Penetration Testing Biometric
FB1H2S aka Rahul Sasi
Who am I?
What is this paper about?
• I am an Info Security Enthusiast
Rahul Sasi aka FB1H2S, working as a consultant.
• Active participant in Null and other computing
• A member of Garage4Hackers.
• What this paper contains?
Explaining the Risk?
• Fingerprint devices are deployed everywhere: attendance and door management.
• Advantages and Disadvantages of Bio-systems.
• The devices hold critical information.
Employee Salary
Why audit them?
I just hacked into the Biometric Attendance Register and changed attendance and salary :D of mine and my @#$$
I am marked 10 days absent, what the |-|3ll is happening!
Professor / Not so good co-worker
Student / Employee
Classifying the Attacks
Local Attacks:
• Finger Print Sensor
• USB Data Manager
Remote Attacks:
• Remote IP Management
• Back End Database
• Fingerprint Manager (Admin Interface)
Biometric System Attack Vectors
Biometric Systems Common
• Reliable attendance management systems.
• Fingerprint-guarded doors, implemented for keyless secure access.
Attacks: The Non Technical part
Local Attack: Fingerprint sensor
• Fingerprint scanners read input using two
1) Optical scanner
2) Capacitance scanner
• Fingerprint recognition systems are image matching
• Cloning a duplicate fingerprint and cheating the image recognition algorithms
Stealing a Fingerprint
• Your finger impressions fall anywhere you touch, e.g. on glass.
My Approach: Fingerprint Logger
• Biometric sensor looks like this.
• Placing a thin, low-refractive-index transparent object in front of the sensor and logging finger
Building the Fingerprint Logger
• Refraction:
• Use a thin transparent sheet with a low refractive index
• Log the victim's fingerprint using the fingerprint
Steps Building Logger
Special Points to be Considered
Reproducing a Fake Fingerprint:
Local Attack: USB Data Manager.
• Biometric devices have built-in data storage, where they store the fingerprint and user information.
• USB support allows fingerprints and other log details to be downloaded from and uploaded to the device.
• Most devices have no protection mechanism against data theft, and those that use password protection are often deployed with the default password.
Attacks: The Technical part
Remote Attack Vectors
• IP implementation for data transfer
• Biometric Management Servers
• Biometric Admin/Interface (Web based and desktop based)
• Back end Database
• Man In The Middle Attacks
TCP/IP Implementation for Remote
Remote Administration Implementation
Issues
• The remote administration capability of this device lets biometric servers authenticate to it and manage it remotely.
• We are completely unaware of the management protocol used, as the program is embedded in the Biometric MIPS
Solutions
• The admin application knows everything about the remote device, so if we can get a copy of that application it will tell us everything we want.
Example Attack
Attacking the remote management protocol: example.
• Situation: The remote administration implementation is unknown.
• Footprinting: the label on the biometric device reveals which company marketed or built the product.
• Download a copy of the remote management software from the vendor's site.
Reverse Engineering the Application
• Reflector was used to decompile the .NET application
• Identified the device's TCP/IP communication settings: it uses port 4370 to communicate
The application uses COM objects that interact with the device
• IDA was used to disassemble the COM objects
• Disassembling the imported functions shows the communication details
Example device command extracted
• Commands to set the device time remotely
Auditing the Back-End Database
• From the disassembly we were able to find the local database password file and encryption key hard-coded in the
Biometric Admin/Interface (Web based and desktop based)
• Another possible point of attack is the admin interface; these are either desktop based or web
• Desktop-based applications are common, and interacting with them requires local privileges on the biometric server.
• But web-based admin panels could be attacked from
• So checking those modules for application vulnerabilities could also help.
Nmap Script: Detecting Biometric Devices on
How to detect these devices on the network for attacking?
Nmap Script Output.
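The author's Nmap script is not reproduced on this page; as an added example (not the author's code), the Python helper below post-processes a standard Nmap XML scan (`-oX`) and lists every host reported with tcp/4370 open, the management port identified in the reverse-engineering slides, so those hosts can be pulled into the audit scope. The port number comes from the slides; the sample scan XML is constructed for illustration.

```python
"""Flag hosts with TCP/4370 open in Nmap XML output, as candidates for the
biometric-device audit scope.

Port 4370 is the management port identified in the slides; the XML layout is
Nmap's standard -oX format.  The sample XML below is constructed for
illustration and is not a real scan result.
"""
import xml.etree.ElementTree as ET

BIOMETRIC_MGMT_PORT = 4370  # management port reported in the slides

# Constructed sample: two hosts, only the first listens on tcp/4370.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="4370"><state state="open"/></port>
      <port protocol="tcp" portid="80"><state state="open"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="4370"><state state="closed"/></port>
      <port protocol="tcp" portid="22"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>
"""


def candidate_devices(nmap_xml: str, port: int = BIOMETRIC_MGMT_PORT) -> list:
    """Return the IPv4 addresses whose tcp/<port> is reported as open."""
    root = ET.fromstring(nmap_xml)
    found = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for p in host.findall("ports/port"):
            if p.get("protocol") == "tcp" and int(p.get("portid")) == port:
                state = p.find("state")
                if state is not None and state.get("state") == "open":
                    found.append(addr.get("addr"))
    return found


if __name__ == "__main__":
    for ip in candidate_devices(SAMPLE_NMAP_XML):
        print(f"{ip}: tcp/{BIOMETRIC_MGMT_PORT} open -> add to biometric audit scope")
```

An open tcp/4370 only marks a host as a candidate; confirm it is actually the biometric device (device label, vendor software) before treating it as in scope.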
Attack Videos
• The risks and vulnerabilities associated with biometric devices are explained.
• This shows the necessity of including these devices in the scope of a network audit.