Biometrics are becoming increasingly commonplace tools in User Access Control (UAC) systems. Fingerprint scanners are now present in even mid to entry-level smartphones – putting this technology firmly at, well, our fingertips. Fingerprints, palm vein images, face scans, iris scans and so on are often employed as the ‘something you are’ in a multi-factor authentication scheme. But do they really offer as much assurance about a user’s identity as you think?
Protecting systems, data & users through the science of security.
In this article, I want to explore the areas we need to think carefully about when considering biometrics as part of a security solution. A good place to start is spoofing. Might this be the primary threat? As these sensors become commoditised, so the methods for spoofing them become more widely known. Take, for example, the ruse of fooling fingerprint scanners using data from a photograph. Research into such attacks, including their detection and countermeasures, are well-established. This will drive improvement in the design of the systems to mitigate the threat.
Attacks will increase in complexity in response, but we should arrive at a point where success is beyond the capabilities of many attackers. For example, synthetic fingers may need to be made from expensive materials that more accurately replicate the physical properties of the human finger.
Overall, we can expect to see an improvement in the integrity of the Human Machine Interface (HMI), driven by this arms race. When these attacks become too complex, the attacker may begin to explore other vulnerabilities in a system that were previously ignored when there were easier approaches.
The fundamental problem
What then, is the fundamental problem here? Essentially the biometric device is merely a sensor that is sampling the physical world and transferring data to a processing unit. That processor determines whether the data samples are from a real and present person, and eventually who that biometric measurement identifies. Sensing chips either perform this processing themselves (so called ‘match-on-sensor’) or send the data to a separate processor to perform a ‘match-on-host’. This transfer is typically performed over a Low Pin Count (LPC) bus, such as I2C or SPI… and this is a problem.
The simplicity of these buses makes them appealing for the electronics engineer. There are only a few relatively low-speed PCB traces to route, and typically only a couple of external discrete resistors are required to act as pull-ups. Unfortunately, this simplicity is the same reason that this is an easy attack vector against a system. Tools to record and analyse the data ‘sniffed’ from the bus are inexpensive, and the data lines can be probed without much difficulty by tapping PCB pads where the resistors are.
Consequently, this interface must be cryptographically protected to maintain its integrity, and the sensor must be authenticated by the processor. Without these safeguards in place, an attacker may alter data in transit – creating either false positives or false negatives – or mimic the sensor entirely.
Matching the captured data against enrolled biometric data implicitly requires that the enrolled data or ‘template’ be stored, whether that’s local to the device or in some remote storage such as a database server. This ‘data at rest’ is another attack vector for an attacker, who may alter it to serve their needs.
Write access to the data provides further attack methods, potentially enabling valid users to be locked out, or invalid users to be added in. Wherever this data is stored, we must be able to trust it at the point of use and we should consider the implications of keeping it secret. Again, we see that integrity and authenticity are important, but also the value of confidentiality.
Some simpler solutions
So, aren’t there any simpler solutions than cryptographic techniques? Well there are some, but they have limitations that make them less valuable than a well-designed cryptographic protocol.
Creating tamperproof, tamper-resistant, or tamper-evident devices that protect the LPC interface can place a costly design burden on the hardware or be incompatible with the use case for the device. It’s reasonable to assume that the determined and motivated attacker will reduce these efforts to tamper-evident at best.
Further, when trusting a device is required at a distance, there’s no mechanism for proving a connected device hasn’t been tampered with. Even the best tamperproof design can’t protect the component supply chain from counterfeit (insecure) sensors. Nor can such passive security techniques be used to verify the trust in the sensor in the device.
In contrast, cryptographic techniques provide a toolkit enabling digital trust to be established between components on a device, and from the device to external systems. The details of how this works are beyond the scope of this short article but are nothing new. For example, such techniques are used to verify the authenticity of Trusted Platform Modules (TPMs), which are common in laptops and servers and provide a secure root of trust.
The market can be confusing
These requirements are easy to state but finding sensors that meet them is difficult in a marketplace where technical terms are used liberally. For example, some products claim to support 'encryption' on the bus, but in practice this is little more than data scrambling/obfuscation with a secret known to every device.
Other manufacturers refer to how their sensors 'use TLS' (Transport Layer Security, a technology most commonly associated with securely browsing the web). But without mention of the cipher-suites employed, or access to publicly visible Certificate Authorities that can be used to verify the authenticity of the sensor, this offers little peace of mind.
At this point you may be wondering what options you have, and what might be the best choice of biometrics sensor solution for your product. Like all applications for security technology, the answer depends on the threats you face and the level of risk you can accept. Ultimately, we are trying to achieve Trust. Trust that you are talking to a real sensor.
Trust in a sensor can be achieved by authenticating it both during manufacture (verifying that the supply chain wasn’t attacked), and during installation and use (to detect unauthorised replacements in the field). Performing a match-on-sensor removes the need to send confidential information over the LPC interface to the host, but the authentication requirement remains to ensure that false matches aren’t injected onto the bus. If confidentiality of the result is not a concern, this may be enough.
An economical solution
Where such a solution is not available, removing the LPC interface by building a custom system-on-chip that incorporates the biometric sensing may be best. This an economical solution for high volume or high value applications, where the cost of developing the solution can be justified.
Get in touch
If these approaches aren’t viable, then it may be that you need to add other methods for user identification in combination with, or possibly instead of, the biometric sensor. This may be the only way to increase your confidence in security to an acceptable level.
At Cambridge Consultants, our breadth of experience in user experience, product design and digital security enables us to consider all the factors that contribute to effective security – and balance that with usability and functionality. Get in touch to discover how we can help create a product that meets your security needs.