The Inquirer-Home

How to hack biometrics

Defcon 2005: Not as hard as you might think
Sat Jul 30 2005, 16:58
The first talk of the day was called 'Attacking Biometric Access Control Systems' by Zamboni, a man who looked nothing like a real zamboni. What it described were the nine places to attack a biometric control system, and a little on how to do it.

The grand scheme of it all is that there are several places to attack: the sensor, the feature extractor, the storage computer and the comparison unit. You can also attack the communication between these points, be it traces on a circuit board or a network link.

The process works like this: you enroll in the system, which usually means you put your finger on the sensor, and it takes pictures of the fingerprint until the gizmo has enough information to do its job. This is then sent to the feature extractor, where a mathematical model is built in a form the computer understands. That is then passed along to the storage point, where it sits and waits.

When you come in and place your finger on the sensor, it takes a picture and passes it to the extractor. A new model is made there, and that is sent to the comparison unit. If it thinks you are a reasonable, but not necessarily exact, match for the stored template, it authorizes you.

There are several problems with this, and each point is vulnerable to one or several types of attack. The most obvious is social engineering: you bat your eyelids, strike a provocative pose, and the underpaid security guard lets you in anyway. Barring that, or the janitor leaving the side door propped open so you can walk around the multi-million dollar security setup while you are working at a site, they are pretty secure. The AT&T Redwood City datacenter failed the 'janitor test' three nights in a row when I was last there, and the guard was putty in my hands after six donuts on the first night. Luckily, I was there legally; the entry process just annoyed me, so I went around it.

If you are not so skilled, or have $2 to blow on donuts, you need to be a little more cunning. One of the most obvious ways is to fake the data, i.e. put a gummy bear finger with a legitimate fingerprint on it in the sensor. Attacks like this can work well. You can also tap the data going from the sensor to the extractor; in many cases this is sent in the clear over a TCP/IP link to a remote machine. You capture this data and replay it when you want to get in. The sad part is that most devices do not add a timestamp or sequence number, and have no authentication, much less encryption; the extractor just trusts the sensor. Stupid, stupid, stupid, stupid.
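To make the replay point concrete from the defender's side, here is an added example (not code from the talk, the article or any vendor) of the sensor-to-extractor link done the way the paragraph says most devices do not do it: each capture carries a sequence number and a timestamp and is authenticated with an HMAC under a key shared between the sensor and the extractor. The key, the sensor name `door-7-sensor`, the 30-second clock-skew window and the template bytes are all constructed for the demo; a real deployment would provision a per-device key at installation.

```python
import hashlib
import hmac
import json

# Constructed demo key: a real deployment provisions a distinct key per sensor
# at installation time and never hard-codes one.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
DEMO_SENSOR_ID = "door-7-sensor"   # hypothetical device name
CLOCK_SKEW_SECONDS = 30            # how stale a capture may be before it is refused


def _mac(key, body):
    """HMAC-SHA256 over a canonical JSON encoding of the message body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class Sensor:
    """Sensor side: every capture carries a monotonic sequence number, a
    timestamp and a MAC, so the extractor can tell a fresh capture from a
    recorded one."""

    def __init__(self, sensor_id, key):
        self.sensor_id = sensor_id
        self.key = key
        self.seq = 0

    def capture(self, template_hex, now):
        self.seq += 1
        body = {"sensor": self.sensor_id, "seq": self.seq,
                "ts": now, "template": template_hex}
        return {"body": body, "mac": _mac(self.key, body)}


class Extractor:
    """Extractor side: authenticate first, then enforce freshness."""

    def __init__(self, keys):
        self.keys = keys        # sensor_id -> shared key
        self.last_seq = {}      # sensor_id -> highest sequence number accepted

    def accept(self, msg, now):
        body = msg.get("body") or {}
        sensor_id = body.get("sensor")
        key = self.keys.get(sensor_id)
        if key is None:
            return "unknown sensor"
        # Nothing in the body is trusted until the MAC checks out; a missing
        # or wrong MAC (an unauthenticated legacy-style message) fails here.
        if not hmac.compare_digest(msg.get("mac", ""), _mac(key, body)):
            return "bad mac"
        # A recorded capture resent later carries a sequence number already seen.
        if body["seq"] <= self.last_seq.get(sensor_id, 0):
            return "replayed sequence"
        # A capture held back and delivered much later fails the time window.
        if abs(now - body["ts"]) > CLOCK_SKEW_SECONDS:
            return "stale timestamp"
        self.last_seq[sensor_id] = body["seq"]
        return "accepted"


def run_demo():
    """Returns the extractor's verdict for a sequence of constructed messages."""
    sensor = Sensor(DEMO_SENSOR_ID, DEMO_KEY)
    extractor = Extractor({DEMO_SENSOR_ID: DEMO_KEY})
    t0 = 1_000_000
    template = "cafe0123"   # constructed stand-in for an extracted template
    results = []

    first = sensor.capture(template, t0)
    results.append(extractor.accept(first, t0 + 1))    # fresh capture
    results.append(extractor.accept(first, t0 + 5))    # the same bytes resent

    second = sensor.capture(template, t0 + 10)
    forged = {"body": dict(second["body"], template="dead0000"),
              "mac": second["mac"]}
    results.append(extractor.accept(forged, t0 + 11))  # body edited, MAC stale
    results.append(extractor.accept(second, t0 + 11))  # the untouched capture

    third = sensor.capture(template, t0 + 20)
    results.append(extractor.accept(third, t0 + 3620))  # delivered an hour late
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The order of the checks matters: the MAC is verified before the sequence number or timestamp is read, so an unauthenticated message cannot influence the replay state, and the sequence counter is only advanced for captures that passed every check. Encrypting the link would additionally stop the template itself from being read off the wire, but authentication and freshness are what defeat the capture-and-replay the talk describes.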

Moving right along, you get to the 'back end' systems. Most of these are woefully insecure Windows or Linux boxes, and are fairly easy targets. Why bother making gummy digits for non-sexual purposes when you can just crack the database? If you can put your fingerprint in the database, or set it to enroll you on the next attempt, why bother prying sensors off the wall? If you can drop the confidence level on the comparison unit from 95% to 10%, you probably match someone in the system. These attacks also have the bonus of not denying legitimate users access, so you don't set off alarm bells.

A lot of the attacks on the back end are fairly generic and are eased greatly by companies being lazy. Many use the Lantronix Micro100 serial server to control the data flow over the network. While this may be a fine controller, if you send any packet to port 30718, it crashes the server to the point where it has to be sent back to Lantronix for reflashing. Zamboni said that only one vendor tested had shut this down; the rest melted with nothing more than a port scan.

This would not allow you to break in directly, but it would shut the system down, probably to the point where it would need to be taken offline. The measures put in place to make up for that mean you are only a half dozen donuts away from free access.

What it all comes down to is 'know your enemy'. Most systems have a common part or two: there are only a few fingerprint sensor makers out there, and their parts get repackaged a lot. If a vulnerability is found in company ABC's product, you can be pretty sure that company XYZ is also vulnerable, because they use the same pieces.

Know the protocols used; most are publicly available to one extent or another on the web. If they are not, you can get most of the pieces on eBay for not all that much money. A little experimentation, and you are off to the races and through the intensive biometric security at the gate with nothing more than a smile, some donuts, a gummy finger and a little hacking when no one is looking. Biometrics are nowhere near as secure as you think. µ
