Prison Pulls Plug on Fingerprint Lock
Biometric systems are entering the mainstream of security and access control as the technology improves and system costs come down. All security applications are challenging, and one of the toughest environments is correctional facilities where you can find a large population of people who have time on their hands and mischief on their minds. Some, perhaps, with experience defeating security systems.
In a recent article, The Scotsman reported that gates using biometric locks in a Scottish prison had been rendered wide open by the prison population due to a fault in a biometric locking system. Prisoners were able to access high-security areas within the facility before the problem was brought to the attention of a prison official by a resident informant. While no prisoners were in a position to escape from the facility, their freedom of movement endangered the safety of inmates and staff.
This particular system used a biometric locking system where a guard would enter a PIN number followed by a fingerprint scan. Both the PIN and correct fingerprint are required and typically the PIN is used to select a pre-enrolled fingerprint to make a one-to-one match to the current scan.
While fingerprint sensing and fingerprint matching are imperfect sciences, state-of-the-art systems are more than capable of uniquely identifying the prison population and prison visitors, let alone the prison staff. And if the system is set up to verify that an enrolled fingerprint matches the current scan, as the PIN & scan system suggests, the accuracy should be very high indeed.
The nature of the failure in this case was not reported, but it must have been a fundamental flaw because prison governors decided that it was more economical to return to using keys rather than fixing the biometric system. We don’t know what happened at the Scottish prison, but we can take a look at ways that a biometric security system can be circumvented.
In an emergency situation a guard can be in danger if they are unable to open a door. Prisons have redundant systems to control locks, so doors can usually be opened at a guard’s request, but requesting that a door be unlocked takes time. A system could be designed with a ‘secret code’ that would open the door based only on the PIN number.
If a secret code is overused in non-emergency situations, prisoners would be able to discover it by observing the pattern as a guard types in the numbers or by looking for worn or overused keys. Prisoners may even put a tracing substance, like dust, on the keypad to see which numbers were entered. Once four digits are known there are at most 24 permutations to guess. Some PIN readers digitally scramble the numbers on the keypad to prevent this type of detection.
An even more straightforward method for a prisoner to learn a PIN code would be for a guard to share the code with a trusted inmate. Whether by eavesdropping, direct communication, or simply guessing, it would be difficult to keep a secret in this environment.
Identity Theft, or at Least Borrowed
Identity theft is usually associated with the illegal use of another individual’s identity to obtain cash or credit. In the case of access control, the identity can be used to open doors. If the PIN is known, all that is left is to produce a fingerprint.
The type of fingerprint detection used in the prison was not specified, but the Scotsman reported that the fingerprint sensor has a glass cover, suggesting an optical scanner. Optical scanners are more rugged than other sensors, such as capacitive, but have the drawback that they can be fooled by an image of a fingerprint or a print left on the glass. Residual fingerprints can be enhanced with a dark powder and pulled on clear adhesive tape to create an image that may fool an optical sensor.
Successful residual fingerprint attacks on capacitive sensors have also been reported. Some methods are as simple as blowing on the detector and letting humid breath enhance the capacity of a latent print. Other methods involve enhancing a residual print with a conducting powder, like graphite, and pulling it with tape.
It is not difficult to find a clean print left behind by someone. For example, the fingerprint scanner itself would be an excellent place to look for a high quality print left by a legitimately enrolled person. Some sensor designs require the person to swipe their finger over the sensor surface so that no prints are left on the detection surface.
State-of-the-art systems can be equipped with ‘live’ detectors to verify that a living finger is present. Liveness detectors look for things like temperature, a pulse, perspiration, blood-oxygen, or sub-dermal imaging in a finger. Other life detection techniques use software based algorithms that are trained to recognize fake or dead fingers. Unfortunately, liveness detection is not easy and adding detectors makes systems more expensive. There is concern that some of the life detection methods can also be fooled.
Another way that a biometric security system can be made less secure is to lower the threshold used to determine a match. Matching algorithms use a mathematical ‘goodness of fit’ calculation along with a pre-selected rejection criterion. The goal is to accept the correct fingerprints and reject the wrong ones. There are two types of errors that the system can make, either accepting the wrong print or rejecting a legitimate one.
Some systems give the end-user the ability to adjust the threshold level to suit their environment and operating conditions. If the threshold is set too low, however, similar prints will start to be judged as ‘close enough’ even if they are scanned from a different finger or even a different person. A poorly designed system can even allow a threshold to be set so low that any fingerprint will pass.
In a situation where the delay due to a false rejection of a fingerprint scan can be dangerous, such as in a prison, it might make sense to hedge the cutoff in favor of a more generous acceptance standard. But it wouldn’t be necessary to lower the cutoff to the extent that the likelihood of a false acceptance is significant.
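The threshold trade-off described above, as an added example that is not part of the original article: it computes the false-accept and false-reject rates over constructed match scores, finds the most lenient threshold that still keeps false accepts within a policy limit, and refuses any operator setting below that floor. The scores, the 0-100 scale and all function names are assumptions made for illustration.

```python
# Added illustration: scores, scale (0-100, higher = closer match) and names
# are constructed assumptions, not data from any real fingerprint matcher.

# Constructed scores for scans of the enrolled finger (genuine attempts)
GENUINE = [91, 88, 84, 79, 95, 73, 86, 90, 68, 82]
# Constructed scores for scans of other fingers (impostor attempts)
IMPOSTOR = [12, 35, 41, 22, 58, 30, 47, 64, 18, 27]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def lowest_safe_threshold(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Most lenient threshold (fewest false rejections) with FAR <= max_far."""
    for t in range(0, 101):
        far, _ = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t
    raise ValueError("no threshold meets the FAR limit")


def set_threshold(requested, max_far=0.0):
    """Accept an operator-chosen threshold only if it stays above the floor."""
    floor = lowest_safe_threshold(max_far)
    if requested < floor:
        raise ValueError(f"threshold {requested} is below the floor {floor}")
    return requested


if __name__ == "__main__":
    # Threshold 0 is the 'any fingerprint will pass' case: FAR is 100%.
    for t in (0, 40, 65, 70, 90):
        far, frr = error_rates(t)
        print(f"threshold={t:3d}  FAR={far:.0%}  FRR={frr:.0%}")
    print("floor for FAR=0:", lowest_safe_threshold(0.0))
```

On this constructed data the floor already gives no false rejections, so relaxing the setting further would add false accepts without making entry any faster for staff.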
A More Secure System
The concept of using a single biometric, like fingerprints, is seductive. It is accurate, convenient, durable, and difficult to fool. In principle, using only biometric measures for identification should be achievable and it is one of the goals for biometric identification. But as a fairly new technology, biometric-only systems invite the danger of a complete failure due to poor design or clever attacks.
Biometrics combined with a credential, such as a security badge, are much more secure. These systems require that the enrolled person has both a physical credential and the matching biometric. The biometric, in this case, does not grant access. Instead the biometric is used to validate that the credential is being presented by the correct person. The credential is actually used as the key to gaining access.
If a biometric identifier can be reliably faked, then a badge-based system could be defeated by presenting the corresponding badge rather than entering the corresponding PIN. But unlike the biometric-PIN method, which requires you to have the fingerprint and know something, the biometric-badge system requires you to have the badge. This is much more secure because, while there is no way to know if the PIN was improperly learned by someone, it is easy to notice a missing badge. So if a badge is missing it can be deauthorized and a new badge issued, thereby making the lost badge useless for access.