Alongside fingerprint and iris recognition, vein recognition is one of the best-known biometric identification methods. It is used in the new headquarters of the Federal Intelligence Service (BND) in Berlin, as access control in high-security areas of companies, and at ATMs in Japan. Some laptops also have such a system built in.

It works like this: a special scanner illuminates a hand or a finger with infrared light, captures the person's unique vein pattern and compares it with the stored patterns.

The error rate is comparable to that of iris recognition. For an attacker, however, it is difficult to get hold of a victim’s pattern, because unlike a fingerprint or an iris it cannot simply be photographed and transferred onto a dummy.

Hand vein authentication at an ATM

No one knows this better than the Berlin-based security researcher Jan Krissler, alias starbug, the best-known biometrics hacker in the country. In 2013 he tricked Apple’s Touch ID on the iPhone 5s, and in 2017 the iris recognition system of the Samsung Galaxy S8. Apple now seeks his advice, but Krissler mainly conducts research at the Technical University of Berlin.

On Thursday, at the 35th Chaos Communication Congress (35C3) in Leipzig, he wants to show that the common vein recognition systems are insecure. Krissler spoke with SPIEGEL in the run-up to the Congress.

On the hunt for the vein pattern

He and the student Julian Albrecht had two problems to resolve, and they were extremely creative in doing so. First: where do you get, unnoticed, the vein pattern of the person you want to pass yourself off as? Second: how do you turn it into an artificial hand or an artificial finger?

One way to photograph the pattern is to use a modified SLR camera with a sufficiently powerful flash: “just remove the infrared filter,” says Krissler. There are instructions on YouTube for doing this; alternatively, some hobbyists offer it as a service.

As a result of the modification, the sensor can also record infrared light. When a human hand is photographed this way, the venous blood absorbs light of a certain wavelength range while the rest of the tissue reflects it, so that the pattern of the veins shows up dark in the picture. With such cameras you can get sufficiently good images even from five to seven meters away, says Krissler.

However, this only works for making the vein pattern in the palms of the hands visible. “In the fingers the veins lie deeper, so you have to shine light through them,” says the researcher. That is: the infrared LED must be positioned on one side of the finger and the lens on the other. From a distance, this is difficult. But then he shows where such a setup might be secretly hidden: in a hand dryer of the kind that hangs in washrooms.

Then the wax hand comes into play

Once you have a picture of the pattern, you build it into a wax dummy. Krissler shows a hand made of yellow wax with a printout of the pattern embedded in a second, red layer of wax, which to a scanner acts like human skin. The pattern shows through when the wax hand is illuminated with infrared light.

Krissler pointed out that only some laser printers work with particles that absorb this light and give the desired result – but as a real limitation he considers the.

Wax hand with printed vein pattern

In this way he and Albrecht have overcome, under laboratory conditions, the systems of the Japanese manufacturers Fujitsu (palm vein recognition) and Hitachi (finger vein), which are among the market leaders in this segment. Two videos that Krissler wants to show in Leipzig show how the scanners fall for the dummies. “I think it works so reliably that we could do it somewhere else,” says Krissler. “I know that the same sensors and the same software that we have tested are used ‘in the wild’.”

Fujitsu speaks of unrealistic conditions

The reactions to his research vary. The BND would not give out any public information about its security systems. “The access to the core area of the property of the Federal Intelligence Service” was “regulated by a variety of security measures,” the intelligence service said in response to a SPIEGEL request.

Hitachi, says Krissler, was very cooperative after he had let the company in on his findings.

Fujitsu responded to a SPIEGEL request that it considers the “unnoticed theft of the palm vein pattern with the corresponding practical quality” described by Krissler to be “not feasible.”

In addition, Krissler had chosen “very low and unrealistic” settings for the image quality when enrolling the real hand, which made the deception easier. He had also overcome only one element of the whole system, namely the “Fake Objective Detection” (false object detection). What other security measures Fujitsu’s technology contains, the company does not want to “publicly disclose”.

Krissler rejects the criticism: “We have not made any changes to any configuration values.” In a demonstration in the presence of Fujitsu staff he had also tested “the current software on the computers of the employees. No threshold values were adjusted there either.”

Next idea: Simulating the flow of blood using artificial veins

“The current systems of the two manufacturers are really bad,” he concludes, “especially since they are touted as high-security systems.” Could they not be improved so that they no longer fall for the wax dummies? Biometric identification methods use so-called liveness detection for this purpose. It is supposed to make sure that the user is a living human being. In the case of face recognition, for example, a camera could wait for the user to blink. For vein scanners, says Krissler, there are attempts at blood flow detection. But of course you could also produce blood vessels with 3D printers and then attach a pump and a valve to them to produce an artificial blood flow.