Vulnerability with regard to biometric systems



1] Definition of the term ‘Biometric System’

A biometric system includes all of the hardware, associated software and interconnecting
infrastructure to enable the end to end biometric process. If the biometric process is an
integral part of a larger system, then this definition extends to any part of the larger system
that holds relevant user data, such as directories and transaction logs for example. In
addition, in such a system the process extends to the point after which authentication is
complete and no longer required for the larger system to function.

2] Definition of the term ‘Vulnerability’

In the context of this paper, vulnerability refers to the potential for the biometric system and
associated data to be compromised, either by design (i.e. fraudulent activity), usage error,
accident (including opportunistic fraudulent activity as a result), hardware failure or external
environmental condition. In addition, it takes into account the vulnerability of the protected
benefit as a result of the biometric process being compromised, whilst not specifically
covering this area.

3] High level categories.

The following represent suggested categories for further discussion and development.

3.1 Robustness of the user facing devices.

The biometric device, together with any other equipment at the user interface, should
be designed and implemented in such a way as to render it resistant to either direct
physical attack or deterioration as a result of environmental conditions. If the device
and associated equipment at the user interface are attacked, then ideally, it should not
be possible to acquire any biometric data or associated transmission protocols as a
result. The device should also ideally sense any ‘tamper’ activity and report this back
to the central system accordingly.

The degree to which a device and its interconnections are open to attack, coupled to
the possibility of acquiring relevant data or other information as a result, will suggest
a measure of vulnerability. The consequences of individual and / or multiple device
failure on the rest of the system should be taken into account for risk assessment
purposes in the normal manner.

3.2 Security of physical connectivity between authentication points and the host system.

This may consist of a simple direct link between a biometric device and a host
controller, such as a personal computer, or it may consist of a more sophisticated
proprietary network wherein multiple devices are connected directly to a single host
controller. In the latter instance, the situation may be further complicated by the
presence of repeater ‘nodes’ or similar network devices. If any of these wired
connections or associated network devices are deliberately interrupted or ‘tapped’ at
any point between biometric device and host, then the possibility of the attacker
acquiring either personal biometric data or system related protocol information will
suggest a measure of vulnerability. If all such data is encrypted at source, then the
relative robustness of this encryption should be taken into account accordingly.
Depending on the application and physical environment, physical protection of such
data links may be provided (for example armoured conduit and secure fixings), in
which case the relative resistance to attack and environmental deterioration of this
physical protection must be taken into account when assessing vulnerability. In
addition, the probability of such a direct attack within a given environment /
operational situation should be considered.

3.3 Security of third party networks.

If a third party network is utilised as part of the overall biometric system, for example
using the Internet to connect remotely to corporate networks, then the end to end
connection between host controller and back end application server should be
carefully considered. For example, if authentication is undertaken at the host
controller, what information is passed back through the gateway to the application
server and what is the possibility of capturing this information by ‘monitoring’ the
connection? If authentication is undertaken at the back end server, then how is the
biometric data passed between the host controller and authentication engine? A
combination of generic data security methodologies and protocols (SSL, IPsec,
VPNs etc.) coupled to proprietary (biometric system) data security methodologies
may suggest a measure of relative vulnerability, although this may be hard to
quantify until sufficient experience is gained in this respect. The ability or
willingness of third party suppliers (ISPs) to guarantee integrity and security of data
may also be viewed as a contributory factor towards vulnerability. Wireless networks
should also be included within this category, especially the implications of ‘sniffing’
data thus transmitted.

3.4 Security of back end authentication engine and associated interfaces.

The possibility of the back end authentication process (in a networked situation)
being compromised by the passing of illegal data may represent a point of
vulnerability. This category should include the interfaces between the authentication
engine and the directories, databases or other components that accept a decision
result accordingly. For example, is it possible to bypass the authentication process
by seizing control of such an interface and simply injecting the desired result?
Similarly, how does the authentication engine verify that it is receiving bona fide live
transaction data and not being fed a data stream from another source? The possibility
that the authentication engine and its associated interfaces could be fooled in this
manner will suggest a measure of vulnerability in this context.
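
One way a component that accepts a decision result can refuse an injected or replayed one is sketched below. This is an added example, not part of the original paper; the message layout, the names `sign_decision` and `DecisionVerifier`, the pre-shared key and the 30 second window are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_S = 30  # assumed freshness window for a decision message


def _tag(key, body):
    # Canonical JSON so both sides compute the MAC over identical bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_decision(key, user, nonce, decision, ts):
    """Authentication engine side: bind the result to user, nonce and time."""
    body = {"user": user, "nonce": nonce, "decision": decision, "ts": ts}
    return {"body": body, "tag": _tag(key, body)}


class DecisionVerifier:
    """Consumer side (directory, database, door controller) of the interface."""

    def __init__(self, key):
        self._key = key
        self._pending = {}  # nonce -> user the challenge was issued for

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = user
        return nonce

    def accept(self, message, now=None):
        now = time.time() if now is None else now
        body = message.get("body")
        tag = str(message.get("tag", "")).encode()
        if not hmac.compare_digest(_tag(self._key, body).encode(), tag):
            return False  # injected or altered result
        # Nonce is single use: a captured "match" cannot be replayed.
        if self._pending.pop(body["nonce"], None) != body["user"]:
            return False
        if abs(now - body["ts"]) > MAX_AGE_S:
            return False  # stale message
        return body["decision"] == "match"
```

The same binding of nonce and MAC can be applied in the other direction, from capture device to authentication engine, to address the question of whether the engine is receiving live transaction data.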

3.5 Security of processes within host controller

Assuming that the biometric device is connected to the host controller via one of the
established generic buses, then what is the possibility that data could be extracted
covertly from within the host? For example, code could be written to monitor the
FIFO buffers on a serial port and copy the data streams to another application for
subsequent analysis without the host application (or user) being aware that this was
happening. If this were to occur, what is the possibility that biometric data and
transmission protocols could be captured, or where applicable, encrypted data could
be unscrambled? If data streams were captured covertly in this manner, the
infiltrator will of course have time to carefully analyse the resulting data offline. This
possibility will suggest a measure of vulnerability accordingly.

3.6 Inherent biometric device performance.

The likelihood that a biometric device can be fooled by an impostor naturally
contributes directly to vulnerability. Such impostor attempts may be undertaken via
live samples from the wrong person, or perhaps via ‘dummy’ appendages such as
false fingers, hands and so on. The accuracy of manufacturers' claimed performance
figures and the environment / methodology under which they were arrived at will
have a bearing on perceived vulnerability. Actual vulnerability will be harder to
quantify under real world operating conditions and will depend upon a number of
factors including system settings. A measure of vulnerability to attack in this manner,
with a given biometric device, set up in a particular way and within a particular
environment, would perhaps be assisted via independently verified performance
indexes, undertaken against agreed evaluation criteria. Such criteria may be
different from those used for general testing. For example, if working on the premise
that many devices can be fooled under certain conditions, then what does it take to
compromise the device in this way and what is the probability of this happening
under representative operational conditions? Furthermore, can this be quantified in a
repeatable like for like manner?

3.7 Overall authentication procedures

In many instances, the provision and verification of a biometric sample will represent
just one part of the overall authentication process. If the process consists of multiple
stages, for example, user ID, password and biometric, then the vulnerability of the
weakest link should also be taken into consideration. For example, are users given
the option to use a password as an alternative to the biometric? Many systems allow
for this on a user by user basis. The biometric software package itself may be
vulnerable in this respect, if someone with administrator rights can change these
settings, or if the settings are stored in a directory or database which itself could be
compromised. The overall authentication procedures should therefore be evaluated
for vulnerability in themselves, irrespective of the biometric authentication
performance. The possibility of configuring or reconfiguring user accounts either in
the approved manner or fraudulently may represent a measure of vulnerability. This
may also be application specific, depending on the technology utilised.


The actual overall vulnerability of a biometric system or biometric end to end process is typically
made up of several areas of variable risk. If any of these areas are omitted within vulnerability
assessment, then an unrepresentative conclusion will result. The difficulty lies with the number of
variables involved (just some of which are covered above) and the relative difficulty of quantifying
these accurately. Perhaps an answer lies in breaking down the component parts of a given system
architecture and being able to apply consistent measurement / evaluation criteria accordingly. An
agreed methodology for summing the relevant component ‘scores’ of a given system and arriving at a
vulnerability index figure would perhaps facilitate a meaningful vulnerability measurement.

At the present time, such a methodology is not in place and it may require a considerable amount of
work before this point is reached. In the meantime, it is suggested that describing vulnerability in
relation to the biometric device itself (based upon either manufacturer supplied performance figures
or independent tests) does not necessarily provide an accurate overall assessment of operational
vulnerability. To what degree this is important to the end user will naturally depend upon the
application in question, but an understood and repeatable method of describing and evaluating overall
vulnerability would certainly be desirable.

Julian Ashbourn

September 2000