A pair of security researchers demonstrated a spoofing method for palm vein authentication at last month’s Chaos Communication Congress in Leipzig, Motherboard reports.
The method involved the use of an SLR camera with its infrared filter removed, allowing the researchers, Jan Krissler and Julian Albrecht, to image their own vein patterns. Having taken 2,500 images over the course of a month, the researchers homed in on one particular image, and used it to make wax models of their hands that featured fabricated versions of the same vein patterns.
Vein detection is often touted as a powerful anti-spoofing measure, since it theoretically requires a live individual; additionally, vascular patterns cannot be detected by the naked eye and require specialized, if not expensive, imaging technology. With respect to the latter issue, Krissler told Motherboard via email, “It’s enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them,” suggesting vein patterns can be surreptitiously captured without much difficulty.
While the spoofing method is unlikely to affect many everyday consumers, partly due to its complexity but also because palm vein authentication is relatively uncommon in consumer-facing contexts, an adversary with sufficient resources and time could use it to breach the more sensitive settings in which palm vein authentication tends to be deployed.
January 4, 2019 – by Alex Perala