Security Research Centre, School of Computer and Security Science, Edith Cowan University
Place of Publication: Perth, Western Australia
David Michael Cook
Biometric access control systems are becoming more common and may be considered high-security, due to their ability to identify and validate that the person is who they purport to be. Therefore, such biometric systems are often installed in critical infrastructure facilities as a means of gaining high-security protection. To date, there has been considerable research into the effectiveness of biometric devices in recognising valid users and rejecting invalid users, and into developing standards for interoperability. However, biometric systems are vulnerable to many categories of attack, and there has been limited research into such defeat vulnerabilities.
This article presents an approach that applied a defeat evaluation methodology to three high-security biometric fingerprint readers. Defeat testing included both physical and technical integrity testing, covering attacks ranging from zero-effort to complex adversarial attacks. Physical defeat testing resulted in the attackers being able to gain entry into the internal circuitry of all three readers, with two readers having their tampers bypassed and access gained to the output relay door locks. Technical integrity testing resulted in one of the readers being defeated with an enrolled 2-dimensional fingerprint spoof and one reader being spoofed by a 3-dimensional fingerprint overlay, with all live finger monitors being defeated. These results indicated a number of significant vulnerabilities in the three biometric readers, raising concern about such systems being applied within critical infrastructure.