Penetration Testing Biometric System By FB1H2S aka Rahul Sasi http://Garage4Hackers.com http://null.co.in/ http://nullcon.net/ http://nullcon.net/

Who am I ? What is this paper about ? I am an Info Security Enthusiast http://fb1h2s.com Rahul Sasi aka FB1H2S working as a consultant . http://www.aaatechnologies.co.in Active participant of Null and other computing groups. A member of Garage4Hackers. http://www.Garage4Hackers.com What this paper contains ? http://nullcon.net/ http://null.co.in/

Explaining the Risk? Finger print deployed every where, attendance and door management. Advantages and Disadvantages of Bio-systems. The devices hold critical information. Employee Attendance Employee Details Employee Salary http://nullcon.net/ http://null.co.in/

Why to audit them ? I am marked 10 days absent , what the |-|3ll is happening! I just Hacked into Biometric Attendance Register and Changed attendance and salary :D of mine and my @#$$ Professor / Not so good co-worker Student / Employee http://nullcon.net/ http://null.co.in/

Classifying the Attacks Local Attacks: Finger Print Sensor USB Data Manager Remote Attacks: Remote IP Management Back End Database Finger Print Manager (Admin Interface) http://nullcon.net/ http://null.co.in/

Biometric System Attack Vectors http://FB1H2S.com/ http://Garag4Hackers.com

Biometric Systems Common Applications Reliable attendance managing system. Biometric Finger print guarded doors, implemented for keyless secure access to doors. http://nullcon.net/ http://null.co.in/

Attacks: The Non Technical part http://nullcon.net/ http://null.co.in/

Local Attack: Finger print sensor Finger print scanners read input using two methodologies: 1) Optical scanner 2) Capacitance scanner Finger print recognition systems are image matching algorithms Cloning a duplicate finger print and cheating the image recognition algorithms http://nullcon.net/ http://null.co.in/

Steeling a Finger Print Your finger impressions falls any were you touch. Ex: on glass http://nullcon.net/ http://null.co.in/

My Approach: Finger Print Logger Biometric sensor looks like this. Placing a thin less refractive index transparent object in front of the sensor and logging finger prints. http://nullcon.net/ http://null.co.in/

Building Finger print logger Refraction: Use Less refractive index thin transparent sheet Log the victims fingerprint using the finger print logger http://nullcon.net/ http://null.co.in/

Steps Building Logger http://nullcon.net/ http://null.co.in/

Special Points to be Considered http://nullcon.net/ http://null.co.in/

Reproducing a Fake Finger print: http://nullcon.net/ http://null.co.in/

Local Attack: USB Data Manager. Biometrics devices have inbuilt data storage, were it stores the Finger print and user information. USB support in order to download and upload finger prints and other log detail to and from the device. Most of the devices do not have any sort of protection mechanism employed to prevent data theft, and those which uses password protection often is deployed with default password. http://nullcon.net/ http://null.co.in/

Attacks: The Technical part http://nullcon.net/ http://null.co.in/

Remote Attack Vectors. http://nullcon.net/ http://null.co.in/

Remote Attack Vectors IP implementation for data transfer Biometric Management Servers Biometric Admin/Interface (Web Based and Desktop based ) Back end Database Man In The Middle Attacks http://nullcon.net/ http://null.co.in/

TCP/IP Implementation for Remote Management: http://nullcon.net/ http://null.co.in/

Remote Administration Implementation Issues The remote administration capability of this device lets biometric servers to authenticate to it and manage remotely. We are completely unaware of the management protocol used as the program is embedded in the Biometric MIPS device. Solutions The admin application knows everything about the remote device so if we could get a copy of that application it will tell us everything we want. http://nullcon.net/ http://null.co.in/

Example Attack Attacking the remote management protocol Example. Situation: The remote administration implementation is unknown. Foot printing: The label on the Biometric device will reveal which company has marketed or build that product. Download a copy of remote management software from vendor site http://nullcon.net/ http://null.co.in/

Example Attack Reverse Engineering the Application Reflector used to disassemble the .Net application Detected TCP/IP setting of device used to communication, It uses port 4370 to communicate http://nullcon.net/ http://null.co.in/

Application uses COM objects which interacts with Device IDA used for dissembling the COM objects Disassembling Import function shows the communication details http://nullcon.net/ http://null.co.in/

Example Device Command extracted Commands to set the device time remotely http://nullcon.net/ http://null.co.in/

Auditing Back End Database From disassembling we were able to find local database password file and encryption key hardcoded in the application. http://nullcon.net/ http://null.co.in/

Biometric Admin/Interface (Web Based and Desktop based ) Another possible point of attacks are on the admin interface, these are either desktop based or Web based. Desktop based applications are common and the possible chances to interact with them require local privileges on the Biometric server. But web based admin panels could be attacked form outside. So an application check on those modules for application vulnerabilities could also help. http://nullcon.net/ http://null.co.in/

Nmap Script: Detecting Biometric Devices on Network: How to detect these device on network for attacking? Nmap Script Output. http://nullcon.net/ http://null.co.in/

Attack Videos http://nullcon.net/ http://null.co.in/

Conclusion The risk and vulnerabilities associated with Biometric Device are explained. This shows the necessity of including these devices to the scope of a Network Audit. http://nullcon.net/ http://null.co.in/