nullcon 2011 - Penetration Testing a Biometric System

Penetration Testing Biometric System By FB1H2S aka Rahul Sasi http://Garage4Hackers.com http://null.co.in/ http://nullcon.net/

Who am I ? What is this paper about ? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Explaining the Risk? ,[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/ Employee Details E mployee Attendance Employee Salary

Why to audit them ? http://null.co.in/ http://nullcon.net/ I just Hacked into Biometric Attendance Register and Changed attendance and salary :D of mine and my @#$$ Student / Employee Professor / Not so good co-worker I am marked 10 days absent , what the |-|3ll is happening!

Classifying the Attacks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Biometric System Attack Vectors http://Garag4Hackers.com http://FB1H2S.com/

Biometric Systems Common Applications ,[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Attacks: The Non Technical part http://null.co.in/ http://nullcon.net/

Local Attack: Finger print sensor ,[object Object],[object Object],[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Steeling a Finger Print ,[object Object],http://null.co.in/ http://nullcon.net/

My Approach: Finger Print Logger ,[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Building Finger print logger ,[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Steps Building Logger http://null.co.in/ http://nullcon.net/

Special Points to be Considered http://null.co.in/ http://nullcon.net/

Reproducing a Fake Finger print: http://null.co.in/ http://nullcon.net/

Local Attack: USB Data Manager. ,[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Attacks: The Technical part http://null.co.in/ http://nullcon.net/

Remote Attack Vectors. http://null.co.in/ http://nullcon.net/

Remote Attack Vectors ,[object Object],[object Object],[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/

TCP/IP Implementation for Remote Management: http://null.co.in/ http://nullcon.net/

Remote Administration Implementation ,[object Object],[object Object],[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Example Attack Attacking the remote management protocol Example. ,[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Example Attack Reverse Engineering the Application ,[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Application uses COM objects which interacts with Device ,[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Example Device Command extracted ,[object Object],http://null.co.in/ http://nullcon.net/

Auditing Back End Database ,[object Object],http://null.co.in/ http://nullcon.net/

Biometric Admin/Interface (Web Based and Desktop based ) ,[object Object],[object Object],[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Nmap Script: Detecting Biometric Devices on Network: ,[object Object],[object Object],http://null.co.in/ http://nullcon.net/

Attack Videos http://null.co.in/ http://nullcon.net/

Conclusion ,[object Object],[object Object],http://null.co.in/ http://nullcon.net/

nullcon 2011 - Penetration Testing a Biometric System

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (20)

Similar to nullcon 2011 - Penetration Testing a Biometric System

Similar to nullcon 2011 - Penetration Testing a Biometric System (20)

More from n|u - The Open Security Community

More from n|u - The Open Security Community (20)

Recently uploaded

Recently uploaded (20)

nullcon 2011 - Penetration Testing a Biometric System

Editor's Notes