Pages

Subscribe:

Penetration Testing Biometric System: Part 1 Local Attacks


Presented in Nullcon 2011: http://nullcon.net/
Greetz to: B0Nd,Eberly,Wipu,Neo,Vinnu,prashant(null),sud0,Sag ar,rohith,Nishant, atul, r4scal, SmartKD, beenu, d4rkdawn and all Null Members
Special Thanks to: the_empty, 41w4rior, d4rkest,Abishek Dutta, w3bdevil,

PDF: http://www.fb1h2s.com/Null_Biometrics.pdf
PPT: http://www.fb1h2s.com/nullcon-Presen...biometrics.rar 


Abstract: This paper act as a guide explaining the necessity of including Biometric-Devices in the scope of a network audit and the procedures that could be used for Security auditing one such system. The paper explains both local and remote attacks and the procedures to carry out vulnerability detection, exploitation and reporting. 
Introduction: Biometric Fingerprint system is rapidly developing and the no of Biometric systems deployed is increasing day by day along with the amount of vital information it is holding. And this brings the necessity of including these devices on to the list of devices subjected to a Penetration Testing/Security Auditing. 

Biometric Fingerprint systems have several advantages over classical methods based on password and ID cards. These systems are considered effective and fast. The advantages of this system over traditional systems are very high. In spite of the many advantages biometric systems got few draw-backs like a)Your finger print is not a secret eg: any one could have a copy of your finger print b) it’s a onetime password once stolen cannot be reset to a new value. Furthermore the different attack vectors of a biometric system are numbered and mentioned in diagram.



Diagram fb1_01 explains the various possible points of attack, and these would be the areas this research would be concentrating on. On basis of the attack methodology we have categorized the attacks into Local and Remote attacks.

Local Attacks:
1) Finger Print Sensor 
2) USB Data Manager

Remote Attacks:

3) Remote IP Management
4) Back End Database
5) Finger Print Manager (Admin Interface) 

The above mentioned architecture and attacking vectors would be same for all Biometric implementation. Biometric Finger print scanners application are varied and we will discuss on the following deployments, 
• Biometric Attendance Management System used to automate a reliable attendance managing system.
• Biometric Finger print guarded doors, implemented for keyless secure access to doors.



Biometrics: The Non Technical part:

Local Attack: Finger print sensor
Finger print scanners read input using two methodologies:
1) Optical scanner
2) Capacitance scanner

Optical Scanner are most widely used ones and the main part of it are the CCD[charge coupled device ], these are simply an array of light-sensitive diodes called photosites, which generate an electrical signal in response to light photons. Each photosite records a pixel, a tiny dot representing the light that hit that spot. Collectively, the light and dark pixels form an image of the scanned finger print. So the theory says that if a similar image of finger print is placed in front the scanner we would be able to bypass them. This theory is practically not easy as the problems we would have to face would be the validation of the machine in order to differentiate between a real and valid image by checking the average pixel darkness, or the overall values in a small sample by rejecting the scan if the overall image is too dark or too light. One part of this paper would be reproducing two dimensional images of a fingerprint.




Capacitance Scanners work on the principle of capacitance. It relies on the properties of flesh and air to measure differences in capacitance on the scanner when the finger is placed upon the scanner. Certain systems along with capacitance checks blood flow, temperature, and even simulate human sweat. 
One advantage of capacitance scanners over optical scanners is the fact that the capacitance scanner requires a three-dimensional print, whereas an optical scanner needs a two dimensional only. This makes the capacitance scanners more difficult to deceive. However, if one could recreate a three-dimensional representation of a print, then one could theoretically “trick” the scanner into falsely authenticating a user.
The objective of the first section is to try by-passing these devices by steeling and cloning the fingerprint. And later these clones would be modified into three dimensional and two dimensional dummy s that could be used to see the above mentions vulnerabilities exist or not. 
This above mentioned approaches are practically not easy as the problems we would have to face would be the validation of the machine in order to differentiate between a real and valid image by checking the average pixel darkness, or the overall values in a small sample by rejecting the scan if the overall image is too dark or too light. .




Direct attacks: 

Detailed methodology: Penetration Testing a Biometric device. 
This section will explain the methodologies in order to recreate a fingerprint for tricking these systems. Attacks like this were seen in videos that were spreading over the internet by using a Photostat or image of the fingerprint. The issue we would be facing would be the protection mechanism the systems have employed in order to prevent against such attacks. Enough with the theoretical part let’s move on to some action.
Objective: To bypass a finger print guarded door or to fake a finger print attendance system. 
Targets: Finger print guarded confidential room.
Scenario: Here our target would be a finger print guarded door where only the Manager is allowed access using his fingerprint. 

Bypassing a Finger print guarded door or attacking and faking an attendance system. 
The first attack would not get the cooperation of user but in the second on we could. So I will talk about the first case, as same methodology could be used in second scenario too. First step would be to obtain victim’s fingerprint that could later be used to recreate a dummy fingerprint. Human fingers have friction ridges. And there are eccrine glands that produce natural secretion of sweat on the fingers. So there would be the Impressions of fingerprints left behind on surface when touched. What causes the fingerprint is a very important factor, because recreating a fingerprint form few substances only would yield good results. Below is an image of a finger print impression caught on a glass table



Instead of going after cups and bottles my idea here is to build a logger, a setup that could log fingerprints when the victim logs in using the biometric machine. A traditional Biometric sensor looks like this. 



It’s possible to place a transparent plastic cover on top of sensor and, whenever the victim logs in his impression would be on the plastic, the authentication would take place and later plastic could be removed and reproduced. 
Refraction:
The problems we would have to face in the above procedure are refraction, refractive index of the material we place on top of the sensor matters, as we have to maintain stealth. Why refractive index because when light passes form one media to another other it may also change its propagation direction [Refraction] in proportion to the refractive index and the sensor won’t be able to understand the distorted image and login won’t take place.



This would create suspicion. So our logger would be build using a thin transparent sheet placed on top of an OHP sheet cut out, in order to hold it stern.

Building the logger:

Equipments needed: OHP sheets and thin transparent plastic sheet. 
1) Cut out a piece of OHP sheet with approximate size of Finger print sensor
2) Cut equal piece of transparent thin plastic sheet. 
3) Make a U shaped cut out on the OHP sheet piece.
4) Wrap the thin plastic on top of the U shaped cut out and logger is ready.



An alternative is to find a thin OHP sheet film and directly use it as the logger.


Placing the logger:
1) Make sure you are able to reach the biometric guarded door.
2) Slide in the logger into the sensor region make sure no parts of our logger sticks out.
3) Wait for the victim to log into using his valid finger print.
4) Remove the logger and store it in a small box, now we have a valid finger print with us.





Working of Sensors and Detection Algorithms:

Before trying to recreate the fake finger print the few points to be noted are that, the sensors scans the image and compares it with an internal database of stored images. The image matching is done based on few specific branches and loops at specific points. It could also count specific ridges from one point to another building a unique pattern for matching. There are few special points which are practically unique for all finger prints and the scanner image matching algorithms uses the same points for detection. So the point is. We have to take extra care at these regions (dig) when reproducing the fake finger print. In the below mention diagrams diagram fb1_01 shows how a finger print impression would be stored in the database of the matcher, fb1_02 show the regions that the scanner considers when the matching is done, and fb1_03 shows the special points which all the comparing algorithms consider in matching algorithms.




Reproducing a Fake Finger print:

Equipments needed: Finger print powder, cello tape, light brush, a good lab with suitable lighting to recreate the dummy.

1) Apply finger print powder and brush the obtained impression so that the powder will stick to the fringes (dig: fb1_03). 
2) Once the fringes are visible brush out the unwanted powder.
3) Lift the finer print using a cello tape form the plastic surface and you have a 2D fake finger print.
4) For building a 3D impression, apply fevicol to the lifted finger print and allow it to cool.





Only optical scanners were tested and the above mentioned methods worked on a few systems with less effort, the output is directly proportional to the quality of dummy finger print you are able to obtain. 

Local Attack: USB Data Manager. 

Objective: To steel sensitive information stored on the device like employee details, employee salary details, and other confidential details of the employees. 
Targets: Finger print attendance monitoring system placed at the door of your organization.

Biometrics devices have inbuilt data storage, were it stores the Finger prints and user information. Unlike other data sources these Biometric devices are not kept in a protected area instead kept at building entry or other unrestricted places where they could be easily accessed. Basically all the Biometric systems come with a USB support in order to download and upload finger prints and other log detail to and from the device. A normal USB dongle could be used to download data from the device. Most of the devices do not have any sort of protection mechanism employed to prevent data theft, and those which uses password protection often is deployed with default password. So if the attacker could walk to the system with a USB Pen drive then he would be able to copy all the data. Data includes employee personal information, finger prints, time they logged in and other sensitive information. I have gathered and listed commonly used devices default password.