nullcon 2011 - Penetration Testing a Biometric System

Penetration Testing a Biometric System by Rahul Sasi

© All Rights Reserved

nullcon 2011 - Penetration Testing a Biometric System Presentation Transcript

  • 1. Penetration Testing Biometric System By FB1H2S aka Rahul Sasi
  • 2. Who am I? What is this paper about?
    • I am an Info Security Enthusiast
    • Rahul Sasi aka FB1H2S, working as a consultant.
    • Active participant of Null and other computing groups.
    • A member of Garage4Hackers.
    • What does this paper contain?
  • 3. Explaining the Risk
    • Finger print systems are deployed everywhere, for attendance and door management.
    • Advantages and Disadvantages of Bio-systems.
    • The devices hold critical information: employee details, employee attendance, employee salary.
  • 4. Why to audit them?
    • "I just Hacked into Biometric Attendance Register and Changed attendance and salary :D of mine and my @#$$"
    • Student / Employee
    • Professor / Not so good co-worker
    • "I am marked 10 days absent, what the |-|3ll is happening!"
  • 5. Classifying the Attacks
    • Local Attacks:
    • Finger Print Sensor
    • USB Data Manager
    • Remote Attacks:
    • Remote IP Management
    • Back End Database
    • Finger Print Manager (Admin Interface)
  • 6. Biometric System Attack Vectors
  • 7. Biometric Systems Common Applications
    • Reliable attendance managing system.
    • Biometric Finger print guarded doors, implemented for keyless secure access to doors.
  • 8. Attacks: The Non Technical part
  • 9. Local Attack: Finger print sensor
    • Finger print scanners read input using two methodologies:
    • 1) Optical scanner
    • 2) Capacitance scanner
    • Finger print recognition systems are image matching algorithms
    • Cloning a duplicate finger print and cheating the image recognition algorithms
  • 10. Stealing a Finger Print
    • Your finger impressions are left anywhere you touch, e.g. on glass.
  • 11. My Approach: Finger Print Logger
    • Biometric sensor looks like this.
    • Placing a thin transparent object with a lower refractive index in front of the sensor and logging finger prints.
  • 12. Building Finger print logger
    • Refraction:
    • Use a thin transparent sheet with a lower refractive index
    • Log the victim's fingerprint using the finger print logger
  • 13. Steps Building Logger
  • 14. Special Points to be Considered
  • 15. Reproducing a Fake Finger print:
  • 16. Local Attack: USB Data Manager.
    • Biometric devices have inbuilt data storage, where they store the finger prints and user information.
    • USB support is provided in order to download and upload finger prints and other log details to and from the device.
    • Most of the devices do not employ any protection mechanism to prevent data theft, and those which use password protection are often deployed with the default password.
  • 17. Attacks: The Technical part
  • 18. Remote Attack Vectors.
  • 19. Remote Attack Vectors
    • IP implementation for data transfer
    • Biometric Management Servers
    • Biometric Admin/Interface (Web Based and Desktop based )
    • Back end Database
    • Man In The Middle Attacks
  • 20. TCP/IP Implementation for Remote Management:
  • 21. Remote Administration Implementation
    • Issues
    • The remote administration capability of this device lets biometric servers authenticate to it and manage it remotely.
    • We are completely unaware of the management protocol used, as the program is embedded in the Biometric MIPS device.
    • Solutions
    • The admin application knows everything about the remote device, so if we can get a copy of that application it will tell us everything we want.
  • 22. Example Attack: Attacking the remote management protocol
    • Situation: The remote administration implementation is unknown.
    • Footprinting: The label on the Biometric device will reveal which company has marketed or built that product.
    • Download a copy of the remote management software from the vendor site
  • 23. Example Attack: Reverse Engineering the Application
    • Reflector used to disassemble the .Net application
    • Detected the TCP/IP settings the device uses for communication; it uses port 4370 to communicate
  • 24. Application uses COM objects which interact with the Device
    • IDA used for disassembling the COM objects
    • Disassembling the import functions shows the communication details
  • 25. Example Device Command extracted
    • Commands to set the device time remotely
  • 26. Auditing Back End Database
    • By disassembling we were able to find the local database password file and the encryption key hardcoded in the application.
  • 27. Biometric Admin/Interface (Web Based and Desktop based)
    • Another possible point of attack is the admin interface; these are either desktop based or web based.
    • Desktop based applications are common, and interacting with them requires local privileges on the Biometric server.
    • But web based admin panels could be attacked from outside.
    • So checking those modules for application vulnerabilities could also help.
  • 28. Nmap Script: Detecting Biometric Devices on Network:
    • How to detect these devices on the network for attacking?
    • Nmap Script Output.
  • 29. Attack Videos
  • 30. Conclusion
    • The risks and vulnerabilities associated with Biometric Devices are explained.
    • This shows the necessity of including these devices in the scope of a Network Audit.
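
Added example, not part of the original slides: slide 23 reports that the devices are managed over port 4370, so a network audit can use flow records to list every host receiving traffic on that port and to flag management traffic from anything other than the authorised biometric server. The flow record format, the addresses and the allowlist below are constructed assumptions.

```python
import csv
import io
import ipaddress

MGMT_PORT = 4370  # device management port reported on slide 23
# Assumption: the only host allowed to manage the devices (constructed address).
ALLOWED_MANAGERS = [ipaddress.ip_network("10.20.0.5/32")]

# Constructed flow records: time, source, destination, destination port, protocol.
SAMPLE_FLOWS = """\
2011-02-25T09:00:01,10.20.0.5,10.20.8.11,4370,tcp
2011-02-25T09:03:44,10.20.3.77,10.20.8.11,4370,tcp
2011-02-25T09:05:10,10.20.3.77,10.20.1.9,443,tcp
2011-02-25T09:07:29,10.20.0.5,10.20.8.12,4370,tcp
2011-02-25T09:12:02,192.0.2.50,10.20.8.12,4370,tcp
truncated,record
"""


def audit_flows(flow_text):
    """Return (devices, alerts, skipped) for traffic to the management port.

    devices: hosts that received management traffic (audit-scope inventory).
    alerts:  flows to the management port from sources outside the allowlist.
    skipped: malformed records, counted so gaps in the log are visible.
    """
    devices, alerts, skipped = set(), [], 0
    for row in csv.reader(io.StringIO(flow_text)):
        try:
            ts, src, dst, dport, proto = (field.strip() for field in row)
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)  # validate the destination as well
            port = int(dport)
        except ValueError:
            skipped += 1
            continue
        if port != MGMT_PORT:
            continue
        devices.add(dst)
        if not any(src_ip in net for net in ALLOWED_MANAGERS):
            alerts.append({"time": ts, "src": src, "device": dst, "proto": proto})
    return sorted(devices), alerts, skipped


if __name__ == "__main__":
    devices, alerts, skipped = audit_flows(SAMPLE_FLOWS)
    print("devices in audit scope:", devices)
    for alert in alerts:
        print("unauthorised management traffic:", alert)
    print("malformed records skipped:", skipped)
```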