Schneier on Security
A blog covering security and security technology.
April 1, 2005
Security Risks of Biometrics
From the BBC:
Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.
The car, a Mercedes S-class, was protected by a fingerprint recognition system.
What interests me about this story is the interplay between attacker and defender. The defender implements a countermeasure that causes the attacker to change his tactics. Sometimes the new tactics are more harmful, and it's not obvious whether or not the countermeasure was worth it.
I wrote about something similar in Beyond Fear (p. 113):
Someone might think: "I am worried about car theft, so I will buy an expensive security device that makes ignitions impossible to hot-wire." That seems like a reasonable thought, but countries such as Russia, where these security devices are commonplace, have seen an increase in carjackings. A carjacking puts the driver at a much greater risk; here the security countermeasure has caused the weakest link to move from the ignition switch to the driver. Total car thefts may have declined, but drivers' safety did, too.
Posted on April 1, 2005 at 9:12 AM
This type of physical security only forces the attacker to rethink their strategy. Do they:
a. go for the lower hanging fruit?
b. change their attack?
If they really want to get something they will. For example, if they are disregarding lower-hanging fruit, the defender is SOL.
As for the defender... here is a little advice: don't carry a firearm if you aren't wearing a vest.
(Something you often see generic bank security guards carrying and not wearing a vest, and sometimes they aren't even real firearms... which is even worse... )
This makes a really good point. Many people have predicted that this would happen.
A solution to this would be to check if your finger's still attached. How this can be done is another question.
Maybe if we could make a machine that could analyze someone's blood ;-). There must be some way to make sure that's a unique key....
There ARE ways of determining if the finger is still attached - temperature, sweat, etc.
It's the same with iris recognition (movements, reaction to light variation, etc.)
I don't understand why people would only implement PART of those security systems, thus putting the user in danger. Do the whole thing properly or don't do it at all if it's too expensive. Biometrics are still a good way to IMPROVE security if it is implemented properly.
Supposing such a system which detects an attached finger, we would still have to tell the thieves about it BEFORE they chop our fingers off - those sci-fi movies sure did a great job at teaching us the (wrong) notion that chopping body parts off does fool security systems (anyone seen Minority Report?).
I mean, I believe the point is not about the security system working or not, but how it affects the one it should be protecting, right?
This gives new meaning to road-rage phrase "I gave them the finger".
Bruce, you say "what interests me about this story is the interplay between attacker and defender."
Well, that and the surrounding, if not systemic, issues in this story. Even when you set aside the context of rich/poor and public/private issues the play is actually more interesting than the actors.
First of all the car is obviously extremely valuable and sought after. The article says it "is worth around $75,000 second-hand on the local market, where prices are high because of import duties."
Second, the car manufacturers foolishly raise the value of the asset (rather than protecting it) by requiring two-factor authentication (something you have and something you are). In other words the value of the human body is now inextricably ADDED to the value of the car. Was this done for convenience or billed as a security measure? I'll give them the benefit of the doubt and vote the former, hopefully for obvious reasons.
It seems that the risky situation would be common sense for an accountant, but perhaps Mr. Kumaran was unaware of his Vulnerability wandering around alone outside his car or the Threat to drivers of fancy cars in the suburbs of Malaysia. Maybe he thought surveillance cameras were watching...
RISK = Asset x Vulnerability x Threat
So this is how I would state the situation to be considered: person with extremely valuable asset perhaps unwittingly is completely exposed to a known hostile and resourceful threat.
Doesn't really matter if biometrics are to blame for the added value or just extra bling-bling. The point is that we need people to better understand the risks they run, or we need a better method of ensuring safety/trust.
Well if the biometric system was designed correctly and the user read the manual they should have known that there would probably be a state of duress in which a user could start the vehicle with a different finger which would allow the carjacker to think he got away with the car... only to realize that a mile away the car disables itself, locks the doors and sounds the alarm. The user would still have their finger and the bad guy would be penalized.
Allowing a state of duress in a system is one of the best ideas when it comes to protecting a user in a high security posture. Let the bad guy into something he thinks is the real deal, giving the victim enough time to get away safely and at the same time letting everyone know there is a bad guy inside.
I know you were jesting about the blood, but it reminds me of a movie I saw which had a biometric system that analyzed a person's DNA... (disregard for a moment the fact that it's not yet feasible for access control)
What they would do in the movie is the person wishing access would pick a hair and put it into the machine.
Oh boy, each of the people in the access list is walking with 10k keys, loosely attached to his scalp! Bald men would be the most secure :-)
On a more serious note, a biometric measure that can be detached from a person's body cannot be seriously considered. That's why I like technologies like IR reading of facial blood vessels - they have the added bonus of not working when the person is no longer alive.
So what is one supposed to do in this cruel world? Not use luxurious things? Not save anything valuable? Live with simple things?
So when is this security measure worthwhile?
If you could save $50/month on insurance, would you tolerate a 1/100,000 chance of having your finger chopped off?
If the benefit is high enough and the risk is low enough, there is a point at which this would be a worthwhile system.
How often do fingers get chopped off? Rarely, I'd think, given that this is an international news story. As unpleasant as this sounds, it does seem that it's uncommon enough to really not worry about.
I've thought about how you could make this work, and I do have an idea:
1. The system must be optional. There must be no way of figuring out if you've got it or not.
2. The sensor itself must be invisible - my PDA has a fingerprint sensor that looks like a simple thin line. You could easily integrate that into all models.
3. Confirmation must only be given upon successful validation. No negative confirmation.
4. The car works for two hours without your finger, then stops. Or, perhaps, it's configurable.
Liveness sensors won't work because they'll just keep you prisoner till the car gets to wherever they want it to be.
I think we are assuming too much to say that the biometric device was solely meant as a preventative control. I could be wrong, but it seems to me that the luxury car companies intend these devices more as a convenience to drivers, which replaces the hassle of managing/carrying traditional keys.
If the system is meant as a serious security control, then it makes far more sense to me as a detective one rather than preventive. In other words the wrong finger would send an alert that would initiate a series of subsequent controls.
A California law enforcement operation has been using this method fairly successfully: the police install a camera, signal, and remote control in a desirable parked car and leave it on suburban streets with the doors unlocked. When someone steals the car, they record a few minutes on camera, remotely lock all the doors, disable the ignition, and then quickly drive up to arrest the thief.
We should try to help steer Bruce away from the "Oh no! Failed security! Run for the hills!" and instead drive him to suggest alternate methods or solutions to the problem.
"We should try to help steer Bruce away from the 'Oh no! Failed security! Run for the hills!' and instead drive him to suggest alternate methods or solutions to the problem."
I think conventional keyed carlocks are working just fine. They keep the honest out, and we know that nothing will keep the dedicated dishonest out.
I think Lojak is just about the cleverest anti-theft device for cars ever invented.
"I think Lojak is just about the cleverest anti-theft device for cars ever invented."
It is really only clever since it relies mostly on "security through obscurity". The major component of their security model relies on hiding their transponder in a variety of places. If these places are disclosed at the time of theft, then it can be bypassed and removed in a timely fashion... maybe not 60 seconds, but maybe 65...
May I add something to this serious discussion? Mercedes Benz offers an immobiliser called "Keyless Go". It operates with RFID, I think, and it comes handy in the size of a credit card, opens the door when you approach the car and deactivates the immobiliser when you get in. (That's basically what I've learned from the German website.) As far as I know, DaimlerChrysler doesn't offer something like a fingerprint recognition system at all. Anyway, I do agree that this story is about the interplay between attacker and defender.
Not sure if this is a case of life imitating art or vice versa, but this is something that I've seen on TV a few times. Most recently on "Alias", except that it was an eye instead of a finger. But I think that they had an episode a while back where they used a finger.
And to think that at various times in my life I've owned cars that were such junk that I didn't even lock them! I guess that I'm glad that I can't afford a big Benz.
Can't the same thing be said for all security measures? Say access to your bank account is protected by a password and a SecurID token. I'm the ringleader of a ruthless gang bent on taking your money. To get your security token we'd either kidnap you or break into your house in the middle of the night. To force you to reveal your password we'd put a gun to your head. If you were smart and know that we can't kill you (since only you know the password), we'd resort to torture. Afterward, we'd kill you to eliminate a potential witness. It's nothing personal. Just a way to get around the countermeasure that is the criminal justice system.
Just an FYI SecurID tokens support a PIN of duress. Just in case your scenario happens the attackers are let into an environment but at the same time silently alert that the account has been entered upon duress.
Ok, not the finger, or blood, or eyeball, how about brain waves? No brain waves, no access! That should keep the idiots off the road, and if the car is stolen, who cares? Further, if the system determines there are confused or diminished brain waves, the car won't start, and that should keep the drunks off the road. Another upside: the car is worthless to anyone other than the owner with the proper brain waves. A downside: if you really do lose your mind, you're going to walk home.
Interesting thread. Israel, great points about the "PIN of duress". I've always thought this would be a great idea for ATM cards. Give users a normal pin and an "I'm being robbed" pin. There's no way for the thief to know which one was used, but additional countermeasures are set in motion - this could go from video/photos, to police alerts or a "system off line" message.
Regarding the biometric measures: I agree with Davi in that this is more a convenience rather than a security system. And making sure the finger/eye/body-part is attached, does nothing to improve the security of the system. It merely improves your chances of keeping your body parts attached. The thief can still force you to open the car at gun point.
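The "state of duress" idea raised earlier in the thread, and the "I'm being robbed" PIN suggested above for ATM cards, come down to one design rule: the visible response to the duress code must be indistinguishable from the normal one, while a silent alert goes somewhere the attacker cannot see. The following is an added example written for this page (not code from any commenter, vendor or the original post); `DuressAwareLock` and its methods are hypothetical names, and PBKDF2 is used only as a stand-in for whatever credential storage a real immobiliser or ATM would use.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; a real system would tune these.
PBKDF2_ROUNDS = 100_000


def _derive(pin: str, salt: bytes) -> bytes:
    """Hash a PIN so that neither PIN is stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class DuressAwareLock:
    """Hypothetical verifier with a normal PIN and a duress PIN.

    Either PIN unlocks. The only difference is a silent alert that is
    recorded out of band (here, a list standing in for a back-office channel).
    """

    def __init__(self, normal_pin: str, duress_pin: str):
        if normal_pin == duress_pin:
            raise ValueError("duress PIN must differ from the normal PIN")
        self._salt = os.urandom(16)
        self._normal = _derive(normal_pin, self._salt)
        self._duress = _derive(duress_pin, self._salt)
        # Never shown at the point of entry; only the monitoring side reads it.
        self.silent_alerts = []

    def verify(self, entered: str) -> str:
        candidate = _derive(entered, self._salt)
        # Both comparisons always run, so the work done (and its timing)
        # does not reveal which of the two PINs matched.
        is_normal = hmac.compare_digest(candidate, self._normal)
        is_duress = hmac.compare_digest(candidate, self._duress)
        if is_duress:
            self.silent_alerts.append("duress code used")
        if is_normal or is_duress:
            return "unlocked"  # identical visible response in both cases
        return "denied"


if __name__ == "__main__":
    lock = DuressAwareLock("1234", "4321")  # constructed sample PINs
    for attempt in ("1234", "4321", "0000"):
        print(attempt, "->", lock.verify(attempt))
    print("silent alerts seen by the back office:", lock.silent_alerts)
```

The design choice worth noting is that `verify` returns exactly the same string for the duress code as for the normal one; everything that distinguishes the two lives in `silent_alerts`, which only the monitoring side reads.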
In the UK, car audio had removable faceplates to cut down on theft. The catch was, unless one took the faceplate when leaving the car, the insurance company could refuse to pay because one hadn't mitigated the risk.
Since "we" know about this coercion countermeasure, wouldn't it be safe to assume that the attacker knows about this now too? He could say something to the victim to the effect of "Don't try to do X or I'll paint the wall with your brains." Also, assuming that the attacker actually has the means to detect the "silent alarm" and isn't just bluffing, wouldn't that bring us back to square one in terms of the action one would be willing to take under duress? The whole point of a silent alarm is to tip off the authorities without suffering the repercussions. Then again, I guess it would be in the attacker's best interest not to actually follow through with the threat, since it raises the risk of alerting the authorities, and doing so after the alarm has been tripped would be pointless for any other purpose aside from pure retribution. But the mere threat of violence against the victim may still be sufficient to convince the victim to acquiesce to the attacker's demands.
It's called Gattaca. Very interesting movie. The title is made only of letters used to represent nucleotides in the genetic code.
How are you claiming this is secure? In our recent experience, anything involving RFID is a security problem, not a solution. At the current level of technology these devices don't seem to have enough computrons to do good crypto, and doing radio security applications without good crypto is madness.
Yes, we knew this was going to happen. We warned them. And yes, the biometrics industry has gone so far as to create readers with "liveness detection". Why weren't they used? Because at present the biometrics industry has an inordinate number of snake oil salesmen who present biometrics as a panacea for security applications, when in fact it is just another tool in the kit, one that has to be applied as carefully as any other in order to be useful. In this case, I doubt the car manufacturer did any sort of security analysis at all. It doesn't solve any existing problem with car security, and as we have just observed, introduces a number of others instead. The planning process was more likely "fingerprint readers!?! Cool!!".
IMHO the current generation of fingerprint readers are useful only as a cheap second factor in an existing password system to stop LCD users from doing dumb things with their passwords. In pretty well every other application I have seen they lower security rather than raising it. Most fingerprint readers have independently measured EER of 5%; the best ones allegedly get down to about 0.2%. That means that when the system is set to a sensitivity such that it only randomly locks you out one time in 200 (say, 3 times a year), a crook has a 1 in 200 chance of stealing your car just by swiping his finger on the reader and seeing if it works by luck. That's just by trying your luck, not a spoofing attack. That's totally unacceptable. The idea that a system with such high EER and easy spoofing attacks might be suitable for a luxury car is ridiculous.
I think we should speak up more about some of the extravagant exaggerations being made by the less ethical biometrics salesmen. In the meantime, we should disseminate information about the "gummy finger" attack. It might help to prevent some dismemberments.
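Roger's comment rests on the trade-off between the false reject rate (FRR, the owner locked out) and the false accept rate (FAR, a stranger let in) as the match threshold moves, with the equal error rate (EER) being the point where the two curves cross. The block below is an added example written for this page, not code or data from the original post or from any reader vendor; the match scores are constructed so that the numbers can be checked by hand, and it generalizes the comment's single operating point by computing FAR for any FRR budget and the chance that repeated random presentations get through.

```python
from typing import List, Tuple

# Constructed sample match scores (higher = stronger match), not measurements
# from any real reader. Genuine = the enrolled user, impostor = someone else.
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.78, 0.70, 0.65, 0.55]
IMPOSTOR_SCORES = [0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.60, 0.68, 0.75]


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Fraction of genuine attempts scored below the threshold (owner locked out)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Fraction of impostor attempts scored at or above the threshold (let in)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (the EER)."""
    best_t, best_gap = None, None
    for t in sorted(set(genuine + impostor)):
        gap = abs(false_accept_rate(impostor, t) - false_reject_rate(genuine, t))
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    eer = (false_accept_rate(impostor, best_t) + false_reject_rate(genuine, best_t)) / 2
    return best_t, eer


def far_at_frr_budget(genuine: List[float], impostor: List[float],
                      max_frr: float) -> Tuple[float, float]:
    """Strictest threshold whose lockout rate stays within max_frr, and the
    false-accept rate the owner silently pays for that convenience."""
    candidates = [t for t in sorted(set(genuine + impostor))
                  if false_reject_rate(genuine, t) <= max_frr]
    t = max(candidates)
    return t, false_accept_rate(impostor, t)


def lucky_attempt_probability(far: float, attempts: int) -> float:
    """Chance that at least one of `attempts` random presentations is accepted."""
    return 1 - (1 - far) ** attempts


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2f} at threshold {t}")
    # Relax the threshold until the owner is locked out at most 1 time in 10.
    t2, far = far_at_frr_budget(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1)
    print(f"FRR <= 0.1 needs threshold {t2}; FAR there is {far:.2f}")
    print(f"3 random tries succeed with p = {lucky_attempt_probability(far, 3):.3f}")
```

The lesson the numbers make concrete is the one in the comment: once the threshold is lowered to keep the owner's lockouts rare, the false-accept rate is whatever the impostor distribution gives at that threshold, and it compounds over repeated tries.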
@Roger, re @Ryan and Julie
You wrote "In this case, I doubt the car manufacturer did any sort of security analysis at all. It doesn't solve any existing problem with car security, and as we have just observed, introduces a number of others instead."
The purpose of adding a secondary security measure to cars (additional to the key/immobiliser) is to prevent theft with stolen keys. This is now a severe problem in the UK; two family friends have had cars stolen by use of keys found by housebreaking and we get regular warnings from the police on this. There have also been attacks against drivers exiting cars, to steal the key and car.
PINs and biometrics have been tried and, as we know, both have problems. However, this particular slur on the car manufacturer goes too far, and is also beyond reason - surely car manufacturers consider nearly everything reasonably carefully.
Elsewhere, you do make good points, in particular of biometrics being part of the available toolkit.
You are also right to raise the issue of "snake-oil salesmen". They are somewhat prevalent in biometrics at the moment, though they can of course be found everywhere. And why? Because the credulous, gullible and searchers after "silver bullets" can also be found everywhere. However, the evidence makes me think we have more of a problem just now than with car manufacturers alone, and it's in the detail as much as in the philosophy.
PIN of duress is impractical for use with large consumer groups. It is reliant on the honesty of the consumer.
It is too tempting for the consumer to use the duress PIN to fake a theft. A robber might even encourage the victim to participate in the "theft" by offering a 20% cut!
@PacoBell & Greg
Security as a whole is based on preserving human life. A security system that has a duress posture will do its best to make sure that the attacker does not know the user entered a duress code. It is a policy that could mean anything, but it understands that the user is no longer under self-control for their actions. This could allow the user to live. It may also assume there is a gun to their head and their family is trapped in an attacker's safehouse. It is just on the extent of the measures that have been set by this policy. It is another logical step when things hit the fan. This could activate extensive tracing and logging, things not normally activated for normal alarmed postures. It certainly doesn't mean that law enforcement will be kicking down the door in less than 5 minutes. It more means: hey, this user is under personal physical attack and needs to live.
The other problem with the pin of duress is that it's patented (http://msnbc.msn.com/id/4086277/).
Don't get me started on the ills of our patent system.
Hmmmm, anyone patent the "finger of duress" yet?
I have to say, sometimes you really make me smile. I mean, let's take a look at these two statements:
"I think conventional keyed carlocks are working just fine. They keep the honest out, and we know that nothing will keep the dedicated dishonest out."
So keys, like simple passwords, are the answer? Really, after all the password bashing you do, how could car keys be so different? Is it the value of the asset that you are factoring? Do you drive a '79 Pinto by any chance?
"I think Lojak is just about the cleverest anti-theft device for cars ever invented."
Odd, a second ago you seemed to say that keys are sufficient to prevent casual theft. So Lojack is for more the more serious criminal?
It's a detective control, so I give it high marks (per my posts above and example of a sting operation), but it still has its share of issues. In fact, I am surprised you haven't already noted one of these issues and posted a "Lojack a waste of money" blog entry yet. Without exposing too much detail here are a couple things to consider:
1) Lojack does not prevent auto theft directly -- it's silent and a radio-based homing device. So it's suitable for sting operations, but some people do not really want their car back after it has been red-lined and driven through hedge-rows. Moreover, if you do not realize your car is missing the system might not be activated. Ever use a parking garage while you are away on an extended trip? Or consider this: it takes about 1hr for a car thief to nab and strip a car clean. So it's really best at recovery from amateurs and petty joy riders as opposed to the villains in the link you provided.
2) Easy to defeat the radio signal. Or, as the classic example goes, the radio signal only shows up after the car has been transferred to a container and is on its way out of the harbor. Again, unlikely to significantly reduce risk for very valuable assets.
3) They're sometimes set up with some kind of "secret" for the ignition called an interlock, which uses a switch or lever (e.g. rear defrost button). Might seem like a good idea, but it's just like any kind of secret that can't be changed or modified...people either tell everyone or disable it.
4) Installed after-market and often improperly with damage to the vehicle or with sensors in the wrong place. The Lojack is probably only as effective as the guy with the hammer and drill...who verifies the install?
5) Global Satellite Tracking, although expensive, has some advantages (other than cost) over Lojack such as alarm integration and a remote engine kill option.
Bottom line is that Lojack and keys are just two of many controls that can be used to secure a car. Layers of the onion, right?
As I mentioned above, I think we all look to you (as an "expert") for creative suggestion on how to address risks, not how to depress ourselves with hopeless tales of misfortune and weak security.
Incidentally, do you advocate Lojack or are you just saying that it is hypothetically useful as a detective control?