Liveness detection forces hand of biometric spoofers
Still 3D printing, advancing techniques help fraudsters up the ante
21 April, 2014
category: Biometrics, Digital ID, Library
The spoof lab
NexID maintains its own spoof lab, a veritable ground zero for any and all manner of biometric recognition experiments. It’s here that Cornett and the rest of the NexID team test not only spoof materials and methods, but sensor and scanner products as well.
The team uses the spoof lab in a number of ways. “We do vulnerability analyses on any of the devices that we can get our hands on,” says Cornett. “This helps us to learn things about different fingerprint technologies. It’s a great marketing tool for when we talk to a manufacturer because we can tell them what spoofs work on their products and provide a solution.”
When a sensor manufacturer comes to NexID, they do so with the knowledge that their product will be put through the paces to find any anomalies that would leave their product susceptible to presentation attacks. Each set of analyses is a one-off process, with every company and every product yielding different results.
“When we deploy our technology onto a platform or sensor, it’s a custom implementation,” says Cornett. “It’s custom because over time we have learned that the differences and nuances between devices – even within the same brand – are different enough that the classifier needs to be tailored to that product.”
It’s these subtle nuances that make presentation attacks so dangerous. These nuances also make the work being done at the NexID spoof lab an ever-evolving process.
There are, however, a few standards that hold true for each of NexID’s vulnerability analyses. First, Cornett and his team need a dataset of around 10,000 images to conduct a proper analysis, and for every deployment NexID conducts an image collection or dataset generation. “The live images are fairly easy to collect in a short period of time, but the spoof images are terribly onerous to mass-produce and then scan in using the target device,” says Cornett.
Thankfully, NexID has begun to see patterns develop in the materials being used. “We have about 50 different recipes that we use at our spoof lab,” says Cornett. “For every device we work with we use as many as a dozen different materials to make our spoof prints, but most of the time we can get by with using half a dozen spoof materials to comprehensively test a target device’s vulnerabilities.”
The other primary focus of NexID’s spoof lab is to decipher the next method of presentation attack, in essence, to stay one step ahead of the spoofer. “We’re like an anti-virus company in that respect, we’re trying to outthink the bad guys and discover and test different materials or technologies that they might use,” says Cornett.
Executing a presentation attack
An effective presentation attack requires a tailored approach. How durable does the material need to be? How many times will I have to use it? Is the sensor capacitive, that is, does the spoof mold need to be moist? It’s an involved process that requires great attention to detail.
Cue the “average Joe” argument.
Obtaining the necessary spoof materials is easy, almost as easy as it is to find the recipes on the Internet. Moreover, when the standard list of spoof materials includes consumer products like wood glue, gelatin, Play-Doh, latex paint, caulk and wax, the odds seemingly favor the spoofer. The choice and effectiveness of materials will often depend on the underlying technology of the fingerprint sensor in the target device.
Even execution is a relatively straightforward practice. “Prowess in making good molds takes some time; you have to get the knack of it,” says Cornett, speaking from experience. “Learning to effectively lift latent prints takes some time and practice, but we can get a good latent print off of a drinking glass or iPhone screen in under 30 seconds.”
What, then, would an actual presentation attack look like? Unfortunately, by the very nature of the topic the best attacks go undetected, but Cornett explains the general approach.
“Even if you had a van out front of the building with all your spoof making supplies – computers, molds, imaging equipment, etc. – you’re not going to be able to grab the target device, return to your van to make molds to conduct the attack and get back inside to replant the device in less than an hour; you’re going to have to make two trips,” explains Cornett. “On the first trip, you would lift the latent print and take it back to the comfort of your lab where you would build and test an array of spoofs. The second trip would be to return for the actual target device and presentation attack.”
Cornett’s response to the claim that the average Joe won’t be able to do this?
A capable spoofer is not going around trying to snatch phones from everyday people, he explains. “The perpetrator is someone more sophisticated, who is going after a high-value target – government official, politician, corporate executive, etc. – someone whose data is worth going through that trouble to obtain.”
Unfortunately, where there’s a will, there’s a way. “Nearly every sensor manufacturer is vulnerable,” claims Cornett. “Some are better protected than others because they’ve deployed their own spoof detection technologies, but 85-90% of the products shipping in the field today are highly vulnerable.”
The mobile frontier
At the risk of beating a dead horse, Apple’s Touch ID sensor marks a new age in biometrics. Many believe the future for biometrics lies in the mobile sector, with consumer electronics poised to lead the way. But the shift to mobile also means presentation attacks will evolve, which raises the question: what will the future of mobile biometrics hold?
“Historically our customers have been the manufacturers of peripheral devices that are controlled by PCs, laptops and servers, and the original development of our software was targeted to that platform,” says Cornett. “With those initiatives, computing resources were very plentiful, but with the move toward the mobile and general embedded markets – door access terminals, payment terminals, etc. – we have had to begin re-architecting our application to achieve the same or better performance with much fewer resources.”
Cornett is referring to not only a pinch in computing resources but image quality as well. “Our initial attempts to port to those platforms have either required too much execution time or they required us to strip out some of the liveness detection and live with a higher error rate.”
The re-architecting efforts are progressing, bringing the application’s memory footprint down dramatically. “We’re confident that we will maintain the same or better performance on the mobile platform in the future,” says Cornett.
On the academic side, the work being done by Schuckers and the team at Clarkson stresses the importance of understanding the vulnerabilities as much as of making progress against them.
“I encourage the field to put in place as many factors as possible for presentation attack detection, but I also think we need to recognize that the biometric itself has vulnerabilities just like any other security measure,” says Schuckers. “We need to be aware of what those vulnerabilities are, look at the way we’re using biometrics and assess those vulnerabilities.”
Advancing spoof materials create new breed of attack
The technology behind presentation attacks is undoubtedly evolving and the majority of materials remain common, everyday consumer products. According to Cornett, however, a new generation of spoof materials may already exist.
He explains that when you take the mold-making process a step further with the advances in 3D printing, the presentation attack takes on a new level of danger. One particular feature of the fingerprint that may be overlooked in practice is the moisture that is naturally secreted by the skin’s pores. This is one of the key elements that makes capacitive-touch sensors tick, and as Cornett explains, spoofers may soon have a way around this as well.
“We’re talking to a couple of 3D printing companies and encouraging them to come up with a poly-hydrogel material – think a semi-porous gummy bear – that can absorb and diffuse liquid,” says Cornett. “Imagine printing a 3D finger with image properties similar to a real finger that also has the ability to diffuse saline or oil solutions.”
Accounting for the smallest details, such as pore moisture, would seem to make a presentation attack an easier feat. NexID, however, sees it as an opportunity to further deter attack.
“If you can create a spoof to that caliber and then develop a countermeasure to that with software, then you would be hard pressed to find a bad guy with that level of ability,” says Cornett.