Computer security experts have described how attackers can easily circumvent authorization systems based on scanning and analyzing subcutaneous blood vessels. The biometric authentication researchers shared how this is done at the annual Chaos Communication Congress, traditionally held from 27th to 29th December, which brings together computer hacking experts from around the world.
In recent years, devices and security systems have increasingly relied on so-called biometric authentication methods, in which software and hardware scan a person's unique physiological characteristics to grant access to computer systems. Examples of such systems include the fingerprint scanner and Face ID, the technology used in the iPhone to grant access to the device based on the user's facial features. One of the most modern and sophisticated biometric security methods is so-called palm vein pattern identification, which, as the name implies, scans the size, shape and arrangement of the subcutaneous blood vessels in the user's hand. But as it turned out, hackers were able to bypass it.
Biometric security system — not a panacea
At the annual world hacker congress held this week in Germany, digital security researchers described how they managed to create an artificial wax hand and use it to fool a subcutaneous blood vessel scanning system.
“The irony is that this authorization method is positioned as a high-end, advanced security system. But you only need to slightly modify a normal camera and use some pretty cheap materials, and then you can hack it without problems,” says Jan Krissler, better known in hacker circles under the pseudonym “starbug”, who conducted the study of identification by blood vessel pattern together with another expert on hacking computer systems, Julian Albrecht.
Identification by blood vessel map uses algorithms to compare the pattern of veins in the user's hand with reference information about that person held in a database. According to the latest German media reports, such a system is used, for example, in the new Berlin office of Germany's Federal Intelligence Service.
A couple of the slides that Krissler showed during his presentation
One feature that distinguishes authorization based on scanning subcutaneous blood vessels from the more traditional fingerprint scanning is that it is harder for an attacker to work out the structure of the user's blood vessel map beneath the skin. With fingerprints, obtaining a duplicate is much easier. For example, a sample print can be taken from the traces a person leaves on objects they have touched, or from high-quality photos of the fingers.
Krissler and Albrecht created their imitation palm from photographs of their own hands. To capture a sample of the blood vessel map, they used a conventional SLR camera with the infrared filter removed.
“Images of hands taken from a distance of about 5 meters are quite enough. To arouse less suspicion from the victim, such images can easily be obtained, for example, at that person's press conference,” says Krissler.
Over a total of 30 days of research, Krissler and Albrecht took more than 2,500 photographs of hands, eventually selecting the most successful ones for maximum effectiveness. The hackers then cast wax models of hands and applied the blood vessel map to their surface.
“When we first deceived the authorization system, I was very surprised at how simple it is,” adds Krissler.
Krissler and Albrecht shared the findings of their work with Fujitsu and Hitachi. According to Krissler, Hitachi was very interested in the research and even sent its employees to discuss the details. Fujitsu, in turn, has not responded to messages and requests.
It should be understood that Krissler and Albrecht worked on this study for only about a month. With sufficient funding and resources, a potential adversary could therefore repeat these results on a larger scale. Adding to the concern is the fact that the sites protected by such security systems typically include large multinational corporations and government organizations, including military ones, which may be of great interest to adversary states.
“Biometrics is an ongoing arms race. Manufacturers are constantly trying to improve their security, but hackers always come back and try to crack these systems,” sums up Krissler.