Martin Kákona, January 2001
About two years ago I was given my first fingerprint sensor. It was a simple optical sensor and I was supposed to test its quality. Results of my tests were unfavorable. I found out it was easy to log in with the sensor but I had problems to log off. It was necessary to wipe the glass surface after I logged in because otherwise the fingerprint remained on the sensor and repeatedly logged me into the system. So the user had to observe the log-in procedure and always wipe the sensor to remove the fingerprint. Following this negative experience I did not pay attention to biometrics for a quite a long while, lacking the interest and time to test other devices. Last year, however, I felt concerned to hear that several well-established companies introduced on the market chips for fingerprint sensors and launched commercial sale of attractively priced solutions for fingerprint-based log-in systems. This made me get back to the issue and investigate quality of these solutions.
To look into it, I borrowed several sensors and tried to outsmart them. When I reviewed principles used by the latest sensors I found an improved optical sensor with a thin plastic layer on the prism, i.e. instead of using glass -liquid boundary to visualize the papillary lines it used deformation of the plastic layer due to pressure exerted by the papillary terrain. As a result, this principle eliminated the problem with the traces of sweat remaining on the sensor even after the finger had been removed. It also seemed interesting to me that the finger is actually sensed three-dimensionally so the device cannot be fooled with a two-dimensional fake fingerprint. I decided to investigate how realistic fake fingerprint I need to outwit the sensor.
I tried the following:
Next, I was about to get a stamp. I was willing to pay several hundred crowns to get a fake finger, to the maximum extent similar to the real thing. However, when I saw the printed fingerprint image it occurred to me that the laser-printed fingerprint also has a certain depth. Laser printers actually apply a powder on the paper which agglomerates with it, partly penetrating the paper and partly protruding above its surface. So I simply tried to fool the sensor with the printed fingerprint. I was surprised to find out that the printout logged me in! I did not invest a crown of my own money and managed to produce a fake fingerprint on a piece of paper which the sensor failed to distinguish from the real finger. And I only used standard equipment available in my office. I did not use any special software. I used Power Point to redraw the bitmap into vectors (by the way I am not going to do it next time because the program simply is not suitable for drawing) and I did not use anything, hard to obtain or anything which might look suspicious.
The experience made me think about what actually the biometric sensor is supposed to do for the computer. I put aside for a while my technical thinking and read several leaflets advertising fingerprint sensors to log-in into IBM PC computers. Mostly, the leaflets insisted that with the new sensors users no longer needed to remember any passwords. Only a few manufacturers offered combined solutions with chip card readers. Apart from a fingerprint, these solutions also required a PIN to be entered due to the ambiguity of the biometric information. The fact is that biometric methods fail to provide always unique, repeatable information that may be used as a PIN or encryption key. In biometrics the measured fingerprint is compared with a sample fingerprint stored in a database and the result is a level of agreement with the sample, which enables it to decide whether the sensed biometric parameters belong to the given person. But back to the leaflets. The most important commercial argument was the absence of a password. The manufacturers claim that users tend to forget their passwords or write them down on the bottom of the keyboard or directly on the screen. Biometrics should therefore be used in computers not only for the purposes of identification (as it is currently used in criminal investigation practice), but also for the authentication of users. Moreover, the authentication should be entirely automatic. The sensor is supposed to automatically distinguish the actual finger from its imitation.
So I looked for a method capable of testing authenticity of the finger placed on a sensor. The best solution I could think of was a capacitor sensor. It seemed to me that it would be very difficult to simulate the capacity and conductivity of a hand. So I borrowed a sensor based on this principle.
This time I saved my time and to get a bitmap I used the so-called "window affinity" instead of software. Some of you may still remember this method from your school years.
Since I was determined to have a stamp made with my fingerprint on it I also wanted a better quality fingerprint. I approached the Criminology Institute in Prague where I also learned something useful about dactyloscopy. Although this article is not supposed to deal with this topic I would like to mention here at least one interesting fact. Fingerprints on paper (e.g. when you sign a contract or read a book) may be taken from the paper in reasonable quality even after several tens of years!
It was also interesting to see the procedure of ordering and getting the stamp. I came to a stamp shop with my pattern and asked the lady if I can get the stamp. She asked: „When do you want to have it done? Do you want only a printing block or a whole stamp?“ I said I wanted only a printing block tomorrow. The she wrote an order which said: „Based on a fingerprint, 1:1.“ I paid an advance of 50 CZK and the following day 57 CZK. All went smoothly and I totally lost my confidence in official seals. My advice to you is to keep talking to the authorities until your confidence comes back.
It was slightly more difficult to make the sensor accept the stamp. I originally intended to simply spit on the stamp and place it on the sensor. To achieve similar conductivity on the stamp surface I wanted to replace sweat with saliva. It really worked great. Unfortunately more than I wanted. The liquid got into the grooves between the lines and I obtained an inverse image of the fingerprint. I did not feel like getting an inverse stamp. I felt too proud to go to the shop again and ask for the same job, only with the inverse pattern. So I tried several other methods to make the stamp surface conductive. Eventually, the solution I found was simple. I applied a fine graphite layer on the stamp. The result was perfect and the price of my fake finger only slightly exceeded 100 CZK.
The problem of the tested sensor was that the finger capacity was measured within a certain raster, each raster segment separately, while the finger’s capacity related to the ground was not considered. The sensor only measured skin surface resistance, disregarding the other body parts. The sensor had another nasty feature: it registered any conductive liquid on its surface. It occurred to me to use this phenomenon and increase conductivity of a fingerprint which remains on the sensor even after the finger is removed. I found out that in a usual office environment water vapors may condensate on traces of sweat present on the sensor surface. In simple words, I only needed to breath on it. The traces of sweat became visible for the sensor and it responded as if the finger had been placed on it again by the authorized person!
Now try to picture the following scenario. A person who is not supposed to know some secret information comes to the office as the first one in the morning and, to make the things perfect, cleans the sensor on his/her colleague’s computer with a suitable cleaner. I used a regular screen cleaner for the purpose. There is nothing strange about having a screen cleaning spray on your desk. Later, the colleague gets to the office, logs in and starts working. After a while he leaves to get his morning coffee – he put the kettle on while booting his operating system. He actually does it the same way every day. He is very dutiful and never forgets to lock the desktop with Ctrl+Alt+Del. However, he never bothers to wipe his fingerprint from the sensor. His computer is provided with a capacity fingerprint sensor and its manufacturer insists that the sophisticated technology is capable of distinguishing between a real finger and its imitation. Meanwhile, the attacker breathes on the sensor, logs into the system and copies the data as fast as the operating system allows.
I can imagine that defenders of biometrics will object that the described situation does not exactly correspond to practical situations or that I have not tested the right devices. An unbiased reader, however, will concede that it is at, least, suspicious to offer for several thousands of crowns a sensor that may be outsmarted for free.
I have not described here all procedures I have used for testing and I have not listed all the tested devices. Quite intentionally, as I only wanted to point to the risks associated with commercial biometric products and not to favor some companies at the expense of others. If any manufacturer believes its product is better than what has been described here and decides to lend it to me, I will be happy to dedicate my time to test its quality.
In conclusion, I would like to apologize to the readers that this article fails to answer the question asked in its title.
I would like to thank to the employees of the Criminology Institute in Prague who helped me to take my fingerprints and provided me with instructions in dactyloscopy.
Explanations of Some Terms:
Papillary lines are continual comb-like tubercles separating grooves on fingers, palms and soles.
Marcants are irregularities on the papillary lines (discontinuities, branching and junctions).
Optical sensor usually uses a prism. Sweat on the finger surface alters the refraction index in the points of contact with the prism.