Systems.pptx
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
 
Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1Marcos de Pedro Neoris authenware_cybersecurity step1
Marcos de Pedro Neoris authenware_cybersecurity step1
 
Using Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced ThreatsUsing Big Data to Counteract Advanced Threats
Using Big Data to Counteract Advanced Threats
 
It's about biometric system L10A_Savvides_Biometrics.pdf
It's about biometric system L10A_Savvides_Biometrics.pdfIt's about biometric system L10A_Savvides_Biometrics.pdf
It's about biometric system L10A_Savvides_Biometrics.pdf
 
Disrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User AuthenticationDisrupt Hackers With Robust User Authentication
Disrupt Hackers With Robust User Authentication
 
Fully Integrated Defense Operation
Fully Integrated Defense OperationFully Integrated Defense Operation
Fully Integrated Defense Operation
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy Li
 
Stopping zero day threats
Stopping zero day threatsStopping zero day threats
Stopping zero day threats
 
Developing A Cyber Security Incident Response Program
Developing A Cyber Security Incident Response ProgramDeveloping A Cyber Security Incident Response Program
Developing A Cyber Security Incident Response Program
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 

Dernier

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
Muhammad Subhan
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
Overkill Security
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 

Dernier (20)

ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Navigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiNavigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi Daparthi
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 

Defending Biometric Security

  • 1. Defending Biometric Security Identity Locker Ned Hayes, Founder @nedworking / ned@identity-locker.com ™
  • 3. Biometric Exploits are Here • Biometric exploits are here now, and they can be pervasive
  • 4. Biometric Exploits are Here • Biometric exploits are here now, and they can be pervasive The Threats to Biometric Security
  • 6. Biometric Exploits • Fingerprints • Facial Recognition • Iris Scans
  • 7. Fingerprints on Device Just asking to be broken: • Insecure storage on device Insecure storage in cloud • On-device enclave easily hacked / not encrypted
  • 8. Basic Exploit that actually works (on some Android phones) • Asdf • Etched PCB & Alumninum Foil (Starbug) • asdf
  • 9. How to Hack Fingerprints • Asdf • Etched PCB & Alumninum Foil (Starbug) • asdf
  • 10. Update on Fingerprints The Big Exploit (2018) • Deep Master Print – Philip Bontrager & Academic Team at NYU • A machine learning driven exploit that analyzed a number of fingerprints in order to build a 3D model fingerprint that matches a large portion of fingers used on for secure login on devices today.
  • 11. Facial Recognition Exploits • Facial scans work by matching characteristics of a face to a template enrolled in a DB. Basic “blocks” on face recognizers are known: • Adding obfuscation and visual confusion • Even wearing a hat and sunglasses can muck up a facial scan • Downside of most facial “obfuscation” hacks is that it can be recognized by other human beings More advanced exploits to fake the results: • Machine learning derived fake faces • AI-driven creation of face from multiple angles • 3D printing of 3D faces, with fake liveliness (hard to do, but academics have proven it’s doable)
  • 12. How to Stop a Facial Scan: Obfuscation
  • 13. Evolution of Facial Recog Exploits * * Original work by Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose Department of Computer Science, University of North Carolina at Chapel Hill USENIX Security
  • 14. Evolution of Facial Recog Exploits * * Original work by Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose Department of Computer Science, University of North Carolina at Chapel Hill USENIX Security
  • 15. Evolution of Facial Recog Exploits * * Original work by Yi Xu, True Price, Jan-Michael Frahm, and Fabian Monrose Department of Computer Science, University of North Carolina at Chapel Hill USENIX Security
  • 16. How to Fake a Facial Scan: 3D Heads • Reproduction of Facial Recog Areas only (higher fidelity)_
  • 17. Iris Scan Exploits • Iris scans appear to be highly secure, because it is scanning a unique body part under high resolution. However, it can be hacked: • Contact Lens can fake an iris • Upload of a infrared scan of a person’s face (no access to reference data, instead, just an infrared scan of a eye at high rez) • Requires technical expertise • Newer hacks require a scan of the iris – hack of reference data
  • 18. Iris Scan Exploits • Examples: Eye spy By Chaim Gartenberg @cgartenberg May 23, 2017, 10:37am EDT TECH SAMSUNG CYBERSECURITY Hacker beats Galaxy S8 iris scanner using an IR image and a contact lens 11 Based on name alone, the futuristic iris-scanning feature on the Galaxy S8 sounds like it would be the most secure way to lock your phone. Hacker Jan Krissler, who goes by the name Starbug, shows in a recent video that, despite the impressive technology in unlocking your phone with your eyes, the security system can be beaten with a relatively low-tech hack. As the video shows, Starbug is able to take a infrared picture of a person’s face using the night mode setting on a regular point and shoot camera. Print it out on an ordinary laser printer and it fools the camera by placing a contact lens over the image to give it the appearance of an actual human eye. While it certainly is a little more effort than, say, (https://1.bp.blogspot.com/-rSiTjwXZmT4/VPmbURLovxI/AAAAAAAAiH0/jB3L24BeGO0/s728- e100/iris-biometric-security-system.jpg) Hacker Finds a Simple Way to Fool IRIS Biometric Security Systems March 06, 2015 Swati Khandelwal Biometric security systems that involve person's unique identi cation (ID), such as Retinal, IRIS, Fingerprint or DNA, are still evolving to change our lives for the better even though the biometric scanning technology still has many concerns such as information privacy, and physical privacy. In past years, Fingerprint security system (https://thehackernews.com/2013/09/ nally- iphones- ngerprint-scanner.html) , which is widely used in different applications such as smartphones and judicial systems to record users' information and verify person's identity, were bypassed several times by various security researches, and now, IRIS scanner claimed to be defeated.
  • 19. Veins / Palm Exploits • Vein / Palm scans were thought to be highly secure alternative to fingerprints • Turns out that these can be hacked as well (with reference data)
  • 22. Biometric Identity Processing System • Input Data (1) • Input Data (1a) • Reference Data (1b) • Sensor (2) • Software (3) • Matcher • Threshold Sensor Software Preprocessing Matching Database (2) (3) (1b)(1a) Input Data (1a) Structure of this system originally outlined in this format by Starbug, 2014
  • 23. 3 Types of Attacks Sensor Software Preprocessing Matching Database (2) (3) (1b)(1a) Input Data (1a)• Attack the Input Data (1) • Input Data (1a) • Reference Data (1b) • Attack using the Sensor (2) • Attack the Software (3) • Matcher • Threshold Sensor Software Preprocessing Matching Database
  • 24. 1. Attack Via Input Data • Attack the Input Data (1) • Input Data (1a) • Most Common Attack Vector: Easiest and most accessible vulnerability • Reference Data (1b) • No Attacks recently directly along this vector • But high-fidelity hacks require access to cracked original Reference data Sensor Database (1b )(1a) Software Input Data Reference Data (1a)
  • 25. 2. Attack Via Sensor • Attack the Input Data (1) • Input Data (1a) • Reference Data (1b) • Attack using the Sensor (2) Sensor Software Preprocessing Database (2) (1b)(1a) Input Data (1a)
  • 26. 2. Attack Via Software • Attack the Input Data (1) • Input Data (1a) • Reference Data (1b) • Attack using the Sensor (2) • Attack the Software (3) • Matcher • Threshold Sensor Software Preprocessing Matching Database (2) (3) (1b)(1a) Input Data (1a)
  • 28. Multi-factor authentication • NIRVANA: Multiple biometrics + Identity Face match / PIV-I card check validation by an in-person check with actual human (military grade) • BETTER FOR BUSINESS: Multi-factor authentication which includes but does not privilege biometrics – treats data knowledge as equivalent • Multiple biometrics + PIN/Login / Passcode • PRETTY GOOD SECURITY: Multi-factor biometric security which occurs simultaneously (pretty hard to hack all in sync) • Fingerprints + Facial Recognition + Iris + Audio Recognition • Note: Requires enrollment/login stations capable of handling multiple biometrics BEST BETTER GOOD
  • 29. High fidelity / Multi-finger enrollment • Most fingerprint systems (on device) only collect and store a few millimeters of a fingertip. • This small sample set is relatively easy to replicate and use in a hack. • To prevent this hack, use a higher fidelity enrollment system that enrolls more area of the finger and more fingers on each hand. VS. Collect much more data, match on many more points
• 30. Facial Recognition
• Facial recognition systems also operate off a limited template.
• Adding complexity to the input is useful: capture not only the front of the face but also the sides and back of the head, and as much movement as possible.
• Add liveness detection and multi-angle capture.
[Figure: single frontal template vs. multi-angle enrollment; collect much more data, match on many more points]
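The claim shared by slides 29 and 30 (collect much more data, match on many more points) can be made concrete with a toy minutiae matcher for the fingerprint case. This is an added example, not code from the deck or from Identity Locker; the grid-based template, the tolerances, the sensor-noise model and the 0.6 threshold are all constructed assumptions. The same partial-print spoof is scored against a low-fidelity template (one small sensor window) and against a whole-finger template: the spoof scores 100% against the small template and only 15% against the full one, so the full enrolment rejects it at the same threshold.

```python
"""Toy minutiae matcher showing why a small enrolled template is easy to spoof.

Added example for this deck, not the author's or Identity Locker's code.
A fingerprint template is a list of minutiae (x, y, angle). The matcher pairs
each reference minutia with an unused probe minutia inside a tolerance, and the
score is the matched fraction of the reference. Templates, tolerances and the
sensor-noise model are all constructed for illustration.
"""
import math
import random

TOL_XY = 4.0       # assumed positional tolerance, pixels
TOL_ANGLE = 20.0   # assumed orientation tolerance, degrees


def make_finger():
    """Constructed full-finger template: 40 minutiae on a 5x8 grid over 200x300 px."""
    xs = [20, 60, 100, 140, 180]
    ys = [15 + 40 * j for j in range(8)]
    pts = [(x, y) for y in ys for x in xs]
    return [(float(x), float(y), float((i * 47) % 360)) for i, (x, y) in enumerate(pts)]


def crop(template, x0, y0, w, h):
    """Low-fidelity enrolment: keep only the minutiae inside one small sensor window."""
    return [m for m in template if x0 <= m[0] < x0 + w and y0 <= m[1] < y0 + h]


def jitter(template, rng):
    """Sensor noise on a presented sample: at most 1 px and 5 degrees per minutia."""
    return [(x + rng.uniform(-1, 1), y + rng.uniform(-1, 1), (a + rng.uniform(-5, 5)) % 360)
            for x, y, a in template]


def _angle_diff(a, b):
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)


def match_score(probe, reference):
    """Fraction of reference minutiae that some (unused) probe minutia falls within tolerance of."""
    if not reference:
        return 0.0
    unused = list(probe)
    matched = 0
    for rx, ry, ra in reference:
        for i, (px, py, pa) in enumerate(unused):
            if math.hypot(px - rx, py - ry) <= TOL_XY and _angle_diff(pa, ra) <= TOL_ANGLE:
                matched += 1
                del unused[i]
                break
    return matched / len(reference)


def decide(probe, reference, threshold):
    return match_score(probe, reference) >= threshold


def run_demo(threshold=0.6):
    """Same finger, same spoof, two enrolment fidelities. Returns scores and decisions."""
    rng = random.Random(7)
    finger = make_finger()
    small_ref = crop(finger, 0, 0, 100, 100)  # what a 'few millimetres' sensor enrolled
    full_ref = finger                          # high-fidelity, whole-finger enrolment
    # Attacker reproduces only the region the small sensor ever saw (a lifted partial print).
    spoof = jitter(small_ref, rng)
    # Genuine user presents the whole finger; an impostor presents a different finger.
    genuine = jitter(finger, rng)
    impostor = [(x + 10, y + 10, a) for x, y, a in finger]
    return {
        "small_ref_minutiae": len(small_ref),
        "full_ref_minutiae": len(full_ref),
        "spoof_vs_small": match_score(spoof, small_ref),
        "spoof_vs_full": match_score(spoof, full_ref),
        "genuine_vs_full": match_score(genuine, full_ref),
        "impostor_vs_full": match_score(impostor, full_ref),
        "spoof_accepted_small": decide(spoof, small_ref, threshold),
        "spoof_accepted_full": decide(spoof, full_ref, threshold),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>22}: {value}")
```

Note that the threshold does not change between the two runs; the extra minutiae in the reference are what turn the spoof from a perfect match into a weak one, which is the point of slide 29's multi-finger, whole-finger enrollment.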
• 31. How to Prevent 3 Types of Attacks
[Diagram: Sensor → Software (Preprocessing → Matching) → Database, with defense points (1a)/(1b) Input and Reference Data, (2) Sensor, (3) Software]
• Complicate/Harden the Input Data (1)
• Provide Observation of the Sensor (2)
• Harden the Software (3)
• 32. 1. Harden/Complicate Input Data
[Diagram: Sensor → Software → Database, with defense point (1a) Input Data]
• Add multiple biometrics that log in simultaneously (not sequentially)
• Require higher-fidelity enrollment and more data from each biometric
• Add more minutiae as input data
• 34. 2. Add Observation of Sensor
[Diagram: Sensor → Software → Database, with defense point (2) at the Sensor]
• IDEAL (IN PERSON): have an actual person observe both enrollment and login (this can be done remotely and off-shore)
• RANDOM SCREENS: randomly audit logins with human observation
• AI OBSERVATION: add a layer of observational video and AI that checks the humans at the enrollment station and the actions taken there. Check multiple signifiers of actual human activity (voice, movement, approach to the station, etc.)
• 36. 3. Harden the Software
[Diagram: Sensor → Software (Preprocessing → Matching) → Database, with defense point (3) at the Software; the hardened design runs several matchers in parallel]
• THRESHOLD: raise the match threshold to take advantage of high-fidelity enrollment (trade-off: longer enrollment and login, which removes some of the convenience that motivated biometrics in the first place)
• PROCESSING: use hardened pre-processing and templates designed for matching in the encrypted/protected domain; store templates securely
• MULTI-FACTOR MATCHING: match against multiple biometrics simultaneously, not one input at a time
• 38. A Hardened Biometrics System
More complicated, but much more secure
[Diagram: Sensor → Software (Preprocessing → parallel Matching) → Database, with defense points (1a)/(1b), (2), (3)]
• Complicate/Harden the Input Data (1)
  • Includes multiple biometric inputs
  • Enroll at higher fidelity / more minutiae
• Provide Observation of the Sensor (2)
  • Includes observational data (an actual human observer is ideal)
• Harden the Software (3)
  • Higher threshold for enrollment/login
  • Includes an encrypted template DB
  • Includes multi-factor matching
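One way to implement the software hardening of slides 36 and 38 together with the simultaneous multi-biometric matching of slide 28 (GOOD tier) in working code. This is an added example, not the deck's or Identity Locker's code. The feature vectors, cosine similarity, the HMAC sealing scheme and the constant device key are assumptions that stand in for a real template-protection scheme and a secure element; HMAC provides integrity only, so templates would additionally be encrypted at rest for confidentiality. The point shown is that a rewritten reference template (attack 1b) and a lowered threshold (attack 3) are both detected rather than honoured, and that a strong fingerprint spoof alone never reaches an accept because every modality is scored before any decision is made.

```python
"""Hardened decision logic: sealed templates and policy, simultaneous multi-factor matching.

Added example, not the deck's or Identity Locker's code. Templates are toy
feature vectors compared by cosine similarity. Every reference template and the
threshold policy are sealed with an HMAC under a device-bound key (simulated
here by a constant; a real system keeps it in a secure element or TEE), so a
rewritten reference (attack 1b) or a lowered threshold (attack 3) is detected
instead of honoured. All vectors and thresholds are constructed.
"""
import hashlib
import hmac
import json
import math


class TamperedRecord(Exception):
    """Raised when a sealed record's body does not match its tag."""


def _canonical(record):
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key):
    """Bind a template or policy record to the device key. Returns the stored form."""
    body = _canonical(record)
    return {"body": body.decode(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def unseal(sealed, key):
    """Verify the tag in constant time before trusting anything in the body."""
    body = sealed["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise TamperedRecord("sealed record failed integrity check")
    return json.loads(body)


def tamper(sealed, new_record):
    """Attacker with DB write access rewrites the body but cannot recompute the tag."""
    return {"body": _canonical(new_record).decode(), "tag": sealed["tag"]}


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def authenticate(probes, sealed_refs, sealed_policy, key):
    """Match every enrolled modality in one pass; all must clear their threshold.

    A sequential design would return on the first passing factor; here the decision
    is made only after every factor has been scored, and a missing factor is a reject.
    """
    try:
        policy = unseal(sealed_policy, key)  # thresholds live inside the sealed record
        required = set(policy["thresholds"])
        if set(probes) != required:
            return {"accepted": False, "reason": "presented modalities do not match policy"}
        scores = {m: cosine(probes[m], unseal(sealed_refs[m], key)["features"])
                  for m in sorted(required)}
    except TamperedRecord as exc:
        return {"accepted": False, "reason": f"tampered: {exc}"}
    failed = sorted(m for m in required if scores[m] < policy["thresholds"][m])
    return {"accepted": not failed, "scores": scores, "failed": failed}


def run_demo():
    key = b"device-bound-key-held-in-secure-element"  # assumption: stands in for a TEE/SE key
    enrolled = {
        "finger": [1.0, 0.0, 1.0, 0.5],
        "face": [0.2, 1.0, 0.3, 0.9],
        "iris": [0.9, 0.1, 0.8, 0.1],
    }
    refs = {m: seal({"modality": m, "features": v}, key) for m, v in enrolled.items()}
    policy = seal({"thresholds": {"finger": 0.9, "face": 0.9, "iris": 0.9}}, key)

    genuine = {"finger": [1.0, 0.1, 0.9, 0.5], "face": [0.2, 0.9, 0.3, 1.0], "iris": [0.8, 0.1, 0.9, 0.1]}
    # Attacker holds a good fingerprint spoof but presents their own face and iris.
    spoof = dict(genuine, face=[1.0, 0.0, 0.0, 0.0], iris=[0.0, 0.0, 0.0, 1.0])

    out = {"genuine": authenticate(genuine, refs, policy, key)}
    out["spoof_one_factor"] = authenticate(spoof, refs, policy, key)
    out["finger_only"] = authenticate({"finger": genuine["finger"]}, refs, policy, key)
    # Attack 1b: overwrite the stored face template with the attacker's own face.
    bad_refs = dict(refs)
    bad_refs["face"] = tamper(refs["face"], {"modality": "face", "features": spoof["face"]})
    out["tampered_reference"] = authenticate(spoof, bad_refs, policy, key)
    # Attack 3: lower every threshold so that anything would match.
    bad_policy = tamper(policy, {"thresholds": {"finger": 0.0, "face": 0.0, "iris": 0.0}})
    out["tampered_threshold"] = authenticate(spoof, refs, bad_policy, key)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Keeping the thresholds inside a sealed record is what makes the "raise the threshold" advice on slide 36 hold up: an attacker who can edit the matcher's configuration would otherwise simply lower it again.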