Penetration Testing Biometric System
By FB1H2S aka Rahul Sasi
http://Garage4Hackers.com
http://null.co.in/
http://nullcon.net/
Who am I?
• I am an Info Security Enthusiast: http://fb1h2s.com
• Rahul Sasi aka FB1H2S, working as a consultant: http://www.aaatechnologies.co.in
• Active participant of Null and other computing groups.
• A member of Garage4Hackers: http://www.Garage4Hackers.com
What is this paper about?
• What this paper contains.
Explaining the Risk
• Fingerprint devices are deployed everywhere, for attendance and door management.
• Advantages and disadvantages of bio-systems.
• The devices hold critical information.
[Diagram: the device links an Employee to Employee Details, Attendance and Employee Salary]
Why Audit Them?
Professor / not-so-good co-worker: "I just hacked into the biometric attendance register and changed attendance and salary :D of mine and my @#$$"
Student / Employee: "I am marked 10 days absent, what the |-|3ll is happening!"
Classifying the Attacks
Local Attacks:
• Finger Print Sensor
• USB Data Manager
Remote Attacks:
• Remote IP Management
• Back End Database
• Finger Print Manager (Admin Interface)
Biometric System Attack Vectors
Biometric Systems: Common Applications
• Reliable attendance management systems.
• Fingerprint-guarded doors, implemented for keyless secure door access.
Attacks: The Non Technical part
Local Attack: Fingerprint Sensor
• Fingerprint scanners read input using two methodologies:
1) Optical scanner
2) Capacitance scanner
• Fingerprint recognition systems are image-matching algorithms.
• Cloning a duplicate fingerprint and fooling the image-recognition algorithm.
Stealing a Fingerprint
• Your finger impressions fall anywhere you touch, e.g. on glass.
My Approach: Fingerprint Logger
• A biometric sensor looks like this.
• Placing a thin, low-refractive-index transparent object in front of the sensor and logging fingerprints.
Building the Fingerprint Logger
• Refraction:
• Use a thin transparent sheet with a low refractive index.
• Log the victim's fingerprint using the fingerprint logger.
Steps Building Logger
Special Points to be Considered
Reproducing a Fake Finger print:
Local Attack: USB Data Manager
• Biometric devices have built-in data storage, where they store the fingerprints and user information.
• USB support is provided in order to download and upload fingerprints and other log details to and from the device.
• Most of the devices have no protection mechanism at all against data theft, and those that use password protection are often deployed with the default password.
Attacks: The Technical part
Remote Attack Vectors.
Remote Attack Vectors
• IP implementation for data transfer
• Biometric Management Servers
• Biometric Admin Interface (web based and desktop based)
• Back-end database
• Man-in-the-middle attacks
TCP/IP Implementation for Remote Management:
Remote Administration Implementation
Issues:
• The remote administration capability of this device lets biometric servers authenticate to it and manage it remotely.
• We are completely unaware of the management protocol used, as the program is embedded in the biometric MIPS device.
Solutions:
• The admin application knows everything about the remote device, so if we can get a copy of that application it will tell us everything we want to know.
Example Attack
Attacking the remote management protocol: example.
• Situation: the remote administration implementation is unknown.
• Footprinting: the label on the biometric device reveals which company marketed or built the product.
• Download a copy of the remote management software from the vendor's site.
Example Attack
Reverse Engineering the Application
• Reflector was used to decompile the .NET application.
• The TCP/IP settings the device uses for communication were identified: it communicates on port 4370.
The application uses COM objects which interact with the device
• IDA was used to disassemble the COM objects.
• Disassembling the imported functions shows the communication details.
Example Device Command extracted
• Commands to set the device time remotely
Auditing the Back-End Database
• From the disassembly we were able to find the local database password file and the encryption key hardcoded in the application.
Biometric Admin Interface (Web Based and Desktop Based)
• Another possible point of attack is the admin interface; these are either desktop based or web based.
• Desktop-based applications are common, and interacting with them requires local privileges on the biometric server.
• Web-based admin panels, however, could be attacked from outside.
• So an application-security check of those modules for web application vulnerabilities also helps.
Nmap Script: Detecting Biometric Devices on the Network
How to detect these devices on the network for attacking?
Nmap Script Output.
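As an added example, not part of the original slides or the author's Nmap script, the following Python takes the port identified during reverse engineering (TCP 4370) and applies it from the defender's side: it builds an inventory of biometric devices from a firewall flow log and flags management connections from any host other than the approved biometric server, which is the footprint a man-in-the-middle or rogue-management attempt from the "Remote Attack Vectors" slide would leave. The log format, addresses and the allowed-server list are constructed assumptions.

```python
# Added example (not from the original slides): flag biometric-device
# management traffic on TCP 4370 in a firewall/flow log.
# Log format, IP addresses and the allow-list are constructed for the demo.
import re
from collections import defaultdict

BIOMETRIC_MGMT_PORT = 4370          # port found in the slides
# Assumption: only this host is an authorised biometric management server.
ALLOWED_MGMT_SERVERS = {"10.0.5.10"}

# Constructed format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)

SAMPLE_LOG = """\
2024-01-01T08:00:01 10.0.5.10:51002 -> 10.0.7.21:4370 TCP ALLOW
2024-01-01T08:00:02 10.0.5.10:51003 -> 10.0.7.22:4370 TCP ALLOW
2024-01-01T08:05:17 10.0.9.77:40122 -> 10.0.7.21:4370 TCP ALLOW
2024-01-01T08:06:00 10.0.9.77:40123 -> 10.0.7.22:4370 TCP ALLOW
2024-01-01T08:07:30 10.0.9.77:40124 -> 10.0.7.23:4370 TCP DENY
2024-01-01T08:10:00 10.0.5.10:51010 -> 10.0.7.21:80 TCP ALLOW
"""

def parse_flows(text):
    """Parse flow-log lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            flows.append(d)
    return flows

def biometric_devices(flows):
    """Inventory: hosts that accepted a connection on the management port."""
    return sorted({f["dst"] for f in flows
                   if f["dport"] == BIOMETRIC_MGMT_PORT and f["action"] == "ALLOW"})

def unauthorised_mgmt(flows, allowed=ALLOWED_MGMT_SERVERS):
    """Alert: non-approved sources reaching the management port.
    Denied attempts are kept too, since the attempt itself is the signal."""
    hits = defaultdict(set)
    for f in flows:
        if f["dport"] == BIOMETRIC_MGMT_PORT and f["src"] not in allowed:
            hits[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    fl = parse_flows(SAMPLE_LOG)
    print("biometric devices seen:", biometric_devices(fl))
    print("unauthorised management sources:", unauthorised_mgmt(fl))
```

The inventory output is what an Nmap sweep of port 4370 should agree with; any device the log shows but the audit scope omits belongs in the scope.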
Attack Videos
Conclusion
• The risks and vulnerabilities associated with biometric devices have been explained.
• This shows the necessity of including these devices in the scope of a network audit.