Make-up and fake fingers – staying ahead of the online spoofers
Identification using facial features or fingerprints – known as biometric identification – was once seen as a way to a password-free future. However, biometric systems have proved all too easy to dupe – the fingerprint scanner on Apple’s iPhone 5S was hacked within days of its launch using just a photograph.
The EU-funded TABULA RASA project is coming up with ways to make biometric identification resistant to attack.
‘The aim of the TABULA RASA project is to study the vulnerabilities of biometric systems in the context of spoofing attacks ... and in case of vulnerability, to develop countermeasures to detect those kinds of attacks,’ said Dr Sébastien Marcel, the project coordinator.
The three-year project set up the Spoofing Challenge where researchers developed new ways of attacking biometric systems. One successful attack involved the attacker using make-up to look more like the person she was trying to fake.
Researchers drew up a list of known spoofing attacks by consulting experts, scientific papers and online sources. The attacks that were easiest to replicate were chosen for further research, as these posed the most realistic threat.
They recreated the attacks and recorded the data, which they then used to develop countermeasures to beef up biometric authentication systems such as face, fingerprint and voice identification software.
Flat face
They found, for example, that photographic spoofs on facial recognition systems can be identified by detecting how three-dimensional the face is. The flatter and more two-dimensional the face appears to be, the more likely it is to be a spoof.
The project also studied the effect of combining biometric identifiers to increase security. For example, a real finger can have moisture on it and blood running under its surface. Producing a fake finger to fool moisture and blood-flow sensors can be costly and time-consuming, making the spoofing attack more difficult and perhaps less likely to happen.
‘It can be hacked, but is it worth it?’ said Dr Marcel.
He gave the hacking of the iPhone 5S’s fingerprint scanner as an example. While the method used to hack it was ‘nothing new’, it took days to do, by which point the owner could have locked their phone remotely. ‘You also have to steal the phone,’ he added.
Many of the countermeasures developed during the project are sold commercially by TABULA RASA’s industrial partners. This flow of information and innovation goes both ways, as the industrial partners on the project provide information on commercially available biometric systems and vital market insight for researchers.
Network security
Outside of biometric authentication, other EU-funded projects are developing new detection and protection techniques against computer viruses. The MALCODE project identifies a virus by the instructions it carries out on a computer. By detecting the virus at such a low level, the software bypasses many of the virus’ ways of fooling a system, such as encrypting its code.
In addition to researching attacks on individual computers, the EU funds projects investigating and improving the security of communication networks.
Control systems for critical infrastructures, such as power grids, are rapidly moving from offline custom networks to more standardised online solutions.
‘Unfortunately this technological trend introduces new security issues, since in the new scenario critical infrastructures are increasingly exposed to cyber threats,’ explained Prof. Salvatore D’Antonio, project manager for the INSPIRE project. Researchers on the project developed a system that prioritises important instructions for a critical infrastructure over other network traffic in the event of a fault or cyber attack. This means that network performance is not compromised for the critical infrastructure, even if the total capacity of the network is reduced by a fault or attack on part of it.
Similar to INSPIRE, the TClouds project developed a ‘cloud of clouds’ to make healthcare data and power-grid commands sent through the cloud more resilient to cyber attacks. Using the system, a user can access multiple clouds containing identical information, so that if one cloud is compromised by a cyber attack or simply stops working, another cloud can take over.
New EU projects, such as Privacy-Preserving Computation in the Cloud (PRACTICE), aim to create tools to make user data stored in the cloud unreadable by cloud providers, adding another layer of privacy to cloud computing.
The problems facing online security and biometric authentication research are similar, as Dr Marcel explained: ‘It’s a bit like the virus-antivirus industry – the more attacks and countermeasures to those attacks you develop, the more you realise that you can find more attacks.’