Attacks on Biometric System-Computer Science Writeup Sample



Using APA formatting and the documents attachedwrite a 2000 word paper that explains attacks on the biometric systems we have covered in the text. Also explain if the attacks are cost effective and give you opinion on whether or not you have the motive, means and equipment necessary to accomplish the attacks. (Be sure to include additional sources that you find to support your discussion.)

How to Attack Biometric Systems in Your Spare Time

Need 8-10 refernces with intext citations, please send pdfs or links of all refernces, use apa format





Attacks on Biometric System

Security systems have always been a primary concern for the human race, and since the development of first locks, there have been various attempts to make them more secure. In this race, the latest technology of Biometrics is relatively different and revolutionary too. Biometric systems are the current generation of technologies which offer a stronger factor of authentication. As the name suggests, these systems utilise biological metrics which are either physiological metrics such as fingerprint, iris, palm prints and voice or are behavioural metrics such as handwriting, speech, etc. These metrics are now replacing traditional systems of using keys (tokens) or passwords (knowledge) for authentication. [1] Unlike other systems where they Key or password could be used by anyone,, biometric provide one clear advantage which is they differentiate genuine users from imposters much better than any other systems. For all the advantages of biometric systems, they are being highly useful for authentication and access, and also have found uses where no other systems could be used, such as recording attendance! [2]

But since no system is a perfect one, nor is the biometric system. It also has its own set of vulnerabilities. The biometric systems are being used in multiple places, in government, commercial and forensic applications, and they must be secure. In the past few years, various malicious attacks, which are increasingly becoming difficult to detect are not only increasing each day but are also being smart. The vulnerabilities of such a system must be detected, else the system can be prone to an attack in future. For this purpose, various digital attacks can be useful. These attacks show how a biometric template could be resolved. There are various ways to attack a biometric system, nine to be precise. The paper will cover all aspects of such attacks, and how they can be carried.

Biometric System Model

To attack any biometric system, the components of its model must be fully understood. A general biometric system, using a biological metric will have five modules. Each module and the connectivity within the module are susceptible to various attacks, which are nine in types. The modules are –

  1. Scanner – This module is used for the acquisition of Biometric’s data of individuals in form of signals, images, videos, etc. This is vulnerable to the attack of type 1.

  1. Feature Extractor – The data signal of biometric sent from scanner reaches here. Here, the feature set is extracted from the data and then sent to the next module, matcher. The feature extractor can be vulnerable to type 3 attack.

  1. Stored Templates – This module is a database which contains the biometric standard data of the user and already has preoccupied feature sets. Stored templates are used while matching data of feature extractor to know if they are correct or not. This database is vulnerable to type 6 attacks.

  1. Matcher – It is the primary module on any biometric system. It receives biometric feature set from feature extractor and then matches it with the standard data set of the database. After each matching, scores are generated to determine if the extracted feature set is correct or not. It is the decision-making module and it can be vulnerable to attacks of type 5.

  1. Device – The application device uses data of the matcher module to provide access or to allow a certain task. If there is a match in the two sets of features, it will allow access else it will revoke access. The devices can also be vulnerable to attacks, which are of type 9.[3]

Now, there are nine types of attack points, or simply attacks.

  1. Type 1 attack

This attack occurs at the scanner part and can either be done by physically destroying the scanner on denial of service. Or, a fake biometric trait can also be created to fool the recognition scanner module. This problem is more often seen in biometric systems which use a fingerprint as a trait. Fingerprints can be easily faked using silicon glue or plaster module copy from which thin silicon dummy fingerprints be created. They can be faked easily. Such prints can also be taken from glass surfaces. Nearly all such scanners fail to understand such attacks. For iris based systems, a high-quality print of iris can also be used.

  1. Type 2 attack

This attack occurs in between the channel connecting scanner module with the feature extractor module. These module transfers acquire data to the scanner to get feature sets, and if an attacker beaches this communication channel, then it can extract the feature set of traits and make its copies. These can then be used to carry out Type 1 attacks, precisely better. This is also called a replay attack.

  1. Type 3 attack

The feature extractor module can be attacked using a Trojan horse program and thus replacing the feature extractor module completely. This Trojan horse can then send a desirable feature set to the matcher and thus surpass the system, or collect valuable standard data sets.

  1. Type 4 attack

This type can attack the communication channel existing between the matcher and the feature extractor. It is much similar to the type 2 attack. In this, the focus is to extract original legitimate data set of the user from the matcher, during the matching process. This data can later be replayed to the scanner or through feature extractor to bypass such systems. Type 4 attacks can be carried out in various ways, as suggested by Alder [4] and Uludag and Jain. [5] The attacks could break many existing biometrics and could be lethal.

  1. Type 5 attack

This attack occurs directly on the matcher module and is similar to type 3 attacks. Here also, a Trojan horse replaces matcher module which will now be controlled by the attackers. Through this attack, the attacker can produce high matching scores and bypass the whole system. It can also hamper the working of such a biometric system by generating low matching scores and thus produce ‘No” to the device and thus deny service.

  1. Type 6 attack

The system database can also be vulnerable to attacks of type 6. This is simply a database breach attack, and the security of the database is compromised. This attack can be done in multiple ways, which includes using vulnerabilities of software of database or account on the database. This attack can be used to replace templates or to add a new template or modify existing template set to simply allow trespassing. This can be fine by using a neural network classifier to predict the shape of biometric and reverse engineering it.[6]

  1. Type 7 attack

The attack occurs in the communication channel between the matcher and system database. It is much similar to type 2 attack and the attacker can breach the channel to steal the standard user data and then replay it or alter it for various purpose.

  1. Type 8 attack

The communication channel between the application device and the matcher is also vulnerable to attacks. This can be done to either alter the results or replay a previously submitted result.

  1. Type 9 attack

This is the latest type of attack, and it was proposed by Ahmed Obied.[3] This types of attacks can be directed straight to a device or an application using such a Biometric System. This attack works on vulnerabilities which are already present there. A good example is a backup password or passcode which is always with laptops and smartphones, for cases when the fingerprint scanner or iris scanners, or any other Biometric scanner fails. The attacker could use this vulnerability to indirectly attack the biometric system. There are also vulnerabilities in the software as bugs such as double free or buffer overflow and can be easily exploited by a skilled attacker.

Cost efficiency ?

Most of the attacks which check vulnerabilities of biometric systems are cost-efficient, and use skills only. These attacks can be carried out by skilled individuals, who can design better Trojan horse programs to replace some of the modules. For type 1 attacks, silicon glue can be used or a plaster cast can be used. Both of these are cheap. In type 2, type 4 type 7 and type 8 attacks, where there is a need to breach communication channel, various algorithms can be used. One such algorithm approach used “Hill climbing attack”, which was put forth in use by Hill.[7] In this approach, the attack system keeps on forming minutiae sets which result in the increase of matching scores. This can also be reverse engineered to get user provided feature set, or scanner feature set. These attacks will require skills and will be cost-efficient. In type 3 and type 5 attacks, the need is to use a Trojan horse which is an executable code which replaces a given module. This can be created by skilled personnel, using just a Linux/Windows PC. For type 6 attack which is directed towards the database, is rather easy to breach. This can also be done a skilled attacker using a neural network classifier to predict biometrics class and then reverse engineering the same to get the results. This will also require the same requirement, i.e. a good PC.

Motive of attacks : Threats to a Biometric System

The motive of these attacks are simple and can be summed as below:

  • Finding vulnerabilities of a Biometric System against a possible threat

  • Defining attack types and finding solutions to stop such attacks

The biometric systems are vulnerable due to the following threats:

  1. Service Denial: This occurs due to an increased traffic response of computer and networks due to adversaries. This causes a malfunction in the accessibility of resources by the legal user.

  1. Circumvention: Attackers can also gain data and computer resources access which are to be kept confidential. This can be done through a sniffer on such a machine. The sniffer can then detect the username and password.

  1. Repudiation – This is a simple case of a threat, where a threat may seem to be happening. These threats can be multiplied if carried out by a skilled attacker.

  1. Covert Acquisition – If an attacker gets its key to open such a biometric system, then the attacker can use acknowledgement modules in a ringway.

  1. Collusion – Collusion is rather an internal threat. It occurs in those systems the user privileges are of two levels, user privileges and superuser privileges, and if a Collision of thought and working start, Collusion can be minimised especially for the selection of ports, etc.

  1. Coercion – It is an out of system threat, and it includes forcing the legal user to give the key or password for the system to an attacker. [8]

Means to attack

There can be various means to attack a biometric system and they vary on the type of biometric trait which is in use. Following are some of these means which are being used for various biometric systems:

  • Iris Spoof Database – This is common for biometric systems which are based on iris scanning technologies. Here, they use a vast public Iris Spoof Database, and then through detection check reliability of the system.

  • Print attack – It is also used in the attack of Iris based Biometric System and in this the images of iris are printed on paper and then the attack occurs at the scanner side. [9]

  • Hill Climbing Attack – This technique is used to design algorithm and programs to attack communication channels in a fingerprint-based biometric system. This attack creates smaller sets over a long time to finally create such features that matching scores get high.

  • Replay – It is done in type 2 attacks, where after breaching the channel, the matching data is then replayed to finally open the sho


The types of equipment used to carry such attacks will also vary with respect to the trait which is being used in the biometric systems. Following are some simple equipment:

  • PC – Preferably a Linux based or Mac or Windows PC is used for all the database attacks and Trojan horses.

  • Printers – High-quality printers are used in the attack on iris-based biometric systems.


The attack on any biometric system varies on the trait it uses. Since the whole world is moving towards a new age biometric systems, especially for security, the systems must be attack-proof. The attacks discussed here are cost-efficient, require good skills and help in finding vulnerabilities.


  1. Jain, A., Bolle, R., and Pankanti, S. (1999). Biometrics: Personal Identification in Networked Society.

  2. B. Schneier, B. (August, 1999). The uses and abuses of biometrics. Comm. ACM, vol. 42, no. 8, pp. 136.

  3. Obied, A. (January, 2006). How to Attack Biometric Systems in Your Spare Time.

  4. Adler, A. (September, 2003). Can images be generated from biometric templates? Biometric Consortium Conference.

  5. Jain, A., Ross, A., and Uludag, U. (2005). Biometric template security: Challenges and solutions. Proc. of 13the European Signal Processing Conference (EUSIPCO).

  6. Uludag, U., and Jain, A. (2004). Attacks on biometric systems: a case study in fingerprints. Proc. of SPIE, Security, Seganography and Watermarking of Multimedia Contents VI, Volume 5306, Pages 622 – 633.

  7. Hill, C. (1999). Towards reconstructing fingerprints from minutiae points, b.s. thesis, Australian national university. Available at:

  8. Roberts, C. (2007). Biometric attack vectors and defences. Science Direct Journal. Computer & Security. Pages 14-25.

  9. Gupta, P., Behera, S., Vatsa, M., and Singh, R. (August, 2014). On Iris Spoofing using Print Attack.


Looking for best Computer Science Assignment Help. Whatsapp us at +16469488918 or chat with our chat representative showing on lower right corner or order from here. You can also take help from our Live Assignment helper for any exam or live assignment related assistance.