
 © Julian Ashbourn 2000. This document or any part thereof may not be reproduced in any manner without written permission from the author.

Vulnerability with regard to biometric systems

 

Draft discussion paper

 

1] Definition of the term 'Biometric System'

A biometric system includes all of the hardware, associated software and interconnecting infrastructure to enable the end to end biometric process. If the biometric process is an integral part of a larger system, then this definition extends to any part of the larger system that holds relevant user data, such as directories and transaction logs for example. In addition, in such a system the process extends to the point after which authentication is complete and no longer required for the larger system to function.

 

2] Definition of the term 'Vulnerability'

In the context of this paper, vulnerability refers to the potential for the biometric system and associated data to be compromised, either by design (i.e. fraudulent activity), usage error, accident (including opportunistic fraudulent activity as a result), hardware failure or external environmental condition. In addition, it takes into account the vulnerability of the protected benefit as a result of the biometric process being compromised, whilst not specifically covering this area.

 

3] High level categories.

The following represent suggested categories for further discussion and development.

 

3.1 Physical robustness of the user facing devices.

The biometric device, together with any other equipment at the user interface, should be designed and implemented so that it is resistant both to direct physical attack and to deterioration as a result of environmental conditions. If the device and associated equipment at the user interface are attacked, then ideally it should not be possible to acquire any biometric data or associated transmission protocols as a result. The device should also ideally sense any 'tamper' activity and report this back to the central system accordingly.

The degree to which a device and its interconnections are open to attack, coupled to the possibility of acquiring relevant data or other information as a result, will suggest a measure of vulnerability. The consequences of individual and / or multiple device failure on the rest of the system should be taken into account for risk assessment purposes in the normal manner.

 

3.2 Security of physical connectivity between authentication points and the host system.

This may consist of a simple direct link between a biometric device and a host controller, such as a personal computer, or it may consist of a more sophisticated proprietary network wherein multiple devices are connected directly to a single host controller. In the latter instance, the situation may be further complicated by the presence of repeater 'nodes' or similar network devices. If any of these wired connections or associated network devices are deliberately interrupted or 'tapped' at any point between biometric device and host, then the possibility of the attacker acquiring either personal biometric data or system related protocol information will suggest a measure of vulnerability. If all such data is encrypted at source, then the relative robustness of this encryption should be taken into account accordingly. Depending on the application and physical environment, physical protection of such data links may be provided (for example armoured conduit and secure fixings), in which case the relative resistance to attack and environmental deterioration of this physical protection must be taken into account when assessing vulnerability. In addition, the probability of such a direct attack within a given environment / operational situation should be considered.

 

3.3 Security of third party networks.

If a third party network is utilised as part of the overall biometric system, for example using the Internet to connect remotely to corporate networks, then the end to end connection between host controller and back end application server should be carefully considered. For example, if authentication is undertaken at the host controller, what information is passed back through the gateway to the application server and what is the possibility of capturing this information by 'monitoring' the connection? If authentication is undertaken at the back end server, then how is the biometric data passed between the host controller and authentication engine? A combination of generic data security methodologies and protocols (SSL, IPSEC, VPNs etc.) coupled to proprietary (biometric system) data security methodologies may suggest a measure of relative vulnerability, although this may be hard to quantify until sufficient experience is gained in this respect. The ability or willingness of third party suppliers (ISPs) to guarantee integrity and security of data may also be viewed as a contributory factor towards vulnerability. Wireless networks should also be included within this category, especially the implications of 'sniffing' data thus transmitted.

 

3.4 Security of back end authentication engine and associated interfaces.

The possibility of the back end authentication process (in a networked situation) being compromised by the passing of illegal data may represent a point of vulnerability. This category should include the interfaces between the authentication engine and the directories, databases or other components that accept a decision result accordingly. For example, is it possible to bypass the authentication process by seizing control of such an interface and simply injecting the desired result? Similarly, how does the authentication engine verify that it is receiving bona fide live transaction data and not being fed a data stream from another source? The possibility that the authentication engine and its associated interfaces could be fooled in this manner will suggest a measure of vulnerability in this context.
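The two questions above (can a decision be injected on the interface, and can the engine be fed a replayed stream?) are answered in practice by binding each decision to a fresh challenge and authenticating it with a key the interface does not hold. The following is an added illustration, not code from the paper or from any product it discusses: the consumer of the decision issues a nonce, the authentication engine returns its verdict together with an HMAC over nonce, user and result, and the consumer grants access only for a fresh, authentic 'match'. The shared key, the user names and the scenario timings are all constructed for the example.

```python
import hashlib
import hmac
import json
import os

# Constructed shared secret for the illustration only; a deployed system
# would provision a per-link key rather than embed a literal in source.
SHARED_KEY = b"constructed-demo-key-not-for-use"


def canonical(nonce: str, user: str, result: str) -> bytes:
    """Canonical byte encoding of every field the MAC must cover."""
    return json.dumps({"nonce": nonce, "user": user, "result": result},
                      sort_keys=True).encode()


def sign(key: bytes, nonce: str, user: str, result: str) -> str:
    return hmac.new(key, canonical(nonce, user, result), hashlib.sha256).hexdigest()


class AuthEngine:
    """Back end authentication engine; holds the key for this interface."""

    def __init__(self, key: bytes):
        self.key = key

    def decide(self, nonce: str, user: str, matched: bool) -> dict:
        # 'matched' stands in for the outcome of the biometric comparison.
        result = "match" if matched else "no-match"
        return {"nonce": nonce, "user": user, "result": result,
                "mac": sign(self.key, nonce, user, result)}


class DecisionConsumer:
    """Directory, database or application that acts on the engine's decision."""

    def __init__(self, key: bytes, ttl_seconds: int = 30):
        self.key = key
        self.ttl = ttl_seconds
        self.outstanding = {}   # nonce -> time the challenge was issued
        self.used = set()       # nonces already redeemed (replay detection)

    def issue_challenge(self, now: float) -> str:
        nonce = os.urandom(16).hex()
        self.outstanding[nonce] = now
        return nonce

    def accept(self, msg: dict, now: float):
        """Return (grant, reason); grant only a fresh, authentic 'match'."""
        nonce = msg.get("nonce", "")
        if nonce in self.used:
            return False, "replay"
        if nonce not in self.outstanding:
            return False, "unknown nonce"
        if now - self.outstanding[nonce] > self.ttl:
            return False, "stale"
        expected = sign(self.key, nonce, msg.get("user", ""), msg.get("result", ""))
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        self.used.add(nonce)
        return msg["result"] == "match", "ok"


def run_scenarios() -> dict:
    """Exercise the interface with one genuine and three illegitimate messages."""
    engine = AuthEngine(SHARED_KEY)
    consumer = DecisionConsumer(SHARED_KEY, ttl_seconds=30)
    out = {}

    # 1. Genuine live transaction: challenge, decision, acceptance.
    n1 = consumer.issue_challenge(now=0.0)
    genuine = engine.decide(n1, "alice", matched=True)
    out["genuine"] = consumer.accept(genuine, now=1.0)

    # 2. The same genuine decision presented again is refused.
    out["replay"] = consumer.accept(genuine, now=2.0)

    # 3. A 'match' written onto the interface without the key fails the MAC.
    n2 = consumer.issue_challenge(now=5.0)
    injected = {"nonce": n2, "user": "mallory", "result": "match", "mac": "00" * 32}
    out["injected"] = consumer.accept(injected, now=6.0)

    # 4. A genuine decision delivered long after its challenge is stale.
    n3 = consumer.issue_challenge(now=10.0)
    late = engine.decide(n3, "alice", matched=True)
    out["stale"] = consumer.accept(late, now=100.0)

    # 5. A genuine 'no-match' is authentic but grants nothing.
    n4 = consumer.issue_challenge(now=20.0)
    out["no_match"] = consumer.accept(engine.decide(n4, "bob", matched=False), now=21.0)
    return out


if __name__ == "__main__":
    for name, (grant, reason) in run_scenarios().items():
        print(f"{name:9s} -> grant={grant} ({reason})")
```

The MAC covers the nonce as well as the verdict, so a captured 'match' cannot be re-used against a later challenge, and the consumer keeps the key check and the freshness check separate so that an audit log can distinguish a replayed genuine message from a forged one.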

 

3.5 Security of processes within host controller

Assuming that the biometric device is connected to the host controller via one of the established generic buses, then what is the possibility that data could be extracted covertly from within the host? For example, code could be written to monitor the FIFO buffers on a serial port and copy the data streams to another application for subsequent analysis without the host application (or user) being aware that this was happening. If this were to occur, what is the possibility that biometric data and transmission protocols could be captured, or where applicable, encrypted data could be unscrambled? If data streams were captured covertly in this manner, the infiltrator will of course have time to carefully analyse the resulting data offline. This possibility will suggest a measure of vulnerability accordingly.

 

3.6 Inherent biometric device performance.

The likelihood that a biometric device can be fooled by an impostor naturally contributes directly to vulnerability. Such impostor attempts may be undertaken via live samples from the wrong person, or perhaps via 'dummy' appendages such as false fingers, hands and so on. The accuracy of manufacturers' claimed performance figures and the environment / methodology under which they were arrived at will have a bearing on perceived vulnerability. Actual vulnerability will be harder to quantify under real world operating conditions and will depend upon a number of factors including system settings. A measure of vulnerability to attack in this manner, with a given biometric device, set up in a particular way and within a particular environment, would perhaps be assisted via independently verified performance indexes, undertaken against agreed evaluation criteria. Such criteria may be different from those used for general testing - for example, if working on the premise that many devices can be fooled under certain conditions, then what does it take to compromise the device in this way and what is the probability of this happening under representative operational conditions? Furthermore, can this be quantified in a repeatable like for like manner?

 

3.7 Overall authentication procedures

In many instances, the provision and verification of a biometric sample will represent just one part of the overall authentication process. If the process consists of multiple stages, for example, user ID, password and biometric, then the vulnerability of the weakest link should also be taken into consideration. For example, are users given the option to use a password as an alternative to the biometric? Many systems allow for this on a user by user basis. The biometric software package itself may be vulnerable in this respect, if someone with administrator rights can change these settings, or if the settings are stored in a directory or database which itself could be compromised. The overall authentication procedures should therefore be evaluated for vulnerability in themselves, irrespective of the biometric authentication performance. The possibility of configuring or reconfiguring user accounts either in the approved manner or fraudulently may represent a measure of vulnerability. This may also be application specific, depending on the technology utilised.


Conclusions

The actual overall vulnerability of a biometric system or biometric end to end process is typically made up of several areas of variable risk. If any of these areas are omitted within vulnerability assessment, then an unrepresentative conclusion will result. The difficulty lies with the number of variables involved (just some of which are covered above) and the relative difficulty of quantifying these accurately. Perhaps an answer lies in breaking down the component parts of a given system architecture and being able to apply consistent measurement / evaluation criteria accordingly. An agreed methodology for summing the relevant component 'scores' of a given system and arriving at a vulnerability index figure would perhaps facilitate a meaningful vulnerability measurement.

At the present time, such a methodology is not in place and it may require a considerable amount of work before this point is reached. In the meantime, it is suggested that describing vulnerability in relation to the biometric device itself (based upon either manufacturer supplied performance figures or independent tests) does not necessarily provide an accurate overall assessment of operational vulnerability. To what degree this is important to the end user will naturally depend upon the application in question, but an understood and repeatable method of describing and evaluating overall vulnerability would certainly be desirable.
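As an added illustration of the component based approach the conclusions suggest, and of the weakest link argument in 3.7, the following sketch combines per-component estimates into a single end to end figure. It is not the paper's methodology and the figures are constructed placeholders keyed to categories 3.1 to 3.7, standing in for the independently verified indexes the paper calls for. It models two ways components combine: routes any one of which is sufficient for an attacker (the 'AnyOf' case, where the weakest link dominates) and layered controls that must all be defeated (the 'AllOf' case), assuming the components are independent. It shows why a device-only figure understates the system, and how an optional password alternative can more than double the end to end index even when the biometric device itself is unchanged.

```python
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Component:
    """One assessed component and a constructed estimate of the probability
    that it is compromised under representative operating conditions."""
    name: str
    p: float


@dataclass
class AnyOf:
    """Attacker succeeds if any one part is compromised (independent routes)."""
    parts: List["Node"]


@dataclass
class AllOf:
    """Attacker must compromise every part (layered, independent controls)."""
    parts: List["Node"]


Node = Union[Component, AnyOf, AllOf]


def p_compromise(node: Node) -> float:
    """Probability of compromise for a node, assuming independent parts."""
    if isinstance(node, Component):
        return node.p
    if isinstance(node, AllOf):
        prob = 1.0
        for part in node.parts:
            prob *= p_compromise(part)
        return prob
    # AnyOf: one minus the probability that every route fails.
    survive = 1.0
    for part in node.parts:
        survive *= 1.0 - p_compromise(part)
    return 1.0 - survive


def weakest_link(node: Node) -> Component:
    """The single component with the highest compromise probability."""
    if isinstance(node, Component):
        return node
    return max((weakest_link(part) for part in node.parts), key=lambda c: c.p)


# Constructed figures keyed to the paper's categories; each is an independent
# route by which the biometric process as a whole could be compromised.
BIOMETRIC_PATH = AnyOf([
    Component("3.1 device tamper / data recovery", 0.02),
    Component("3.2 link tap between device and host", 0.01),
    Component("3.3 third party network capture", 0.03),
    Component("3.4 engine interface injection or replay", 0.01),
    Component("3.5 covert capture inside host", 0.02),
    Component("3.6 impostor accepted by device", 0.05),
])

# 3.7: a password offered as an alternative to the biometric is a second route.
PASSWORD_FALLBACK = Component("3.7 password alternative guessed", 0.20)


def vulnerability_index(password_fallback: bool) -> float:
    """End to end compromise probability, with or without the password route."""
    system = AnyOf([BIOMETRIC_PATH, PASSWORD_FALLBACK]) if password_fallback else BIOMETRIC_PATH
    return round(p_compromise(system), 4)


def layered_index() -> float:
    """Biometric AND password both required: the attacker must defeat both."""
    return round(p_compromise(AllOf([BIOMETRIC_PATH, PASSWORD_FALLBACK])), 4)


if __name__ == "__main__":
    print("device-only figure (3.6)   :", 0.05)
    print("end to end, no fallback    :", vulnerability_index(False))
    print("end to end, with fallback  :", vulnerability_index(True))
    print("biometric and password     :", layered_index())
    print("weakest link with fallback :",
          weakest_link(AnyOf([BIOMETRIC_PATH, PASSWORD_FALLBACK])).name)
```

With these constructed inputs the device-only figure of 0.05 becomes roughly 0.13 once the other routes are included, and roughly 0.31 once a password alternative is allowed; requiring both factors instead brings it below 0.03. The absolute numbers mean nothing until the inputs are measured against agreed criteria, but the structure is what the conclusions ask for: a consistent way to combine component scores that makes the effect of configuration choices visible.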


 Julian Ashbourn