An Investigation Into the Vulnerability of
the Siemens ID Mouse Professional Version 4
Aaron Ligon
Siemens Corporate Research
September 6, 2002
Links updated: 2008-02-24
Introduction
Reports of the Unreliability of Fingerprint
Recognition Security Devices
Recently, two groups have reported that they
were able to gain unauthorized access to many systems using fingerprint
recognition devices for security. This is obviously of great interest and
concern with regard to the Siemens ID Mouse Professional. The following
are summaries of the two reports from the Internet publication ExtremeTech.com
and a research group led by Tsutomu Matsumoto at Japan’s Yokohama National
University.
ExtremeTech
http://www.extremetech.com/article2/0,3973,13919,00.asp
ExtremeTech.com recently published an Internet
article, "Body Check: Biometric Systems Defeated," in which they tested
eleven biometric security devices, including the Siemens ID Mouse Professional.
The authors claimed that it was easy to "Outwit the ID Mouse with simple
tricks." They went on to outline several different methods with which they
claimed to gain unauthorized access to a system protected by the ID Mouse.
Latent Print Reactivation
ExtremeTech.com claimed that the latent prints
left on the ID Mouse's sensor could be successfully reactivated to gain
unauthorized acceptance in three ways:
- Blowing lightly on the sensor.
- Placing a water-filled plastic bag on the sensor.
- Brushing graphite powder on the sensor and applying pressure to an adhesive film on top of the powder.
The authors claimed intermittent success with
the first two methods but stated a near 100% success rate with the third.
Lifting and Moving Latent Prints
ExtremeTech.com also claimed that latent
prints left on surfaces other than the mouse could be lifted using a fingerprint
kit and placed on the ID Mouse sensor to gain unauthorized access. The
remote prints were first brushed with graphite powder and then lifted from
the surface with an adhesive. This lifted print was then placed on the
ID Mouse's sensor with light pressure. Using this method, the authors again
claimed a ‘Very high’ success rate.
Tsutomu Matsumoto
http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.html
Although Dr. Matsumoto’s report did not
directly test the security of the Siemens ID Mouse Pro, it involved very
similar devices and as such warrants interest in any investigation of ID
Mouse security. In his report, Dr. Matsumoto outlined two procedures that
he used to create gelatin ‘gummy fingers’ that possessed the same fingerprint
geometry and minutiae as a live finger. The report claimed that these ‘gummy
fingers’ could be used to bypass security on all the sensors tested.
Direct Mold
The first method involved using a molding
plastic to create a mold of a live finger. The live finger to be copied
was pressed into hot molding plastic, which was then cooled to create the
mold. This mold was filled with a 50/50 wt. mixture of gelatin and water
and then cooled to harden the gelatin into a ‘gummy finger,’ which could
be used to bypass fingerprint identification systems.
Latent Print Lifting and Photosensitive Etching
The second method outlined in Dr. Matsumoto’s
paper was considerably more complex. With this method, he claimed to be
able to take a latent fingerprint on a remote surface and use it to create
a ‘gummy finger’ that could defeat the listed fingerprint identification
systems. In this process, the latent fingerprint was first clarified using
the commonly known cyanoacrylate fuming method. A digital microscope then
scanned the latent print into a computer. Common photo editing software
was used to further enhance and clarify the fingerprint image before it
was printed onto a clear transparency. This transparency was then used
as a photolithographic mask to create an etching of the fingerprint on
a printed circuit board. This three-dimensional etching became the mold
for the gelatin and a gummy finger was created.
Using these two ‘gummy finger’ methods,
Dr. Matsumoto claimed to have successfully defeated all systems tested.
Although the Siemens ID Mouse Professional was not included in this test,
there is good reason to believe that it could be defeated using similar
means.
Testing the Siemens ID Mouse Professional 4
To investigate the accuracy of the results
above and gain an idea of the true security of the ID Mouse Professional,
the following trials were performed:
- Latent print reactivation through breathing
- Latent print reactivation with a water filled plastic bag
- Latent print reactivation with latent print powder
- Print lifting with latent print powder
- Gummy finger from a live finger mold
- Gummy finger from a photolithographic PCB mold
Latent print reactivation through breathing
Procedure
Two types of tests were performed in order
to evaluate the ID Mouse's integrated latent print rejection (LPR) algorithms.
These LPR algorithms are designed to reject any print that is identical
to the previous authenticated one, thus rejecting any latent print reactivations.
In the first type of test, the finger was placed on the sensor to create
a latent print while the ID Mouse's scanner was off. The sensor was then
breathed upon lightly to reactivate the latent print residue. Forty authentication
trials were performed with both the thumb and index finger on both the
normal and extended security modes. In the second type, the finger was
placed on the sensor and authenticated, leaving a latent print identical
to the authenticated one. The latent print residue was then breathed upon
in the same way as in the first type of test. Because of its setup, this second
type of test exercised the LPR algorithms. By comparing the results of the
two tests, the effectiveness of the LPR algorithms could be examined.
Latent print reactivation with a water filled
plastic bag
Procedure
The procedure for the water filled plastic
bag was essentially the same as that for the breathing. Instead of
breathing on the sensor, a plastic bag filled with warm water was placed
on the sensor to reactivate the latent print.
Latent print reactivation with latent print
powder
Procedure
The procedure for placing the latent print
was the same as in the previous two. After the latent print was placed, it was
covered in latent print powder obtained from a fingerprint kit. The powder
was then brushed and shaken off to leave only the powder stuck to the latent
print. Lastly, light pressure was placed on the print with scotch tape
in order to activate the sensor.
Print lifting with latent print powder
Procedure
Latent prints were placed on a transparency
by simply pressing on the surface. These prints were then increased in
clarity and contrast by using a black latent print powder. After brushing
away the excess powder, the latent fingerprint was lifted using scotch
tape. The tape and print were then placed onto the sensor with the sticky
side down and pressure was applied to activate the sensor. The method for
obtaining histograms from the gummy fingers, outlined in the next section,
was also used to compare the match score distributions of real fingers
and lifted prints.
Gummy finger from a live finger mold
Procedure
Starting with a small ball of Sculpey clay,
a mold was made from a live finger. This was done by flattening the ball
of clay and firmly pressing the live finger into it to make a clear impression.
The clay was then baked in an oven to harden it into a finished mold.
Next, a small amount of powdered gelatin
was mixed 50/50 by weight with boiling water to create a sticky gel. This
gel was then poured into the mold and placed in the refrigerator for 15
minutes to harden. Once removed from the refrigerator and pulled from its
mold, the gelatin was a flexible but non-malleable ‘gummy finger.’ The
gummy finger was then cut to size to allow it to fit onto the ID Mouse's
sensor.
Forty authentication trials were performed
with the thumb and the index finger on both the normal and extended security
modes. Also, 20 gummy finger images and 20 real finger images were captured
using the program "Fpproto v9.0 GUI". These were then encoded with fpencoder.exe
to create an .fp file for each image. The .fp files of the
20 gummy finger images were compared to the set of 20 .fp files
from the real fingers and given match scores using fpverify.exe.
From these 400 (20x20) pairings, a histogram was created to show score
distributions for the gummy finger images. The .fp files of the
20 real finger images were then compared, using fpverify.exe, to
another set of 20 .fp files from real finger images as a control.
These 400 results were also displayed in a histogram to show score distributions
for the real finger images as a comparison for the gummy finger histogram.
Gummy finger from a photolithographic PCB
mold
Procedure
Latent prints were placed on a transparency
by simply pressing on the surface. They were then brushed with black latent
print powder to clarify and create contrast. These latent prints were photographed
with a digital camera. The image from the digital camera was then printed
onto a transparency to create a mask for etching the PCB.
A printed circuit board with a photosensitive
coating was used for the etching. The mask was taped on top of this coating
and the whole board was put in direct sunlight (UV) for 45 seconds to expose
the photosensitive layer. Once exposed, the mask was removed and the board
placed into a sodium carbonate solution to wash away the remaining photosensitive
coating. After a minute, the board was placed into a ferric chloride solution
to etch the areas that had not been exposed to light because they were
covered by the mask. After approximately an hour in the etching solution,
the board was removed and washed with water. The ridge details of the mask
were etched into the board, which could now be used as a mold.
After this point the procedure and trials
were identical to that of the live finger mold method of making a gummy
finger.
Testing Results and Analysis
| Chart Key | Type of Result |
|---|---|
| 1 | Accepted |
| 2 | Print does not match with database |
| 3 | Insufficient quality for processing |
| 4 | No response from sensor |
Real Finger Control Trials
Data
| Real Finger Control Trials | Percentage of authentications |
|---|---|
| Normal Security | 92.5 % |
| Extended Security | 86.3 % |

Normal Security Level: Control

| Result | Real Thumb (occurrences) | Real Index Finger (occurrences) |
|---|---|---|
| 1 | 36 | 38 |
| 2 | 3 | 0 |
| 3 | 1 | 2 |
| 4 | 0 | 0 |

Extended Security Level: Control

| Result | Real Thumb (occurrences) | Real Index Finger (occurrences) |
|---|---|---|
| 1 | 34 | 35 |
| 2 | 4 | 3 |
| 3 | 2 | 2 |
| 4 | 0 | 0 |
Latent print reactivation through breathing
Data
Normal Security Level: Latent Reactivation (Breath), Without Latent Print Rejection (LPR)

| Result | Thumb (occurrences) | Index Finger (occurrences) |
|---|---|---|
| 1 | 2 | 0 |
| 2 | 0 | 0 |
| 3 | 8 | 0 |
| 4 | 30 | 40 |

Extended Security Level: Latent Reactivation (Breath), Without Latent Print Rejection (LPR)

| Result | Thumb (occurrences) | Index Finger (occurrences) |
|---|---|---|
| 1 | 1 | 0 |
| 2 | 0 | 0 |
| 3 | 3 | 0 |
| 4 | 36 | 40 |

Normal Security Level: Latent Reactivation (Breath), With Latent Print Rejection (LPR)

| Result | Thumb (occurrences) | Index Finger (occurrences) |
|---|---|---|
| 1 | 0 | 0 |
| 2 | 0 | 0 |
| 3 | 6 | 0 |
| 4 | 34 | 40 |

Extended Security Level: Latent Reactivation (Breath), With Latent Print Rejection

| Result | Thumb (occurrences) | Index Finger (occurrences) |
|---|---|---|
| 1 | 0 | 0 |
| 2 | 0 | 0 |
| 3 | 2 | 0 |
| 4 | 38 | 40 |

| Latent print reactivation through breathing | Percentage of false acceptances |
|---|---|
| Normal Security (without LPR) | 5 % |
| Extended Security (without LPR) | 2.5 % |
| Normal Security (with LPR) | 0 % |
| Extended Security (with LPR) | 0 % |
Analysis
The results show that although it is quite
rare to defeat the ID Mouse by simply breathing on the latent print, it
is still possible. However, it was only possible to defeat the sensor by
reactivating a latent thumbprint. Reactivating latent index fingerprints
was not possible due to their smaller area. In any case, the latent print-detecting
algorithm solves the problem of latent thumbprints by rejecting any print
that is identical to the last accepted print. This means that any latent
print reactivation will be rejected as long as it is the remnant of a previously
accepted print. The only way that this algorithm fails is if the latent
print was made after the previous acceptance. This would require the authorized
user to place his finger on the sensor and create a latent print while
the sensor is off, which serves no useful purpose. However, there is
still the slight chance that the authorized user would play with the sensor
and for some reason leave a latent print that had not been previously accepted
by the ID Mouse. In this case it is possible, although difficult (only
5% acceptance rate on normal security), for a second person to blow on
the mouse and gain unauthorized acceptance.
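The decision logic described above can be modelled in a few lines. This is an added example, not the ID Mouse's actual algorithm or code from the report: the minutiae coordinates are constructed, and the `Verifier` class, its tolerances and its thresholds are assumptions chosen to show which reactivations a last-accepted-print check catches and which it cannot. It models the decision only, not how often a sensor actually reads residue.

```python
# Constructed minutiae coordinates (sensor pixels); not real fingerprint data.
ENROLLED = [(10, 10), (20, 35), (40, 15), (55, 50), (30, 60)]


def shifted(points, dx, dy):
    """A fresh placement of the same finger lands at a slightly different offset."""
    return [(x + dx, y + dy) for x, y in points]


def overlap(reference, capture, tol):
    """Fraction of reference minutiae with a capture minutia within tol pixels."""
    hits = sum(
        any(abs(rx - cx) <= tol and abs(ry - cy) <= tol for cx, cy in capture)
        for rx, ry in reference
    )
    return hits / len(reference)


class Verifier:
    """Hypothetical matcher with a latent print rejection (LPR) stage."""

    def __init__(self, enrolled, lpr=True):
        self.enrolled = enrolled
        self.lpr = lpr
        self.last_accepted = None  # capture behind the most recent acceptance

    def authenticate(self, capture):
        # Stage 1: ordinary matching tolerates placement jitter (assumed 6 px).
        if overlap(self.enrolled, capture, tol=6) < 0.8:
            return "no match"
        # Stage 2: a capture that coincides with the last accepted one to
        # within a pixel is treated as reactivated residue, not a new touch.
        if (self.lpr and self.last_accepted is not None
                and overlap(self.last_accepted, capture, tol=1) >= 0.95):
            return "latent print rejected"
        self.last_accepted = capture
        return "accepted"


def run_scenarios():
    """Replay the report's two test types against the model, with and without LPR."""
    results = {}
    login = shifted(ENROLLED, 3, -2)    # genuine, authenticated touch
    unseen = shifted(ENROLLED, -4, 5)   # touch made while the scanner was off
    for lpr in (False, True):
        v = Verifier(ENROLLED, lpr=lpr)
        v.authenticate(login)
        # Second test type: residue of the authenticated touch is reactivated.
        results[("residue of accepted print", lpr)] = v.authenticate(login)
        # First test type: residue the device never saw has nothing to be
        # compared against, so the LPR stage cannot flag it.
        results[("residue of unseen touch", lpr)] = v.authenticate(unseen)
    return results
```
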
Latent print reactivation with a water filled
plastic bag
Analysis
The water filled bag failed to get any sort
of response from the sensor, which acted as if nothing had been placed
upon it. Thus it is clear that it is quite impossible to reactivate latent
prints using this method.
Latent print reactivation with latent print
powder
Analysis
The latent print reactivation with latent
print powder was unsuccessful as well. Firstly, putting print powder on
the mouse was incredibly messy. The sensor of the ID Mouse is located in
a depression on the top of the mouse so the print powder became hard to
remove. This caused the captured print images to be of insufficient quality
to defeat the ID Mouse. The next method of using print powder to lift a
latent print from a remote location turned out to be much more successful.
Print lifting with latent print powder
Data
Normal Security Level: Print Lifting

| Result | Index Finger (occurrences) |
|---|---|
| 1 | 4 |
| 2 | 2 |
| 3 | 0 |
| 4 | 34 |

Extended Security Level: Print Lifting

| Result | Index Finger (occurrences) |
|---|---|
| 1 | 1 |
| 2 | 2 |
| 3 | 0 |
| 4 | 37 |

| Lifted Prints | Percentage of false acceptances |
|---|---|
| Normal Security | 10 % |
| Extended Security | 2.5 % |

Analysis
These results are more troubling than those
of the breath test because the rate of false acceptance is higher and the
latent print can be lifted from anywhere. However, only index fingerprints
were used successfully and these latent prints needed to be relatively
oily to work consistently. Also, the sensor of the ID Mouse has a much
harder time reading the latent print powder than it does with a gummy finger.
However, despite the shortcomings of this method, the authorized user leaves
countless fingerprints in the course of a day, so there ought to be a few
good ones that could be used to defeat the ID Mouse.
As can be seen from the histogram, the
lifted prints that were accepted tended to have very high match scores.
However, this was a somewhat artificial problem because only the very best
lifted prints were readable, whereas almost any image captured from a real
finger is readable. This artificially inflated the percentage of lifted
prints with high match scores. As can be seen from the sensor output data
on the previous page, the method is still rather inefficient.
Gummy finger from a live finger mold
Data
Normal Security Level

| Result | Gummy Thumb #2 (occurrences) | Gummy Index #3 (occurrences) |
|---|---|---|
| 1 | 36 | 32 |
| 2 | 0 | 5 |
| 3 | 4 | 3 |
| 4 | 0 | 0 |

Extended Security Level

| Result | Gummy Thumb #2 (occurrences) | Gummy Index #3 (occurrences) |
|---|---|---|
| 1 | 31 | 23 |
| 2 | 3 | 15 |
| 3 | 6 | 2 |
| 4 | 0 | 0 |

| Gummy Fingers | Percentage of false acceptances |
|---|---|
| Normal Security | 85 % |
| Extended Security | 67.5 % |

Analysis
As the data and the histogram show, the gummy
finger worked very consistently. The data doesn't fully capture the effectiveness
of the gummy prints though. Using lifted prints, it usually takes several
tries to get a good working false finger. However, once the molds are made
for the gummy fingers, they work nearly every time. Unlike a lifted print,
the gummy finger is also very difficult to differentiate from a real finger
using only the capacitive sensor.
On the positive side, this method of making
a gummy finger requires the cooperation of the authorized user because a
live finger is needed to make the mold. The only way that it could be used
to defeat the ID Mouse would be if the authorized user were compromised.
He could then distribute his fingerprint (in the form of gummy fingers)
to his collaborators to allow all of them access to the system.
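Each false-acceptance percentage in this section rests on 40 trials per finger, so the uncertainty around it matters when the methods are compared. The following added example (not part of the original report) puts a 95% Wilson score interval on each acceptance count taken from the tables above; the series names and the choice of the Wilson interval are this example's own.

```python
import math

# Tallies copied from the report's tables: occurrences of result codes 1-4
# (1 accepted, 2 no match, 3 insufficient quality, 4 no sensor response).
TRIALS = {
    "breath thumb, normal, no LPR":   (2, 0, 8, 30),
    "breath thumb, extended, no LPR": (1, 0, 3, 36),
    "breath thumb, normal, LPR":      (0, 0, 6, 34),
    "breath thumb, extended, LPR":    (0, 0, 2, 38),
    "lifted index, normal":           (4, 2, 0, 34),
    "lifted index, extended":         (1, 2, 0, 37),
    "gummy thumb #2, normal":         (36, 0, 4, 0),
    "gummy index #3, normal":         (32, 5, 3, 0),
    "gummy thumb #2, extended":       (31, 3, 6, 0),
    "gummy index #3, extended":       (23, 15, 2, 0),
}


def wilson_interval(accepted, n, z=1.96):
    """Wilson score interval (95% for z=1.96) for an acceptance proportion."""
    if n <= 0:
        raise ValueError("need at least one trial")
    p = accepted / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def summarize(tally):
    """Return (false-acceptance rate, lower bound, upper bound, trials)."""
    n = sum(tally)
    low, high = wilson_interval(tally[0], n)
    return tally[0] / n, low, high, n


def pooled(*names):
    """Sum the tallies of several series, as the report does for gummy fingers."""
    return tuple(sum(col) for col in zip(*(TRIALS[name] for name in names)))


if __name__ == "__main__":
    for name, tally in TRIALS.items():
        rate, low, high, n = summarize(tally)
        print(f"{name:32s} {tally[0]:2d}/{n}  {rate:6.1%}  "
              f"95% CI [{low:5.1%}, {high:5.1%}]")
```

With 0 acceptances in 40 trials, the upper bound is still just under 9%, so the with-LPR breath results bound the false-acceptance rate rather than showing it to be zero.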
Gummy finger from a photolithographic PCB
mold
Data
Due to a lack of proper equipment, these trials
were not completed. Without access to a digital camera or microscope, the
fingerprint images could not be transferred to the computer after being
brushed with powder and clarified. However, this image was substituted
with an image from the ID Mouse sensor in order to test the etching part
of the process. The gummy fingers were then created according to the procedure
by using this mask made from a sensor image. These gummy fingers were not
of as high a quality as the ones made using a live finger mold and they
were unable to defeat the ID Mouse. However, they still produced recognizable
finger images and may well have worked if not for the time and equipment
constraints.
Analysis
This method has the potential for being very
dangerous but it is also by far the most complex of the methods. For someone
with no prior experience, using this method to create gummy fingers would
take at least several tries. Since the process involves so many steps,
each attempt would be quite time consuming. Of course, anyone who is determined
enough can defeat the ID Mouse. However, one must also keep in mind that
it is a relatively low-priced security measure and would not be used to
guard any truly priceless information. Any security system using the ID
Mouse is bound to have other flaws that are easier to exploit than the
mouse itself.