Biometric identification is in the palm of every modern smartphone user's hands. People can unlock their devices with their face, eyes or fingerprints. Businesses have adopted biometric identification techniques for entry into offices and secure areas. Getting unfettered access to systems is the goal for hackers. As a result, the possibility of biometric data being hacked could pose risks to people and organizations.
There is a scene in the movie Minority Report where Tom Cruise's character gets his eyeballs replaced to fool retinal detection. The grisly scene is an example of a technique to sneak past security and evade detection. Spoiler alert: swapping our eyeballs is not a technique that is currently used by hackers to steal identity.
In today's world, biometric authentication is all around us. The methods used by hackers to circumvent detection and impersonate others do not approach the extreme level of eyeball replacement, but creative methods to get past checks are being used and developed.
Biometric Identification Evolved
Tracking by biological means has happened since the dawn of time in an analog way. The footprints of animals provided hunters clues to find game. In the past 150 years, fingerprints have provided law enforcement with methods to identify people and solve crimes. Even your driver's license has biometric data on it: your height, weight, hair and eye color.
Recently, several trends have converged to make biometric-related issues more important. The convergence of cheap and widespread sensors, increased computing power, advanced algorithms and massive amounts of data being collected is bringing about a new era of biometrics. There are new questions, opportunities and challenges to consider.
Biometrics is currently being used to verify people using these means:
- Facial Identification
- Retina Scan
- Voice Analysis
- Palm Vein Identification
- Hand Geometry
These techniques are also available but have not been as widely adopted:
- Brain Waves
- Walk Style
- Iris Scan
Using biometrics to verify identity is popular because it is convenient and reliable.
Methods to Hack Biometric Identification
There are risks for every method of identity verification. The reward from imitating others is enough to draw the attention of hackers looking to profit from deception. A hacker needs to access biometric data and then use that data to their advantage.
Breaching Data Collection and Storage
Experian said to "expect hackers to take advantage not only of the flaws found in biometric authentication hardware and devices, but also of the collection and storage of data."
Tampering with biometric data during collection might involve social engineering. If the person who is providing biometric data like a fingerprint or eye-scan in the first place does not record it accurately, then future authentication is invalid. If a person is recording the biometric data, that person is also susceptible to being used to facilitate biometric deception. Having the initial data point falsified in some way leaves an open door for future illicit entrance.
After collection, the data is transferred and stored. If a store of password data is breached, the remedy is to require password changes. Biometric data cannot be changed. Keeping data encrypted and secure is paramount for organizations.
Fooling the Biometric Validations
The end result of having data compromised upon collection, storage or transfer is using that data to fool the device itself. The success of this method depends upon how the identity is verified. The ability to hack the phone and facial recognition of the ubiquitous iPhone can serve as a proxy for other systems. People have replicated fingerprints using advanced technology and unlocked phones. Nobody has demonstrated a successful hack of Face ID.
Another example of a biometric hack comes from the mobile phone world. The Samsung Galaxy S8 had its iris scanner hacked. Samsung said the hack required "The unlikely situation of having possession of the high-resolution image of the smartphone owner's iris with IR camera, a contact lens and possession of their smartphone at the same time."
Researchers have demonstrated that voice recognition can be hacked if the perpetrator has 100 5-second sentences. After obtaining a sample, they can feed the sample into a computer program to replicate speech. Chinese researchers have also demonstrated the ability to send ultrasonic messages to voice recognition tools like Amazon Alexa.
Biometric hacking has not resulted in any large public breach thus far. The examples have come from researchers or people in controlled and specialized situations. However, the fact that examples have surfaced underscores the vulnerability.
Biometric hacking is not widespread at the moment. Taking an extra precaution to require a passcode or two-factor authentication in conjunction with a biometric check can make the process more secure.