Vein authentication, a biometric security method that scans the veins in a person's hand, has been broken, according to Motherboard. Using a fake hand made of wax, Jan Krissler and Julian Albrecht demonstrated how they were able to bypass scanners from Hitachi and Fujitsu, which they claim cover about 95 percent of the vein authentication market. The method was demonstrated at the annual Chaos Communication Congress in Germany.
While fingerprints can often be left on surfaces just by touching them, vein patterns cannot, and as a result are considered much more secure. However, this was not a problem for the researchers, who were able to copy the vein pattern of their target from a photograph taken with an SLR camera modified to remove its infrared filter.
Although building the wax hand ultimately required only one photograph and a build time of 15 minutes, getting to that point took 30 days and more than 2,500 test photos. Even the demonstration did not go entirely to plan; the researchers had to place one of the scanners under a table to prevent the light from the room from interfering with the stunt. However, now that the method has been shown to work, other researchers are likely to build on it to create a process that is more efficient and reliable.
Vein authentication is not currently used on any conventional smartphone. Instead, it is more commonly used to control access to buildings like Germany’s signals intelligence agency. In a statement provided to Heise online, a Fujitsu spokesperson tried to downplay the implications of the hack, saying that it could only be successful under laboratory conditions and probably wouldn’t work in the real world.
This isn’t the first time that Krissler, also known by the alias Starbug, has defeated important biometric security technology. In 2013, Krissler bypassed Apple’s Touch ID 24 hours after its launch in Germany, and the following year he was able to build a model of the German defense minister’s fingerprint. He has also demonstrated vulnerabilities in iris scanning technology using an infrared image and a contact lens.