One of my secret pleasures is reading the hacker quarterly magazine 2600. While the quality of writing might be a bit suspect, there is real joy in the content. There is something about the hacker culture that is fascinating and endearing to mainstream IT and security folks. Whether reading articles titled Facebook Applications Revealed or Hacking the Nintendo WiFi USB Connector, or simply a carefree scan of the infamous Letters section, 2600 delivers insight and bemusement in every issue.
That spirit is alive and well in a German hacker magazine called Die Datenschleuder. A hacker group called Chaos Computer Club (CCC) has captured the fingerprint of a German government minister who is promoting the biometric identification features of the German passport. While this has previously been reported by the rather excellent Vikram Kumar blog, I couldn’t help but trot it out for my own examination.
So, what does the group do with the copy of the print? Well, according to this report, they produce a replica using some kind of silicon printing process that produces a high-quality ridged output. The CCC claim that similar reproductions have been proven to fool over 20 different types of biometric readers.
The minister’s fake fingerprint is then reproduced 4,000 times and distributed with the magazine! Ha! Their point is that fingerprints are not a fool-proof biometric, and once compromised, they are impossible to ‘reset’. You are what you are, a reality that produces a common failing in many biometrics.
Security issues notwithstanding, I think that there is a bigger point to be made here, and that is one of education, leadership and awareness. I was rather harsh on a UK politician a while back for his privacy naïveté, and this falls into the same category. However, in this case, it is not the Interior Minister that deserves the rotten tomatoes — he is clearly acting on the policy and advice of his department. The professionals in charge of identity management and authentication schemes for the government are the real red-faced ones in this case.
Many biometrics have long been under attack for their lack of effectiveness (false negatives and false positives), narrow operating environment tolerances and, in the case of fingerprints, ease of duplication. Even the mainstream ‘science’ show Mythbusters has done an exposé.
Why, then, does a sophisticated national government deploy a security solution that is so certain to fail? Is it just another example of security theatre? Surely there was someone in the room playing devil’s advocate and pointing out the weaknesses of such a solution? If so, that voice was clearly not heard, much to the embarrassment of the government in question.
And where are the CIO and CISO for the country in all this? Is this not, ultimately, a failure of IT and security leadership?