Assessing Vulnerabilities of Biometric Readers Using an Applied Defeat Evaluation Methodology

Access control systems using biometric identification readers are becoming common within critical infrastructure and other high security applications. There is a perception that biometric, due to their ability to identify and validate the user, are more secure. However, biometric systems are vulnerable to many categories of attack vectors and there has been restricted research into such defeat vulnerabilities. This study expands on a past article (Brooks, 2009) that presented a defeat evaluation methodology applied to high-security biometric readers. The defeat methodology is represented, but applied to both fingerprint and back-of-hand biometric readers. Defeat evaluation included both physical and technical integrity testing, considering zero-effort to adversarial complex attacks. In addition, the evaluation considered the whole device and not just the biometric extraction and storage device. The study found a number of common vulnerabilities in the various types of biometric readers. Vulnerabilities included the ability to spoof optical readers with another person’s extracted print, use of inanimate objects to enrol and validate, defeat of live detection and the ability to by-pass the biometric reader. Optical sensors appeared the least secure, with capacitive the most secure. An awareness of the vulnerabilities and limitations of biometric readers need to be propagated, as such readers should not be considered high-security by default. As this study demonstrated, most of the readers had some inherent vulnerability that was not difficult to exploit, in particular, from an insider’s perspective.