This is part of the VPNCity Best Practices articles, in which we explain the “What”, “How” and “Why” of each best practice: how it will improve your security and privacy in your day-to-day life, while helping you understand the technology, dispelling the myths and giving you the tools to understand why your personal privacy and security are in your hands. This part concentrates on biometrics, legislation, protection and why you should not use biometrics.
Biometrics are utilised on many smart devices for authentication, typically either fingerprint/TouchID or facial scanners. Biometric identification is being offered as a convenient alternative to a PIN code or pattern unlock. However, people do not understand the risks of using biometric data to unlock devices, as the practice is not as secure as a PIN code.
Whilst this seems unusual, as a fingerprint is unique to every person and a face is very hard to replicate, it is very easy to fool a smart device into unlocking by using biometric information.
People can hack your fingerprints
Because of the oils in our skin, we leave fingerprints everywhere: door handles, railings, computer screens, cups and in my case, my glasses. A lot. As such, we are leaving copies of our fingerprints everywhere and this is why forensic teams look so intently for fingerprints at a scene. The FBI’s Integrated Automated Fingerprint Identification System includes tens of millions of prints not related to criminal activity, collected from military personnel, government workers, and other innocents. And government files are not always secure. The 2015 data breach at the US Office of Personnel Management included 5.6 million fingerprints.
In 2008, the Chaos Computer Club was able to replicate and use the fingerprint of a German politician who had proposed implementing biometrics. They did this as a protest and an example that biometric data was insecure. The group used a high resolution photograph to recreate his fingerprint. In 2013, they did it again but used latex to create a fake finger to open a lock. More recently, the approach has been repeated with playdough and PVA glue, highlighting just how easy it is becoming to recreate physical prints.
At the 2015 Black Hat convention in Las Vegas, a couple of security experts demonstrated a number of hacks for fingerprint locks. They built an app that mimicked a phone’s unlock screen; when used by the victim, it could approve a financial transaction. They pre-loaded fingerprints onto the phone, enabling access. They showed it was relatively easy to rebuild a fingerprint from the file used to store it. And they hacked the scanner itself, allowing them to grab fingerprint images whenever used.
Laws of the Land
Depending on where you live and local legislation, protections will be different (if they exist at all).
In the US, citizens are protected by the Fourth and Fifth Amendments. You cannot be forced to unlock your smart phone unless you are arrested, there is probable cause, Police have a search warrant, or you willingly consent to a search. You have some protection against self-incrimination and unlawful search and seizure. Within the US, Police cannot force you to unlock your device in the absence of all of the above. However, this protection applies only if you are using a PIN or a password.
If you are using a biometric authentication like a fingerprint or facial scan, the Police can force you to look at your phone or touch the TouchID sensor. The courts have also granted search orders to Police officers to enable access to a device using biometrics. The position is that a fingerprint is “physical evidence”, akin to a physical key, which can be gathered as evidence or demanded by court order. Moreover, fingerprints are readily available because they are routinely collected as part of basic Police and legal procedures. And because fingerprints are physical and not “testimony”, they are not protected by the Fifth Amendment’s clause on self-incrimination. However, if you refuse to unlock your phone, there can be consequences.
Within the UK, citizens have fewer protections as Police can utilise Section 49 of the Regulation of Investigatory Powers Act 2000 (RIPA). This means that Police are able to request disclosure if the reason is to prevent or detect crime, if it’s in the interests of national security or if it is in the interests of the economic wellbeing of the UK. This definition can be applied very widely to the extent that it can cover any crime, no matter how minor. Refusal to comply with a notice served under s49 of RIPA can result in a maximum sentence of two years imprisonment, or five years in cases involving national security or child indecency.
It is within the realm of possibility that law enforcement agencies could force or coerce manufacturers to include back doors to devices for harvesting prints through fingerprint locks. In other parts of the world Police brutality is real, just to different degrees.
You can change your password. You can’t change your Biometrics
In the worst-case scenario, where your privacy and/or security is breached, you change your password or PIN code and the issue is resolved. If someone hacked or replicated a fingerprint, that data would always exist and would allow the system to be accessed over and over. Fingerprints are forever. Once a person or collective has them, they can be reused repeatedly or sold to other malicious entities. This is particularly disturbing when you consider how many government organisations collect fingerprints and the increasing number of private firms using them for authentication.
For transparency, I do not use biometric data to unlock any of my smart devices and opt to use PIN codes for security.