Vein authentication hacked with fake wax hand

Two security hackers have managed to bypass a vein authentication security system by using a fake, wax hand, according to a Motherboard report.

Security researchers, Jan Krissler and Julian Albrecht, constructed a fake hand made out of wax to show how they were able to circumvent a vein authentication scanner created by both Hitachi and Fujitsu, which they claim makes up 95% of the systems used in the vein authentication market.

The researchers showcased their new technique at Germany’s annual Chaos Communication Congress.

Vein authentication

Vein scanning systems, like many other biometric technologies, use a computer to scan and verify a user’s veins by scanning the shape, size, and position of a person’s vein inside their hand.

The researchers were able to successfully copy a person’s vein layout from a photograph captured with an SLR camera that had its infrared filter removed.

This enabled them to craft a wax model of the user’s hands that included their veins.

“It’s enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them,” Krissler told Motherboard.

“…when we first spoofed the system, I was quite surprised that it was so easy,” he added.

Although the whole process took around 15 minutes, getting to that point took the researchers a total of 30 days and over 2,500 test images for them to replicate the vein patterns.

According to Motherboard, Krissler and Albrecht contacted Fujitsu and Hitachi to inform them of their findings, but only Hitachi agreed to the presentation of their new technique of bypassing biometric security technology.

Fingerprint scan

This isn’t the first time that Krissler was able to get past security scanners. In 2013, he was able to circumvent the fingerprint scanner from Apple within 24 hours of its introduction in Germany.

A year later, he demonstrated how he was able to construct a model of the German defence minister’s fingerprint.  He was also able to detect flaws in the iris scanner on the Samsung S8.

According to Heise Online, a Fujitsu spokesperson said that this method could only work in a laboratory and not in the real world.

Related Posts