We’ve done some investigation recently into the use of biometrics for authentication. Today, the most common are fingerprint and facial recognition, both of which are commonly used on mobile phones and starting to appear on laptops and desktops. But in this article, we want to focus on a technique that is being used in (at least) two categories of biometric authentication: near-infrared imaging. In particular, while other researchers have previously demonstrated working attacks against most of the systems we discuss in this article, much of the general information about infrared authentication is difficult to find or specific to the methodologies of successful attacks. We set out to gain a broader understanding of how infrared imaging works and what makes it useful in the authentication space.
02. “Near” Infrared?
The term “near-infrared” refers to the portion of the Infrared (IR) spectrum closest to visible light. Visible light wavelengths range from approximately 380nm on the violet side to 700-740nm on the red side. Infrared starts around 700nm and ranges up to an entire 1mm, or 1,000,000nm. Infrared can be subdivided into near-infrared, short-wavelength, mid-wavelength, long-wavelength, and far infrared categories, with near-infrared referring to the wavelengths in the 700-1400nm range. The precise subdivision breakpoints differ slightly between different standards.
The near-infrared spectrum is used today for all sorts of things. If you’ve ever wondered how night-vision works, trailcams and CCTV security cameras often capture in this range. Indoor and outdoor areas can be bathed in ~850nm light that illuminates the area in security footage but doesn’t show up in the visible spectrum.
Near-infrared also has some properties that make it interesting from an authentication perspective. First, light in the visible spectrum has little or no effect on light in the infrared spectrum. Second, just as different materials absorb or reflect different amounts of light in the visible spectrum, they also absorb or reflect different amounts of light in the infrared spectrum. Notably, veins become more discernible, even through skin, when viewed in this spectrum.
03. Where infrared is used today
Infrared light is currently in use in (at least) two different authentication schemes. The first is facial recognition, in which an image is captured and compared to a reference image in both the visible and near-IR spectrum. Many mobile phones, and even laptop and desktop computers, have infrared cameras for this purpose.
The second authentication method in which infrared imaging is used is vein scanning. The vein patterns in our hands and fingers are, theoretically, highly unique, and so can be scanned like a fingerprint to identify us. Vein scanning has been used in medical contexts, particularly as a way to find blood vessels during phlebotomy, or blood drawing. For instance, the AccuView AV500 scans the patient’s veins and redisplays them as an overlay on the patient’s skin.
Fujitsu and Hitachi have recently brought vein scanning authentication products to market (PalmSecure and VeinID, respectively) that identify individuals based on their unique vein patterns. Fujitsu’s PalmSecure takes a near-IR image of one’s palm at a distance of 4-6 centimeters while Hitachi’s VeinID images one’s finger placed inside a scanner pod, similar to a pulse oximeter.
It is interesting that these two products work in very different ways. The PalmSecure scanner is contactless (although there is a placement guide to assist if needed). You hold your flattened hand a few centimeters above the scanner and it will take an image of your vein pattern in the near-IR spectrum.
Right: photo taken with a 950nm high-pass filter on the camera lens
What is more illuminating (pun intended) is viewing its operation in real-time with an infrared camera. When the PalmSecure scanner is activated, four small emitters light up and flash repeatedly, ostensibly in a low-power mode that aims to detect whether a hand is present. When an object comes within range, a much larger array of emitters bathes the object in near-IR light. A camera then captures the reflected light as an image of the hand.
We do not have a Hitachi VeinID scanner to play with in the lab (aka my shelter-at-home desk), but based on its published documentation it appears to operate similarly to a pulse oximeter. It shines near-IR light down through the top of the finger and a sensor captures the light below the finger. In comparison with the PalmSecure device, which measures light reflected by the hand, the VeinID scanner captures the light not absorbed or scattered by the finger. This becomes relevant as we explore how vein scanners are able to visualize veins.
04. Background on Blood and IR absorption
Vein scanners fundamentally rely on the fact that oxygenated and deoxygenated blood absorb near-IR light differently from one another. Arteries carry oxygenated blood to the human body, while veins carry deoxygenated blood from the body back to the heart and lungs, thus concentrating deoxygenated blood in the veins.
From graphs of light absorption in hemoglobin, we can see that in the near-IR region, the absorbance of light between oxygenated (HbO2, shown in red) and deoxygenated (Hb, shown in blue) hemoglobin differs significantly. In the region between 625-700nm, which corresponds to the “red” portion of the visible spectrum, we can see that HbO2 absorbs significantly less light than Hb does. Because less red light is absorbed in HbO2, more red light is reflected, leading to a visible bright red color, whereas Hb has a darker ruddy color. We can also see that at ~850nm and above, the reverse is true, with oxygenated blood absorbing more light than deoxygenated blood.
This is, however, only part of the story. Light absorption in human tissue is a complex subject with much prior and ongoing research. Human tissue is quite good at scattering light, and the other components of blood, such as water, have other spectral characteristics. For instance, water absorbs more light at higher wavelengths.
Based purely on the spectral properties of hemoglobin, we would expect veins to reflect more light at wavelengths in the 900-1000nm range than the surrounding tissue. However, in our experiments, they still appear darker.
05. Veins: How do we get them
If we were attempting to fool a vein scanner, like Krissler and Albrecht at CCC in 2018, we would need to replicate the victim’s vein pattern. In order to replicate it, we would need to view it in the first place. As a starting point, the PalmSecure scanner provides a preview image of a palm scan during the enrollment process as a feedback mechanism to help users position their hand correctly. Here are my vein “prints” from the enrollment process.
In this image, my veins are clearly visible, but are not well defined. This makes sense, since human tissue scatters light. The other problem with these images is that they are low resolution screenshots, rather than based on the raw data being captured. Clearly, the PalmSecure scanner is post-processing the images to, at a minimum, convert the infrared images to grayscale. Ideally, we would have nice clean images like the AccuVein scanner displays. It would be nice to obtain our own images as “ground truth”.
To that end, and equipped with a home-grade attacker budget of a few hundred dollars, we purchased a Canon Rebel T7, a selection of infrared high-pass lens filters, and infrared light emitters in the 740nm, 850nm, and 940nm wavelengths.
Then, mostly following this video, we disassembled the camera and removed its infrared low-pass filter. After reassembly, we were ready to start shooting photos of some veins.
06. IR Camera and Test Setup
Going into this, we wanted to better understand both how the PalmSecure vein scanner itself worked as well as the best way to capture original vein scans. From the chart of hemoglobin absorption, we hypothesized that the 700-750nm wavelengths would be particularly promising.
However, from our initial photography of the vein scanner’s operation, we also noted that a lot of light used to illuminate the hand was visible with our 950nm high-pass filter in place on the camera. So we know the PalmSecure scanner is scanning at least partially in the 950nm+ range.
Taken with 760nm (left) and 850nm (right) filters in outdoor natural light
We also discovered that outdoor full-spectrum illuminated photos were not particularly useful. We tended to see a lot of reflection/glare that made it hard to see the veins at all.
The next step would be to target specific wavelengths and see if veins tend to be more visible using any particular combination of light source wavelength and high-pass filter.
To obtain consistent results, we mounted the camera on a tripod cardboard box and focused our light sources on a target piece of blue tape on the wall. We taped off and blocked the majority of the <740nm light from the grow lamp 740nm light emitter.
We tested each light source and filter combination with shutter speed and ISO settings set as appropriate to produce appropriately-lit photos. Aperture was set to f5.6 to take in as much light as possible since that was the limiting factor in these photos. Focus was manually adjusted, multiple shots were taken and the clearest photos were chosen for display.
For high-pass filters at 720nm, 760nm, 850nm, and 950nm (columns), and light sources of 740nm, 850nm, and 940nm (rows), we took the following images:
1/8s, ISO 1600
1/2s, ISO 3200
1s, ISO 6400
1/200s, ISO 800
1/200s, ISO 800
1/80s, ISO 800
1/20s, ISO 1600
1/20s, ISO 800
1/20s, ISO 800
1/20s, ISO 800
1/8s, ISO 800
A few things we observed:
- Our high-pass camera filters did not sharply cut off all light below the given wavelength, although they did generally reduce the amount of light below that wavelength significantly. To obtain a similarly-lit photo, we often had to use a longer shutter speed and/or higher ISO.
- The veins illuminated by the 740nm light source were the least visible, although this could also be partially due to the 740nm light source being the dimmest of the three.
- The 850nm light source was by far the brightest, and showed veins cleanly, but also appeared to produce a significant amount of glare.
- The 940nm light source appeared to produce the least glare while still adequately lighting the hand.
- As expected, use of any of the 720nm, 760nm, or 850nm filters with the 940nm light source produced near-identical images, and using the 950nm filter also produced similar images once the shutter speed was extended from 1/20s to 1/8s to accommodate.
Based on this overall observation, we determined that of our three illumination sources, the 940nm illuminator produced the best representation of a vein pattern. Using the focus sleeve on the flashlight, we attempted to narrow the beam to increase the light intensity and accentuate the vein pattern, which did seem to marginally help.
After some minor post-processing (cropping, brightness and contrast), we were able to see quite a bit of detail and a clearly defined vein pattern.
Now equipped with an understanding of infrared imaging and vein visibility in different lighting conditions, we can capture clear and detailed vein patterns as needed. If we were going to follow in Krissler and Albrecht’s footsteps and attempt to fool the PalmSecure or other scanners, this would be a great starting place to do so.
08. Takeaways and Lingering Questions
Using a DSLR camera with its infrared filter removed is a well-known technique for performing infrared imaging on the cheap, and has been used to capture images to fool vein scanners in the past. However, there has been a significant gap between conceptually understanding what infrared imaging is capable of, and truly seeing the data that face and vein scanners are operating on.
The 950-1000nm, or even higher wavelengths, may be most promising for further experiments, based on our evidence that of our three illuminators the 940nm was most suitable and the discovery that the PalmSecure scanner is emitting significant light above 950nm. Unfortunately, there don’t appear to be many consumer devices that emit light in these higher wavelengths, so one may need to break out the soldering iron to obtain a suitable light source.
Vein patterns, while more difficult to capture than facial features or fingerprints, are by no means invisible, and their secrecy should never be relied upon as part of an authenticator’s security model. It is the replication of the captured biometric that should be difficult, and as of today, this still appears to present a significant hurdle. In our testing, a simple greyscale print-out of the vein pattern we acquired looks quite different from a real hand to the PalmSecure scanner, and Krissler and Albrecht demonstrated their success only after transforming the vein pattern, printing it, and covering the print with molded wax. Today, this raises the difficulty to attack vein scanning to a level at least comparable to that of fingerprint scanning, if not higher.
In a world where infrared sensors are becoming common in authentication devices, we hope these brief experiments will serve as a starting point for further investigations in the infrared space.