Student Reflection - Joshua Sablatura
Throughout the summer of 2014, I was presented with a unique opportunity to advance my personal understanding and knowledge of the emerging field of biometric security through participation in the FAST Research Grant Project led by Dr. Lei Chen of the Department of Computer Science and Dr. Chi Yu of the Department of Forensic Science. As a participant in this research project I was able to develop a better understanding of how the biometric security systems in the iPhone 5s and the Iritech IriShield Iris Scanner function and how these systems may be circumvented.
Furthermore, this research project has provided me with an opportunity to grow and develop my skills as a professional in the security and computer science profession. This research project provided me with a unique opportunity to enhance my ability to function as a member of a team faced with the task of circumventing the security of the two test devices. My fellow research partner, R.J. McDown, and I worked together as a team to develop and carry out the benchmark testing procedures of both of the devices. After the normal baseline operation of each of the devices was determined, we brainstormed several possible attack vectors that could be used against the devices to circumvent the biometric security systems.
During the next stage of the project each of the proposed attack vectors against the device were divided between us so that further research into the effectiveness and practicality of each of the vectors can be assessed. This was done to allow us to examine each of the attack vectors before selecting the most promising vector to refine.
Unfortunately, we were unable to adequately test several promising attack vectors against the Iris Scanner due to a lack of resources primarily a high quality printer and resources to assemble a USB protocol debugger/emulator. However, we were able to pinpoint a promising attack vector against the fingerprint scanner on the iPhone 5s that could be used as a potential means to break into the device in the event of a digital forensics investigation.
This attack vector involves lifting a latent fingerprint from the physical device and then using this print to reconstruct the user’s fingerprint which can then be used in an attempt to login to the phone via the biometric system. The development of this process was extremely tedious and involved a series of trial and error experiments that helped us test and refine our attack vector. This portion of the research project was the most satisfying and rewarding because after hours of trial and error and many failed attempts we were able to successfully break into the phone.