Threat Category: Authentication: User to Device
ID: AUT-7
Threat Description: Older biometric systems were susceptible to spoofing through methods such as printed pictures of faces and fingerprints lifted from other surfaces.
Threat Origin
Liveness Detection to Fight Biometric Spoofing [1]
iPhone 5S Touch ID susceptible to fingerprint spoofs [2]
Exploit Examples
Why I hacked TouchID (again) and still think it’s awesome [3]
CVE Examples
Not Applicable
Possible Countermeasures
Mobile Device user:
To reduce the opportunity for an attacker to conduct a biometric spoofing attack, physically secure the device (e.g., lock it in a secure container) when leaving it directly unattended.
To prevent an attacker able to successfully conduct a biometric spoofing attack against the device from automatically gaining access to sensitive data, implement multi-factor authentication mechanisms for sensitive apps or services.
Consider devices in which multi-factor biometric authentication mechanisms transform the biometric data using an additional factor (e.g., password or cryptographic token).
Enterprise:
Consider devices in which multi-factor biometric authentication mechanisms transform the biometric data using an additional factor (e.g., password or cryptographic token).
To prevent an attacker able to successfully conduct a biometric spoofing attack against the device from automatically gaining access to sensitive data, implement multi-factor authentication mechanisms for sensitive apps or services.
References
[1] J. Trader, “Liveness Detection to Fight Biometric Spoofing”, blog, 22 July 2014; http://blog.m2sys.com/scanning-and-efficiency/liveness-detection-fight-biometric-spoofing/ [accessed 8/25/2016]
[2] SRLabs, “iPhone 5S Touch ID susceptible to fingerprint spoofs”, YouTube video, 25 Sept. 2013; www.youtube.com/watch?v=h1n_tS9zxMc [accessed 8/25/2016]
[3] M. Rogers, “Why I hacked TouchID (again) and still think it’s awesome”, blog, 23 Sept. 2016; https://blog.lookout.com/blog/2014/09/23/iphone-6-touchid-hack [accessed 8/25/2016]