Using a Fake Hand to Defeat Hand-Vein Biometrics

Nice work:

    One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example.

    But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.

    "It's enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them," Krissler explained. In all, the pair took over 2,500 pictures to over 30 days to perfect the process and find an image that worked.

    They then used that image to make a wax model of their hands which included the vein detail.

Slashdot thread.

Posted on January 11, 2019 at 6:38 AM • 37 Comments

Comments

0laf • January 11, 2019 8:49 AM

"In all, the pair took over 2,500 pictures to over 30 days to perfect the process and find an image that worked".

So for now this is firmly in the "possible but not probable" category of risks.

Even if hand vein authentication became commonplace it would stop most trivial attacks against the reader since the effort to recreate a 3D hand is beyond the knowledge of a casual attacker or at least beyond their work threshold.

Impossibly Stupid • January 11, 2019 9:59 AM

@0laf

    So for now this is firmly in the "possible but not probable" category of risks.

That's not the right conclusion. They used off the shelf parts and worked out a process from scratch. It's a strong enough proof of concept that it should worry anyone who is serious about security. A dedicated attacker with a high-value target will likely have more resources to do an even better job in the future.

It's just another example that (most) biometrics are of limited value when it comes to authentication. They really should be under the umbrella of "something you have" rather than "something you are". Unless some biological systems are engaged in a full challenge-response process, the bits offered by a scan of some readily available body part are of low quality, at best.

Rickroll's Law : • January 11, 2019 11:16 AM

Anything that can be imaged can be spoofed, I think that's what this is building towards.

SocraticGadfly • January 11, 2019 11:22 AM

Per Impossibly, right ... with 3D printers becoming more common and cheaper, that part won't be hard. The photography part isn't hard, either; just time and patience, and skill with a camera and photoshopping.

de la Boetie • January 11, 2019 12:01 PM

There's a small but active community of IR SLR users already, and conversion is well known or can be done from a service. Taking pictures with long lenses is not a big challenge either.... And in fact, video might be even more effective to pick up the correct moment.

So no, not a big technical challenge, likewise the 3d imaging part.

The reason biometrics is being pushed so hard is because it allows control of serfs, despite it being terrible for anything other than convenience.

James • January 11, 2019 12:06 PM

Fun fact - hand vein recognition is a very old concept indeed. There was a researcher called Andy Green working at Kodak Limited's labs at Headstone Lane in Wealdstone, N. London in the mid to late '80s that had a working prototype of this.

It even got demonstrated on the BBC's popular science TV programme, Tomorrow's World, where - of course - the presenters muffed the demo and explained the idea only partly correctly.

Clive Robinson • January 11, 2019 12:15 PM

@ Olaf, ImpossiblyStupid,

As one of the researchers Jan Krissler notes,

    Biometrics is always an arm race

As I've mentioned before getting on for half a century ago when I was quite young not even a teenager, I worked out how to make what were 3D finger prints using the red wax from outside of Edam cheese, light oil as a mould release and rubber solution glue to make the fake skin.

And when some time after as an engineer I worked for a company that made early finger print readers. My boss and others were not amused when I demonstrated to them their new "high security" sensor was not secure in the slightest to a very low tech attack. And surprise surprise I ended up in having to find a new job fairly quickly. As there were not "hacker" events back then I had no real way to get the message out, and they sold product they knew to be "not up to claims" for eye watering prices.

So the obvious next step for these researchers or other researchers is to make a "glove" that can be worn by someone with a smaller hand (unless scaling makes no difference to the scanner which is quite likely).

With the next step for the manufacturers of these vein readers is "signs of life" it's not that difficult to read not just pulse but oxygen saturation using IR light.

Thus having designed a glove getting it to apparently have blood flow with "oxygen" would be a response. However I suspect first time around they won't need to have actual fluid flowing through veins just a layer under the veins image layer.

At the end of the day bio-metrics are a bit of a joke. Even DNA testing can be fritzed in one way or another. The last time I looked and that's quite a while ago only a certain type of eye scan had not yet shown signs of being easily attackable.

Clive Robinson • January 11, 2019 12:25 PM

@ Zaphod,

I imagine a 3D printer will help tremendously.

It's not the way I'd think of going. I'd be thinking about making "layered surfaces" that were flexible and stretchable to make a glove.

The veins don't have to be tubes they can just be holes in the layers that then sit on top of a "fluid layer" that you can pump an appropriate artificial blood into to fake circulation.

In fact you might not even need to make a glove, for some bio-metric readers just a "patch" might suffice.

I'm of the old school methodology of,

    Keep it simple, but not so simple it does not work.

That way your investment in time and resources is minimized.

Kevin • January 11, 2019 12:56 PM

The whole concept of using vein patterns for security is absurd.
The patterns of my veins are identical to my mother's, and my siblings' are exactly the same except one is shifted slightly towards the fingers, the other one is shifted slightly away. Yes, we compared many years ago (when we were all very lean and the veins were super easy to see).

The best you can hope for with a system like this is to identify what family you belong to.

I don't see this as any better than a handkey access device that only checks the lengths of your fingers, like they use for safety deposit box access and in some datacenters (you can put the opposite hand in upside-down and it will work). I'm confident those can be fooled with a stiff paper cut-out.

Jon (fD) • January 11, 2019 2:15 PM

@ de la Boetie (et al.)

As an aside, "video" isn't what you want. Even fairly low-end 'pro-sumer' DSLRs can shoot several hundred frames per second, with much higher resolution than video.

J.

David • January 11, 2019 3:38 PM

@Jon (fD)

So when you stitch those "several hundred frames per second" together, and show them in quick succession, what do you call the result? eh? eh? :)

The difference between a "video camera" and a "still camera" has been pretty well blurred ever since the digital age began with those things... It's just about what kind of optimizations vs compromises you are interested in, based on the end result you want.

I suspect the original poster was saying it's easier to use lots of similar frames taken in quick succession, to extract the vein data from a variation of views over a short period of time... whether you technically call that "a video" or "several hundred frames per second" makes little difference at that point.

Stefan • January 12, 2019 7:41 AM

The video recording of the presentation from 35c3 can be downloaded from here: https://media.ccc.de/v/35c3-9545-venenerkennung_hacken (includes English and French translation).

Apart from the DSLR pictures, they also set up a Raspberry Pi with its video camera; it's small enough to install in a hand dryer. Unfortunately, they didn't get around to actually trying that out in one of the bathrooms of the fairground, but in their preliminary experiments, the RPi camera without the IR cutoff filter worked really well to create spoofed images for the finger vein detectors.

David • January 12, 2019 9:11 AM

I live in a country with a fingerprint biometric in the national identity card and most over 60s have found their prints are no longer readable.

Impossibly Stupid • January 12, 2019 12:06 PM

@Clive Robinson

    As one of the researchers Jan Krissler notes,

    Biometrics is always an arm race

I maintain that that is a false premise. Biometrics that only amount to a scanned data "key" are an inherently flawed foundation for security, because there is no secrecy that can be maintained. It's like that time when the set of TSA lock keys was photographed, or whenever API keys get leaked via shared source code. It's then only a question of how that key data gets used for an attack. Just because the biometrics cheerleaders only see the obvious shortcomings in retrospect doesn't make it an arms race.

vas pup • January 12, 2019 1:43 PM

@Clive:
"Even DNA testing can be fritzed in one way or another."
That is why they should not be accepted as the only and 'crown' evidence in criminal cases as well.
One bird does not bring the spring.

Jon (fD) • January 12, 2019 4:22 PM

@ David

    So when you stitch those "several hundred frames per second" together, and show them in quick succession, what do you call the result? eh? eh? :)

You don't. You inspect each frame individually.

    I suspect the original poster was saying it's easier to use lots of similar frames taken in quick succession, to extract the vein data from a variation of views over a short period of time... whether you technically call that "a video" or "several hundred frames per second" makes little difference at that point.

Indeed.

J.

Wael • January 12, 2019 10:45 PM

@0laf,

    3D hand is beyond the knowledge of a casual attacker or at least beyond their work threshold.

BND's concern goes beyond the casual attacker.

@Kevin,

    The whole concept of using vein patterns for security is absurd.

Good summary.

@Impossibly Stupid, @Clive Robinson,

    umbrella of "something you have" rather than "something you are".

I understand what you're saying, but I don't agree. You have a fingerprint (but you are not the fingerprint,) you have DNA, (but you are not the DNA.) These are partial representations of some supposedly unique[1] characteristics of a carbon unit, not "what you are", per se. What does the reclassification you propose achieve?

    Just because the biometrics cheerleaders only see the obvious shortcomings in retrospect doesn't make it an arms race.

No. It goes way deeper than that. Idiots, who have no business whatsoever to be involved in security, come up with the most absurd ideas. Lassitude, impudence, and sheer lunacy are their stock-in-trade. The strange thing is NSF partially funds them! I don't know which is dumber: to use a vein map or to scan a heart! Don't get me wrong! There are valid situations to use biometrics as the only authentication mechanism, but this requires an extended discussion.

    the BND, Germany’s signals intelligence agency, uses vein authentication in its new headquarter building in Berlin.

We're doomed. What do you think @Rolf Weber? I know you're following ;)

[1] And strive to be hard to mimic, simulate, or reproduce. Which is another topic: physics vs. math. They often say: trust the math. I have yet to hear: trust the physics ;)

Clive Robinson • January 12, 2019 11:54 PM

@ Wael,

    I have yet to hear: trust the physics ;)

That is because as has been noted in the past,

    In physics you get taught a succession of lies, each more accurate than the previous one...

What many people forget is "maths is not reality, reality is way more messy. Maths is a tool by which we try to describe the world in terms of sets and logic. We of course fail in this endeavor, but it is the journey not the destination from which we learn the most.

Wael • January 13, 2019 12:32 AM

@Clive Robinson,

    maths is not reality, reality is way more messy [...] journey not the destination from which we learn the most.

Absolutely! You're starting to sound like Joseph Campbell, though, who I don't agree with. But the way you put it is more in line with what I agree with -- The difference between a scientist and a philosopher ;)

Clive Robinson • January 13, 2019 12:50 PM

@ Wael, Impossibly Stupid,

    You have a fingerprint (but you are not the fingerprint,) you have DNA, (but you are not the DNA.) These are partial representations of some supposedly unique characteristics of a carbon unit, not "what you are", per se.

As Dame Stella Rimington DCB noted when she was the Director of MI5, and I'll put in your wording,

    You have a paper with an identity on it, but you are not the paper or the identity.

And as I've pointed out a few times here,

    You have a role(s) but you are not the role(s).

It's this last point that brings up the absurdity of "identification" if not "perversion" by bureaucracies, that are both lazy and inept, they want you to be what you clearly are not. That is they want you to be --as the old TV series[1] had it-- a "number" not a "person".

People are even when very young multifaceted, in fact they have as many facets as they do activities and have acquaintances. It is a form of "Social armour" to protect the inner person, generally the more guarded a person is or the more compartmentalized they organise their life the more likely they are to have had reason to be. The trick being to appear open whilst actually being extremely guarded, to the point of having in effect facets that are more like entirely separate personalities or lives. Thus an extension on the "work life", "home life", "friend life" etc roles but with stronger segregation.

Unfortunately this "you are a number" perversion is not just consigned to bureaucrats. We are now having it forced on us by non-neurotypical types who are found in the high tech industry. Who have because of their view-point made it considerably easier for other non-neurotypical types in the marketing and similar industries to make us "numbers to profit from" thus push hard against any attempts to be "individuals with multiple roles/faceted".

For instance take most people's primary interface to the Internet, the web browser, you can kind of set it up for multiple users if you want to go through the pain and complications which can mean having entirely segregated users to the point two or more cheap tablets might be easier.

Likewise on OS's that have some sense of individuality --*nix etc-- where "multi-user" is considered the norm at the OS level it can still be quite hard setting browsers up for "roles" in browsers without getting undesired leakage. But other systems --such as MS OS's-- where the underlying OS is not multi-user orientated leakage across users is almost a given at various levels.

What some of us want and every one needs is computers that can provide clean separation at all levels including the desktop, so that the user remains in the driving seat with regards their multiple identities (life roles) and the segregation (or overlap) they desire or don't desire to have between the identities.

Look at it this way, if you have multiple financial accounts such as current, savings and credit accounts you may not want financial institution A that has an account your salary gets paid into being aware that you have another account at institution B where "another" of your income streams from online trading or property rental come into.

If you make the mistake of using MS OS's, and browsers in modes most users can change them to from the standard interface, then the chances are your online banking accounts will become known to all the financial institutions. Likewise those of any other family member etc who uses the computer.

The designers and developers could change this behaviour, but for various reasons including financial they are unlikely to do so.

Humans unless they have certain issues are not monofaceted / monoroled, anyone believing that they are or worse should be is trying to destroy the cohesiveness of society even though they might not have that intention or be aware of what damage they are causing. Whilst others think "society will adapt" I'm very far from certain it can, and still be a society we would recognise as such or wish to live in.

But getting back more on target the issue with bio-metrics is their "singular use" that is let us say less than stellar, in fact it's pretty abysmal in many cases. Where it gets strong though is where you use multiple bio-metrics all at the same time. Currently few people do this preferring to go for one bio-metric that they have been told is strong... Whereas going for three or four biometrics at the same time would probably[2] be better than any single bio-metric.

Like many "marketing led" product marketplaces bio-metrics tend to be well lubricated in snake oil.

[1] The late 1960's television series "The Prisoner" starring Patrick McGoohan, who also co-created it. On the surface it might now be considered SciFi for its --still-- futuristic themes. It appears as a quaint idyllic village with the residents leading a collectivised utopian yet almost entirely pointless existence. However nobody uses their name just a number which hides much about them including if they are too prisoners or guards or worse. It quickly becomes clear that "No 6" is being held a prisoner in what might be a "gilded cage". He is being in effect tortured psychologically to get information out of him. Because he was some kind of intelligence officer who having resigned in anger gets gassed in his flat and wakes up in the village. His intent is not to give out information and escape, he comes up with all sorts of plans and involves others in the village quickly causing disruption. So it has many interlaced themes and is often quite dark for adults. At its base it is about the fight between individualism and collectivism, where the collectivism has behind it evil intent and few if any morals, whilst maintaining a veneer of urbanity and sophistication that is suave in its reality. Its famous tag line is "I'm a name not a number", which half a century on is still in "common parlance".

https://en.m.wikipedia.org/wiki/The_Prisoner

[2] It's actually not that easy to say what the real false positives and negatives are on "identity" because of all the extra crap like "signs of life" being used to distort the figures on both false positives and surprisingly false negatives. Put simply the manufacturers include the "signs of life" successes in with the actual bio-metric when it makes things look better but treat them separately when they fail... Thus if you present your hand and the system says you are not alive that gets put down to a "signs of life" fail not the bio-metric... You actually have to get hold of "academic study" results, but there are two issues. Firstly the studies are few and very far between. Secondly they are rarely on "new bio-metric systems" due to costs and often availability (same as it is with the mechanical "unpickable locks" that lock companies push, that later turn out to be fairly easy to pick like nearly all mechanical locks and more than a few electronic locks).

Clive Robinson • January 13, 2019 1:33 PM

@ Wael,

    You're starting to sound like Joseph Campbell, though, who I don't agree with.

I'm assuming you are talking about Joseph "J" Campbell --not either "A" or "B"-- and his monomyth from the 1940's.

When I first heard about it the thought "bleeding obvious" crossed my mind and I did not go any further with it.

Mind you somebody saw me reading a Terry Pratchett book before Xmas, it was "Dodger" which is not one of his usual genre. Based on my description she recommended I might like "The watchmaker of filigree street" by Natasha Pulley. I guess I might have to have at least started it before I next see her.

P.S. Although I'm an engineer, and as I've mentioned before, did not get around to finishing the PhD journey, I do like to occasionally see myself as a "failed scientist", it kind of evens the playing field ;-)

Wael • January 13, 2019 2:41 PM

@Clive Robinson,

    What some of us want and every one needs is computers that can provide clean separation at all levels including the desktop, so that the user remains in the driving seat with regards their multiple identities (life roles) and the segregation (or overlap)

We're in the passenger seat, and soon we'll be in the trunk (boot) of the car.

    Where as going for three or four biometrics at the same time would probably[2] be better than any single bio-metric.

Already happening. Several products include that already.

    I'm assuming you are talking about Joseph "J" Campbell --not either "A" or "B"-- and his monomyth from the 1940's.

Correct Joseph..

    did not get around to finishing the PhD journey, I do like to occasionally see myself as a "failed scientist", it kind of evens the playing field ;-)

Neither have I, although I tried. Used to bother me, but no more. It's not meant to happen -- was not written for me.

Clive Robinson • January 13, 2019 5:30 PM

@ Wael,

On seeing,

    ... and soon we'll be in the trunk (boot) ...

My brain read it as,

    ... and soon we'll be in for the boot ...

Which has a whole different meaning in the UK.

Sorry to hear you also went down the same journey.

My troubles started because I wanted to do something original of my own choosing, not some "adviser / readers" research for them. Put simply by the time I found an advisor who was not just prepared to do it but also was at an entirely different University time had effectively run out as my life had had to move on.

How I found the prospective advisor, is one of those little accidents in life. I was at a Xmas party organised by a company with interest in the academic market, to get collaboration to bid for EU grant funding. Well one of the people there was a rather cute Russian girl, who had just finished her PhD. Any way I got chatting to her, as I knew a few words of Russian and we settled in on quite a chat. When I mentioned my lack of luck finding a PhD advisor and why she started to laugh, and then said that her advisor at UCL called it "academic masturbation" which kind of surprised me. So I said he sounded interesting and would like to meet him. At which point she said "come" and waved to me to follow, across the other side of the room to a group of people. She addressed one of them by his christian name pointed to me and said that I had a masturbation problem" which caused more than one drink to be spilled. Thankfully she immediately explained the problem I was having re an advisor. Well he smiled and said "it happens" and gently asked a few questions and I explained what it was I had wanted to do, and the problems I was having. He then said it sounds interesting and asked some much more in-depth questions about my MSc and why I wanted to do what it was I wanted to do. Any way I thought it was still a social chit chat and when he asked if I was still up for it, I explained that I now had a house and a mortgage etc and needed to work. He then got out his card and said "Give me a ring we might be able to sort something out". It was only on reading his card I realised who I was chatting to.

Anyway I did follow up and started in on it then the company I was working for moved and I ended up taking redundancy and the new job etc just did not allow the time etc which put an end to it.

Bearing in mind this was in the 1990's the subject I wanted to research was "Fault tolerant distributed partial databases".

Put simply the idea was that a large database did not have to be on a single server or cluster but could be around the world. Each server would only contain a partial image of the database and there would be different images on different servers but with a broad overlap so that the whole database was duplicated three or more times.

This was, back then kind of beyond leading edge, now more than a quarter of a century later it's what the likes of Google and Co do fairly routinely...

As for the Russian Girl I went out with her a few times and they were fun times, then two things happened at the same time I damaged my dodgy leg again and ended up in a cast from the foot to above the knee which kind of put me out of action, and I discovered she was married to somebody who lived within walking distance of my front door... I used the leg as an excuse to cool the relationship down and then tactfully break the relationship off... It's something I've regretted quite a few times since, when I've bumped into her, even in her forties she is still striking and good fun and doing rather well for herself.

Wael • January 13, 2019 5:50 PM

@Clive Robinson,

My story is too dull to share.

    Sorry to hear you also went down the same journey.

In the grand scheme of things, it's really insignificant. A journey, nonetheless!

Clive Robinson • January 14, 2019 4:31 AM

@ Wael,

    In the grand scheme of things, it's really insignificant.

Hmm...

As I've mentioned before it's a matter of viewpoint.

As the earth is effectively a convex ball it's fairly close to being a sphere.

Now wherever you stand on a sphere you are by definition at your zenith. The implication of this is there is a plane beneath your feet, normal to your zenith.

Thus every body else on earth must if they are likewise standing there have their zenith beneath your plane. Thus,

    From your POV everyone is beneath you ;-)

There you are you now have mathematical proof you are not, insignificant in the general scheme of things :-D

Does that make you feel better?

Wael • January 14, 2019 6:02 AM

@Clive Robinson,

    Does that make you feel better?

Your attempt does :) I don't want anyone benieth me. I meant one journey out of billions of possible ones. And we don't know which will work out the best. To not achieve what one desires may not be as bad as another branch. I heard a saying once: if we knew the alternative, we'd still choose the current reality. Like I said, it really does not bother me. I'd tell you if it did ;)

The skull currently feels like a balling ball. The good news is I got my drive partitions fixed :)

Clive Robinson • January 14, 2019 11:00 AM

@ Wael,

    The good news is I got my drive partitions fixed :)

Hmm I vaguely remember you said something about BSD on your system, I didn't clock it had fritzed the drive.

What's the file system you are using?

For a while BSD was not hot on journaling file systems and still favoured the old style fsck prog.

I really need to get back into BSD on PC hardware with a graphical head rather than embedded systems, and serial terminal.

But I still hanker for Debian with SysV init not that pile of bit rot Red Hat came up with ;-)

Wael • January 14, 2019 11:26 AM

@Clive Robinson,

AMD system with four drives. Two MacOS, one Mint Linux, and one FreeBSD 12 (UFS, not ZFS which gave me hard time in version 11.) Didn't makeup my mind on the fourth drive (which had legacy (not EFI) Windows 7 in a past liftime, before I trashed my partitions. But I have windows on a virtual machine on a different computer.

Bootloader is Clover EFI. It looks like this now. I need to fix the Mint icon so it does not look likr Ubuntu (which I dumped after they changed their GUI.)

Ahem...

    I don't want anyone benieth me.

I don't want to see anyone beneath me (it's not coming out right, still. lol)

    feels like a balling ball

Bowling ball.

Clive Robinson • January 14, 2019 8:32 PM

@ Wael,

    Ahem...

Yes, I put them down to either your harsh mistress or some time of the year maladie giving you the "balling"[1] feeling.

[1] if you google "definition balling" it pops up "ball" with three definitions, I'll let you look and possibly cringe ;-)

Wael • January 14, 2019 8:56 PM

@Clive Robinson,

    Yes, I put them down to either your harsh mistress or some time of the year maladie

The former, of course!

    I'll let you look and possibly cringe ;-)

I cringed when I saw your response. Knew you won't pass the opportunity and let it go. Thought I'll pre-empt it and correct it, but it didn't work.

Clive Robinson • January 14, 2019 11:35 PM

@ Wael,

    Thought I'll pre-empt it and correct it, but it didn't work.

I was going to let you get away with "liftime" and "likr" as I could not think of a way to make it entertaining...

But I could ask,

    What's wrong with your "e's" you're dropping to many at a time

But not only won't I --hrnce no quetion mark-- I'll stop at this point as otherwise you could quite fairly claim that I'm being mean.

Wael • January 15, 2019 1:57 AM

@Clive Robinson,

    I --hrnce no quetion mark--

This is a deliberate typo. Won't comment on it, as I don't accept charities ;)

    What's wrong with your "e's"

Almost! Add a "y" and an "e", and your question would be legitimate. I won't answer it, though.

    you could quite fairly claim that I'm being mean.

You[1] and a handful of others have a free pass to be mean with me. But remember that I'm like a camel or an elephant: I don't forget and I keep score ;)

[1] You got a free pass here. No expiration date. The ones who have a pass are those that can take heavy-duty humor and are able to reciprocate. @Ratio is (was?) another one.

Jon (fD) • January 16, 2019 6:00 PM

@ Clive Robinson

"Thus every body else on earth must if they are likewise standing there have their zenith beneath your plane. Thus,

From your POV everyone is beneath you ;-)"

I've stood in my backyard and watched the ISS (International Space Station) fly over. They were not beneath me.

Although you may have a point that the astronauts were not 'on earth' at the time.

J.
