Schneier on Security

Clive Robinson • November 23, 2018 12:12 PM

@ Bruce,

If this result is robust — and I assume it will be improved upon over the coming years — it will make the current generation of fingerprint readers obsolete as secure biometrics.

As described, the attack methodology is sound, but what it is exploiting is a significant failing of more modern finger print readers.

That is, as a simple approximation, it’s like saying that the string “LLLWLWWLWW” is matched by any other string of the same length with five “W” and five “L” in it “in any combination” but with much shorter strings…

It’s a major failing by those who wrote the software in the scanners, such that it causes users the least amount of problems, not the least amount of security breaches.

Thus improving the way scanners work should “in theory” work against this attack…

Oddly perhaps the software developers are not alone in this way of doing things. Conventionaly fingerprint information was stored by the number of each feature not by the patterns the features form. Rarely if ever is actuall finger print matching produced in court apparently because juries might get confused if shown it… Though from what I’ve been told, when it has been seriously questioned by the defence the prosecution have tried all sorts of tricks to stop entire images being produced… Because when the full image has been produced cases tend to stop at that point (which does not sound like a confused jury to me)…

The reason apparently is that the traditional matching process is the wrong way around. That is there is an image from an object and a suspects finger print on a card. What the analyst tries to do is imagine how the suspects image can be distorted to match that from the object… Thus it appears like reading a polygraph, the result depends on how good your imagination is, rather than something a little more repeatable as science generally asks for…

Clive Robinson • November 26, 2018 12:05 AM

@ Men in Black, VinnyG,

Fingerprints are good for the jury.

Err no they are not, in the UK you will not see fingerprint evidence presented that way in court…

The argument for not doing so that is given, is along the lines of,

The human skin is very pliable and is distorted by both the shape of the object and the resultant directional forces involved with gripping it.

It’s why I said what I did in the last paragraph of my comment of ’12:12′ above in this thread.

Put simply you have two 3D finger tips that have been stretched and distorted in the process of “projecting” into two 2D images. One on the fibgerprint card, and one from the scene of crime object. Each projection has it’s own stretches and distortions, which means the odds of the two images matching by overlay is quite minimal. Worse the projection from the object is likely not only “a partial” it’s also likely to be contaminated in many ways and broken up by the physical properties of the object thus be quite indistinct.

Thus the matching process if you can call it that is primarily to find “certain feature types” that can be counted, and match by counting them…

Because the projection distortion is primarily based on distance, over a very small area of each promenent feature the images will kind of match to the human eye, with the matching quickly getting less and less the further you go from the center of the feature…

But taken over such a small scale area of a given 2D projection the chance that two people have a prominent feature that looks the same after processing / categorisation is very very high (Which is why this “dictionary attack” against certain types of fingerprint readers works).

What a human fingerprint matcher is supposed to do after identifying prominent features,is take them and make a constelation with them, then try and overlay the constelations by “best judgment”. A big problem with this is many fingetprint images are in effect “partials” so you are trying to map only a small piece of a constalation onto another larger constalation (the one on the file card). This is a highly subjective process and very very susceptible to “confirmation bias” as independent testing has shown.

As part of the process those matching fingerprints are also supposed to note any missing or other features to rule out matches. But that can get “accidently” forgotton or put down to “other factors”…

However forensics “labs get paid by results” and it’s a competitive business these days where “market forces” and “throat slitting” are kind of synonymous…

As the police have to pay for it out of their budget you can see why “paid by results” quickly gets a sinister conitation. It’s made worse by the fact that for many crimes the police actually have the right criminal by the “Means, Motive and Opertunity” pre-filter followed by the “Modus Operandi” or “who’s style” filter followed by “who’s flapping their gums” filter. But quite often run the other way starting with “Who’s heard a whisper on the streets” via their pet Confidential Informant (CI).

The simple fact is over four fifths of crimes solve them selves because the criminals “big it up” to friends and ascociates for “respect” or “reputation” and word goes around and thus people “snitch / grass / inform”. There are two reasons why criminals “big it up” the obvious one is “stupidity” which is what we are seeing with these “Proud Boy Rappers” and simillar “what’s me app” smart device “instercrime view apps. The less obvious one is “building your C.V.” that is it’s not quite “you are only as good as your last job” but getting your name known in the right circles to get more profitable jobs or be trusted by others to bring needed skills to your jobs means you need a reputation or legand and that has to be built.

Part of that “building process” gives rise to your M.O. which is where experienced investigators get their “gut feeling” or “who looks good in the picture” for a particular job.

Thus the forensic labs getting fingerprints to test know that with a very high probability they match in some way any way. They also know that fingerprints rarely get called into question in court because judges do not like it happening in their court. Thus the chances they will get caught out doing a shody job on “meal ticket jobs” is very very low. Thus the lab needs a way to sort out “99 percenters” from the ones where they might just get challenged. It’s actually not as hard as it might first appear, evidence has a “chain of custody” thus it’s not overly difficult to work out where a particular job has come from. Secondly a seemingly innocent enquiry about “priority” will give much more information. Oh and just like criminals the police tend to talk to much “to their own” or those they see as “their own”. This latter problem is not helped by the “canteen mentality” in the lower police ranks that fosters the “For us or against us” black and white thinking. If you look back at just how easily journalists have got ahold of leads on the quiet from low rank police officers, it does not take much imagination to work out that the forensic labs would not have similar “leads” about jobs that come in…

Thus fingerprint matching has kind of dropped to the point of “reading entrails” in many cases but nobody tends to realise it.

Moving the whole shoddy process to A.I. is not going to improve things any because of the way we build such systems. That is the training data they will use will be a subset of the existing “criminal records”. As we are finding out when you do this with other criminal databases what you do is actually train the existing failures and biases into the A.I. model, so it “Carries on doing the same old same old as the human system did”… Great for cutting “head count” but as much use as a “chocolate fire guard” when it comes to improving the process on which some peoples very lives depend upon…

In short fingerprint matching like lie detectors and many other “forensic processes” are at best “junk science” at worst a deliberately ploy by some to get recognition, promotion, better pay and new job opportunities…

Oh but don’t “rock the boat” or “break rice bowls” by saying this because you will get “push back” that you will not believe as an honest Police Woman in Scottland found to her cost,

https://www.bbc.co.uk/news/uk-scotland-glasgow-west-16181875

The simple fact is nothing has realy changed in the 21 years since then, other than the introduction of computers… So that the same shody practices are now hidden behind the front of a bunch of 1U, 19″ racks that house the computers that now do the “entrail reading”.

The advantage of course of computers is “nobody is to blaim” it’s spread so thin that well, the usual applies, you get an enquirey that surprise suprise concludes,

All involved must share some measure of responsability, lessons must be learned, new procedures must be put in place, yardy yardy, quack, quack, give us a load of money and resources to do this…

Thus it’s “profitably” booted into the long grass, trebbles all round for the profit sharers, case closed, till the next profitable failing… All is as it’s supposed to be, except for all the victimes who’s lives have been ruined.

Clive Robinson • November 29, 2018 11:17 AM

@ Vas Pup, All

I forgot to mention that in reality the only thing new in the link you posted to is realy,

with a conductive “glue” made of vertically aligned magnetic particles embedded in a polyvinyl alcohol gel

Such glue is kind of the second generation after “zebra strip” developed last century for using small LCD pannels in the likes of what we would now call “Non Smart Phones” such as the Nokia XX10 range.

It just so happens if you look such glues, pastes, resins, and plastics up they have been used for some time now in connecting very very small RFid type chips to thin foil antenas and the like in bank cards, pasports and similar.

The rest of what they have done we were trying to do in the 1980’s in the London Home Computer Robot scene that used to meet at North London Polytechnic. For touch we used the “Hundred ohm foam” used for transporting chips to protect them from static.

Hundred ohm foam was essentialy a plastic foam that had a lot of carbon powder/particles in it to make it conductive. It’s actuall resistance depended on how hard you presed down on it. The more the carbon came into contact the lower the resistance. So what we did was use conductive glue we made to stick aluminium foil on one side then put that up against an etched PCB not very disililar to that you would find under the “poke dead flesh” keyboards in the likes of the Sinclair Spectrum and other low cost home computers.

We even used them as “force feed back” sensors for home made electronic music piano style keyboards such that you could measure the players force etc and some prototype games joysticks etc.

When I look back on it the alternative uses we found for hundred ohm foam were seemingly boundless, for instance it made an effective shield to use to get close enough to those combined IR and Microwave burglar alarm sensors such that they were disabled 😉 it also made cheap anechoic chamber lining for doing EM testing in and you could with care make microwave waveguide attenuators with it.