Researchers spoof biometric palm vein recognition system with inexpensive fake
Security researchers at the Chaos Communication Congress in Leipzig, Germany, have demonstrated a successful spoof attack on a hand-vein biometric reader using a modified camera and a fake hand made out of wax, reports Motherboard.
Jan Krissler, also known as Starbug, and Julian Albrecht created the fake by removing the infrared filter from an SLR camera, and taking 2,500 pictures over 30 days to capture a useable image of veins under the subject’s skin. Krissler says the photos can be taken from 5 meters away. They used the image to create a vein pattern in a model hand made out of wax, which was accepted by the biometric system.
Vein recognition is used for access control at the new headquarters of Germany’s signal intelligence service, the BND.
“It makes you feel uneasy that the process is praised as a high-security system and then you modify a camera, take some cheap materials and hack it,” Krissler told Motherboard. He also said he was surprised by how easy it was to make the spoof successful.
The researchers shared their findings with Fujitsu and Hitachi, both of which declined to comment.
“Biometrics is always an arms race,” Krissler says. “The manufacturers improve their systems, the hackers come and break it and then it goes back on.”
The market for vein recognition biometrics is expected to grow at a 27 percent CAGR by 2021.