nullcon 2011 - Penetration Testing a Biometric System
Penetration Testing a Biometric System by Rahul Sasi

Published in: Technology

    1. Penetration Testing a Biometric System
       By FB1H2S aka Rahul Sasi
       http://Garage4Hackers.com http://null.co.in/ http://nullcon.net/
    2. Who am I? What is this paper about?
       • I am an Info Security Enthusiast: http://fb1h2s.com
       • Rahul Sasi aka FB1H2S, working as a consultant.
       • http://www.aaatechnologies.co.in
       • Active participant in Null and other computing groups.
       • A member of Garage4Hackers.
       • http://www.Garage4Hackers.com
       • What does this paper contain?
    3. Explaining the Risk
       • Fingerprint readers are deployed everywhere, for attendance and door management.
       • Advantages and disadvantages of biometric systems.
       • The devices hold critical information.
       (Diagram: Employee Details, Employee Attendance, Employee Salary)
    4. Why Audit Them?
       (Cartoon) Student / Employee: "I just hacked into the biometric attendance register and changed the attendance and salary :D of mine and my @#$$."
       Professor / Not-so-good co-worker: "I am marked 10 days absent, what the |-|3ll is happening!"
    5. Classifying the Attacks
       • Local attacks:
         • Fingerprint sensor
         • USB data manager
       • Remote attacks:
         • Remote IP management
         • Back-end database
         • Fingerprint manager (admin interface)
    6. Biometric System Attack Vectors (diagram slide)
       http://Garag4Hackers.com http://FB1H2S.com/
    7. Biometric Systems: Common Applications
       • Reliable attendance management systems.
       • Fingerprint-guarded doors, deployed for keyless secure access.
    8. Attacks: The Non-Technical Part
    9. Local Attack: Fingerprint Sensor
       • Fingerprint scanners read input using one of two methods:
         1) Optical scanner (images the ridge pattern with light)
         2) Capacitance scanner (senses ridges and valleys through the capacitance of the skin against its electrodes)
       • Fingerprint recognition systems are image-matching algorithms.
       • Cloning a duplicate fingerprint cheats the image-matching algorithm.
    10. Stealing a Fingerprint
        • Your fingerprints are left on anything you touch, e.g. a glass.
    11. My Approach: Fingerprint Logger
        • The biometric sensor looks like this. (image)
        • Place a thin, transparent sheet of low refractive index over the sensor and log the fingerprints pressed onto it.
    12. Building the Fingerprint Logger
        • Refraction: use a thin transparent sheet with a low refractive index, so the optical sensor still reads the finger through it while the sheet retains the print.
        • Log the victim's fingerprint using the fingerprint logger.
        • This trick targets optical scanners, which image through the sheet; it does not carry over to capacitance scanners.
    13. Steps: Building the Logger (image slide)
    14. Special Points to Be Considered (image slide)
    15. Reproducing a Fake Fingerprint (image slide)
    16. Local Attack: USB Data Manager
        • Biometric devices have built-in storage where the fingerprint templates and user information are kept.
        • USB support is provided to download and upload fingerprints and log details to and from the device.
        • Most devices have no protection mechanism against data theft, and those that use password protection are often deployed with the default password. Audit check: try the vendor's documented default on the USB export function before anything else.
    17. Attacks: The Technical Part
    18. Remote Attack Vectors
    19. Remote Attack Vectors
        • IP implementation for data transfer
        • Biometric management servers
        • Biometric admin interface (web-based and desktop-based)
        • Back-end database
        • Man-in-the-middle attacks
    20. TCP/IP Implementation for Remote Management (diagram slide)
    21. Remote Administration Implementation
        Issues
        • The device's remote administration capability lets biometric servers authenticate to it and manage it remotely.
        • The management protocol is unknown to us, because the program that speaks it is embedded in the MIPS-based device.
        Solutions
        • The admin application knows everything about the remote device, so a copy of that application will tell us everything we want to know.
    22. Example Attack: Attacking the Remote Management Protocol
        • Situation: the remote administration implementation is unknown.
        • Footprinting: the label on the biometric device reveals which company built or markets the product.
        • Download a copy of the remote management software from the vendor's site.
    23. Example Attack: Reverse Engineering the Application
        • Reflector was used to decompile the .NET application.
        • The device's TCP/IP settings were recovered from it: the device communicates on port 4370.
    24. The Application Uses COM Objects to Interact with the Device
        • IDA was used to disassemble the COM objects.
        • Disassembling the imported functions shows the communication details.
    25. Example Device Command Extracted
        • Commands to set the device time remotely (screenshot). A remotely writable clock is itself an attendance-tampering primitive, since punches are stamped with the device's time.
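Slides 21 to 25 recover the management protocol by reverse engineering the admin application. A complementary route, and the man-in-the-middle position listed on slide 19, is to put a logging relay between the vendor's admin application and the device: point the application at the relay's address, trigger an action such as setting the time, and read the command bytes off the capture. The script below is an added example written for this page, not code from the talk; it assumes the admin application can be pointed at an arbitrary address, and the echoing "device" is a constructed stand-in so that the script runs offline.

```python
"""Logging TCP relay between the admin application and the device.
Added example (not the talk's code); the echo 'device' is a constructed stand-in."""
import socket
import threading

MGMT_PORT = 4370  # port the reversed admin application uses (slide 23)


class LoggingRelay:
    """Accept admin-app connections, open a matching connection to the real device,
    and pump bytes both ways, appending (direction, bytes) to self.log.
    'C->D' is client (admin app) to device, 'D->C' the reverse."""

    def __init__(self, device_addr, listen_host="127.0.0.1", listen_port=0):
        self.device_addr = device_addr
        self.log = []
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind((listen_host, listen_port))
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:  # listener closed
                return
            try:
                device = socket.create_connection(self.device_addr, timeout=5)
            except OSError:
                client.close()
                continue
            for src, dst, way in ((client, device, "C->D"), (device, client, "D->C")):
                threading.Thread(target=self._pump, args=(src, dst, way), daemon=True).start()

    def _pump(self, src, dst, direction):
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                with self._lock:
                    self.log.append((direction, data))  # record before forwarding
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)  # pass the EOF along to the other side
            except OSError:
                pass

    def close(self):
        self._srv.close()


def hexdump(direction, data):
    """One-line hex and ASCII rendering of a logged chunk."""
    hexpart = " ".join("%02x" % b for b in data)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return "%s %3d bytes: %s  |%s|" % (direction, len(data), hexpart, text)


def start_echo_device(host="127.0.0.1"):
    """Constructed stand-in for the device: echoes its input. Returns (port, close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def echo(conn):
        with conn:
            chunk = conn.recv(4096)
            while chunk:
                conn.sendall(chunk)
                chunk = conn.recv(4096)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


def capture_exchange(relay_port, payload):
    """Act as the admin app: send one command through the relay and return the reply."""
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
        c.sendall(payload)
        return c.recv(4096)


if __name__ == "__main__":
    dev_port, stop_device = start_echo_device()
    relay = LoggingRelay(("127.0.0.1", dev_port))
    reply = capture_exchange(relay.port, b"\x00\x01SET_TIME?")  # hypothetical bytes, not the real command
    for entry in relay.log:
        print(hexdump(*entry))
    relay.close()
    stop_device()
```

Against a real device the relay would listen on 4370 and be given the device's address as `device_addr`; the admin application is then pointed at the relay host, and each action performed in the GUI shows up in `relay.log` as the exact bytes the device accepted, which is what the disassembly on slides 23 to 25 is ultimately after.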
    26. Auditing the Back-End Database
        • Disassembly revealed the local database password file and the encryption key hard-coded in the application.
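The finding on slide 26, a database password and an encryption key hard-coded in the client, is the kind of thing a string triage over the binary turns up before any decompilation. The script below is an added example, not the author's tooling; it scans both ASCII and UTF-16LE runs because .NET string literals are stored as UTF-16LE and an ASCII-only `strings` pass misses them, and the sample binary is constructed for the demo rather than taken from any vendor.

```python
"""Triage a client binary for hard-coded credentials and keys.
Added example; SAMPLE_BINARY is constructed, not a real vendor file."""
import re

MIN_LEN = 6

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Triage patterns: deliberately loose, a human reviews the hits.
SECRET_PATTERNS = [
    ("connection-string", re.compile(r"(?i)(?:password|pwd)\s*=\s*[^;\s]+")),
    ("db-credentials", re.compile(r"(?i)(?:user id|uid)\s*=\s*[^;\s]+")),
    ("key-literal", re.compile(r"(?i)(?:key|secret|passphrase)\s*[:=]\s*\S{8,}")),
]


def extract_strings(blob):
    """Yield (offset, encoding, text) for every printable run of at least MIN_LEN chars,
    first the ASCII runs, then the UTF-16LE runs a .NET assembly keeps in its #US heap."""
    for m in _ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in _UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_secrets(blob):
    """Return hits as {'offset', 'encoding', 'type', 'string'}; the first matching
    pattern wins, so one string yields one hit."""
    hits = []
    for offset, encoding, text in extract_strings(blob):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(text):
                hits.append({"offset": offset, "encoding": encoding, "type": label, "string": text})
                break
    return hits


def redact(text):
    """Mask secret values so a finding can go into a report without copying the secret."""
    return re.sub(r"(?i)((?:password|pwd|key|secret|passphrase)\s*[:=]\s*)[^;\s]+", r"\1****", text)


# Constructed sample: a PE-like header, an innocuous ASCII string, an ASCII key
# literal, and a UTF-16LE connection string of the kind a .NET client embeds.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"Copyright (c) vendor attendance client\x00"
    + b"EncryptionKey=7f3a9c1e5b2d8046\x00\x00"
    + "Data Source=.\\SQLEXPRESS;Initial Catalog=Attendance;User ID=sa;Password=S3cret!".encode("utf-16le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_BINARY):
        print("0x%06x %-8s %-17s %s" % (hit["offset"], hit["encoding"], hit["type"], redact(hit["string"])))
```

Run it over the admin application's assemblies and the COM DLLs from slide 24 (`find_secrets(open(path, "rb").read())`); a hit of type `connection-string` with a literal password, or a `key-literal`, is exactly the hard-coded secret slide 26 describes, and `redact` keeps the value out of the written report.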
    27. Biometric Admin Interface (Web-Based and Desktop-Based)
        • Another possible point of attack is the admin interface, which is either desktop-based or web-based.
        • Desktop-based applications are common, and interacting with them requires local privileges on the biometric server.
        • Web-based admin panels, however, can be attacked from outside.
        • So an application-level check of those modules for web application vulnerabilities also helps.
    28. Nmap Script: Detecting Biometric Devices on the Network
        • How to detect these devices on the network for attacking?
        • Nmap script output (screenshot).
    29. Attack Videos (video slide)
    30. Conclusion
        • The risks and vulnerabilities associated with biometric devices have been explained.
        • This shows the necessity of bringing these devices into the scope of a network audit.
